In the UK, on the afternoon of Friday 12 May, news outlets began to report some minor technical glitches with National Health Service (NHS) IT systems across parts of eastern England. Within just a few hours, those ‘glitches’ had spread to other parts of the country, leading to cancelled outpatient appointments, and significant delays in hospital accident and emergency departments, with some having to close their doors to patients.
That evening, GPs’ surgeries began to report significant problems too, with many having to resort to using pen and paper – a throwback to a bygone age of the health service – and the UK Government’s emergency committee, COBRA, assembled to assess the growing crisis.
Problems continued across the weekend and into the following week, as IT teams across the country battled to counter the impact of the IT system failure and re-establish services.
It wasn’t just the UK that was hit; 150 countries – from the US to Russia, Spain to India – reported similar difficulties across private and public entities. Some manufacturing plants were forced to suspend operations while telecoms providers, courier services, utility operators, transportation services and even critical government ministries also suffered.
The cause was a ransomware attack dubbed ‘WannaCry’. Initially believed to be exploiting a security flaw in Microsoft’s Windows XP, the worm is now known to have, in fact, affected more computers running the Windows 7 operating system. The software developer had released a patch protecting against the vulnerability in March 2017, but many IT managers failed to update their systems before the attack was launched.
What this exposes, according to cybersecurity and information assurance expert Vince Warrington, is the lack of understanding as to the importance of good IT practice.
“Even within today’s companies, IT is seen as a secondary part of the organisation,” he says. “It is viewed like HR and finance: the bits that keep a business running. But businesses don’t appreciate how exposed they can actually be.”
Many organisations will take a reactive rather than proactive approach. “Some businesses will patch on a regular basis, but many others will see the latest issue on the news and only then look to apply patches, and protect themselves against it,” he continues.
Compounding the lack of protection was the previously unseen method of spreading this type of worm. Other attacks exploited users’ lack of IT knowledge, assuming they would forward emails or open attachments, allowing the virus to spread to their and other computers within the network and, ultimately, beyond it. “We’ve said to people for years and years not to click on attachments or forward emails in the event of a virus, but they still do,” Warrington says.
However, BBC cybersecurity software provider Malwarebytes stated that the ransomware searched the internet looking for Microsoft machines that were vulnerable to the bug through what is known as Server Message Block (SMB).
Regarding the difficulties the NHS faced in the UK, problems were even more acute because of an inability to protect against the virus, even if IT managers had the inclination to. Many NHS facilities are running older systems for which patches were not available. Such a problem raises the question of a lack of investment. But, as Warrington says, updating and even replacing legacy systems to combat a cybersecurity risk such as this would cost hundreds of millions in the UK alone. Nonetheless, he doesn’t see investment or lack thereof as the primary issue.
“The bigger problem is the lack of knowledge among employees,” he says. “Educating them on the dos and don’ts is a must, and knowing what to do in the event of a cyberincident would help protect the wider organisation and potentially stem the spread.
“We have three types of people: the digital natives – those born with a smartphone in their hands. Then we have digital migrants; people comfortable in this interactive world but who still keep their eyes open just in case. Finally, we have the digital tourists; more senior people who visit this land but it’s strange and perhaps alien to them. To them, they can understand somebody coming in and robbing a bank with a weapon, but the cybersecurity aspect is quite intangible.”
Warrington believes this problem spreads from the boardroom down. IT managers, he argues, are trying to get senior executives engaged, and make them aware of the importance of IT and IT security, but they are simply speaking a language that many don’t understand – or, at least, many within the boardroom. “There is money available, but it’s a case of getting the message across to those holding the purse strings,” he adds.
Coming together
However, one of the best ways to protect against any kind of cyberattack in the public and private sectors is to collaborate – something the UK Government is keen to promote and has included in its National Cyber Security Strategy.
“The National Cyber Security Strategy is good,” says Warrington. “There has been a realisation at a senior government level in the UK that this is an issue that we now can’t allow to carry on. We can’t just say to businesses, ‘You’re on your own’.”
Speaking at an event in London in May 2017, Mark Sayers, deputy director for the cyber and government security directive at the UK Home Office, said: “Our lives rely absolutely on trusted and secure communications, with the UK accounting for the highest use of the internet among the G7 countries.” He called for greater collaboration, stating: “We need the support of industry and academia to help us respond at the scale and the pace required, and to forge strong partnerships around the globe.”
“The one area I hope the National Cyber Security Centre [recently established under GCHQ, the UK’s intelligence headquarters] moves forward with is collaboration between government and businesses,” says Warrington. “We’re at a point where the government knows what it knows and businesses know what they know: each has different kinds of attacks against them. We need to see them sharing that information – not just businesses telling the government what they’ve seen but also the government responding. Even if that’s down to the level of government seeing evidence that suggests a particular bank is about to be targeted, then there should be a channel for the government to go to that bank and say that it’s aware of an attack; they’re not going to say how but this is what to do about it.”
In addition, businesses must start talking more to each other and forget about any embarrassment they may feel after being hit by a cyberattack. “Essentially, businesses don’t want to admit to being caught with their trousers down after a cyberbreach. That happens inside and outside businesses. But, importantly, the more information we share with each other, the better we’ll be protected in the long term.”
One of the “missing pieces”, according to Warrington, is academia. “At present, academia is isolated. I’d really like to see some of the top universities with research in cybersecurity reaching out around the world,” he says. “There is some great stuff going on within academia, but we really need to get academia talking to industry. There may be times they find an exploit, a flaw or something, so a route to talking to others about it would be very helpful.”
A further area to explore would be to tap into the wealth of expertise that is available. Warrington adds, “At the moment, the view of those operating in cybersecurity is of hooded people hunched over their screens – that doesn’t help. There is a lot of talent and expertise out there, and governments should work towards bringing it in and using those people. It’s quite easy to see what’s going on today and feel that the future for cybersecurity is very bleak, but I don’t believe that. We’ve got a lot of incredibly intelligent people doing some very important work.”
And there is much more potential in the pipeline. “People are starting to appreciate how important cybersecurity is today and, in coming years, we’ll be seeing individuals who will be completely comfortable with IT and see security as an important issue going into the workplace,” he says.
A matter of national security
The irony of the WannaCry outbreak was that, according to some reports, information on the exploit and how to use it was stolen from the US National Security Agency (NSA). Security and intelligence agencies can benefit greatly from knowing of and, in some cases, using such exploits, but there is a risk, as the ransomware attack highlighted.
“The interesting thing about the US in recent years is that intelligence agents are finding these exploits and holding on to them for their own use,” says Warrington. “There is always a benefit to knowing of potential exploits as it allows you to keep a check on hostile governments or states, as well as terrorist networks. So keeping them to yourself is helpful, but then we do have the risk of those exploits being found out – as happened with the ransomware attack – causing damage and costing a lot of money. So it does pose a challenge for intelligence services to find the right balance between keeping hold of information and sharing it.”
Aside from cybercriminals, one of the challenges national security agencies have faced in recent years is the growing threat from other states, and state-backed individuals and organisations. “State cyberinterference has definitely grown in recent years,” he adds. Speaking of potential political interference Warrington warns that there is the potential for cyberabuse and that we may have already seen it.
“What’s really interesting now is what’s going on in Russia, although they would totally deny anything. Access to the internet has changed the way influence is being used. In the 1970s, if you wanted to affect something like an election, you’d have to go and talk to a national newspaper, and get your story out there. Now, you can be anywhere in the world with a computer and do it.”
Warrington says the Russian government has, in fact, made IT and cybersecurity part of its defence infrastructure. “Russian authorities are employing IT-talented people and use them for their own gain. At the moment, we think the Fancy Bears hack team is a kind of semiautonomous function of the government; they are paid by it to release information. This type of thing is ideal for Russia to spread misinformation and then be able to deny it,” he says.
However, it’s perhaps not the Russians who pose the most danger internationally. “Of all the nations, North Korea is probably the one that would try to do something catastrophic,” he warns. The country and its government has been linked to the WannaCry attack – although there are conflicting reports emerging from the cybersecurity industry about its true origin – and a number of other cyberincidents in recent months.
Lazarus Group, believed to be a North Korea-backed cyberhacking unit, has been allegedly stealing tens of millions of dollars from a Bangladeshi bank. It has also been linked with attacks on European banks and even Sony Entertainment. “North Korea is active in cybermatters, but, whereas China has used this technique to help with getting a commercial head start, the feeling is that North Korea would be much more likely to press a button with the aim of taking out a bank or other important infrastructure,” Warrington believes.
The end game
Clearly, the cyberworld is becoming much more dangerous for individuals, commercial enterprises and nation states. Recent events such as the ransomware attack, political interference and commercial hacks have proved that the issue needs to be taken more seriously. According to Warrington, a good start would be to eradicate bad practice, which would “shut off many of the loopholes”.
But collaboration is key. “We’ve gone through the stage of working among ourselves and that really didn’t work, so we’ve now got to have a sensible and adult conversation about cybersecurity,” he explains. “That means taking down some of the barriers that exist between business, academia and government, and even between businesses themselves.”
However, despite the recent and, in some cases, extremely damaging cyberactivity that we have seen, Warrington thinks the picture isn’t as bleak as some would have us believe. “There isn’t an endless queue of cybercriminals; there are far fewer than people think. In the former Soviet Union, you’re probably talking about just a few hundred.”
But there is no room for complacency. “Quite often, when you think you’ve made something secure, it’s not,” he says. “It’s a moving target. You think you’re secure today but, by tomorrow, somebody will have found an exploit and suddenly you’re open to the world again. It’s almost as though we have to move away from this idea of keeping the bad guys out and accept that they are going to get in, and figure out how to effectively bounce back from that. So it is more about resilience.” An interesting viewpoint, and one that we may all have to accept as the norm in the months and years to come.