The Daily Telegraph

Tim Stevens:

It only takes a moment for the type of malware used in yesterday’s NHS attack to cause widespread havoc

Dr Tim Stevens is lecturer in global security at King’s College London. Follow Tim Stevens on Twitter @tcstvns; read more at telegraph.co.uk/opinion

The NHS has been hit by a cyber attack. Hospitals and GPs’ surgeries across the country have suffered IT problems which leave them unable to see patients or conduct tests. Health officials have declared a major incident and doctors fear patients will be harmed. If there has been any attack on British critical infrastructure which matches this one in scale, I haven’t heard of it. But while shocking, none of this should be surprising. The only real surprise is that it took this long.

The big question is: who did this and why? Was it a deliberately targeted attack on a linchpin of British society by a state or political actor, or just rogue criminal software? We don’t know and we may never know, but all signs point to the latter – particularly as incidents have been reported across Europe today, and the software used is being linked by security experts to tools stolen from the US’s National Security Agency and dumped online.

The type of software the NHS is now grappling with is called ransomware. Once downloaded on to your computer it encrypts your files so you can’t access them and then demands money. This one asks users to send $300 in bitcoin – a digital “cryptocurrency” which is difficult to trace – to the makers of the program within seven days. That may sound like a pittance, but multiplied by the number of computers in the NHS it is potentially a tidy taking.

It’s possible that this program was deliberately targeted at the soft underbelly of Britain’s infrastructure. The NHS has a unique status in the public imagination – it’s symbolic of what it means to be British. Anything which subverts it is guaranteed to make headlines. But political actors trying to produce that kind of fear usually make sure their names are attached to their actions. At present we do not even have the customary claim of responsibility from Isil.

So it is more likely that this was a simple program, created to make money, which accidentally got into the NHS network and replicated itself once inside. Probably some innocent user has accidentally downloaded it by visiting the wrong web page or opening an infected attachment.

In that case we are looking at not a terrorist attack but a bureaucratic farce, set off by drive-by criminals or even a single teenager – though the results may be just as dangerous.

Most office networks have systems in place which block such mistakes, or detect ransomware before it spreads, but in this case these systems failed. Fingers will inevitably be pointed: first at NHS system administrators, then at NHS bosses, and then, potentially, at ministers. Ransomware has steadily grown in sophistication, with thousands of varieties identified by security researchers, and become widely recognised as a major threat to corporations and governments. This attack shows just how vulnerable our infrastructure still is. Clearly, our defences are not good enough.

But there’s no such thing as a perfectly secure system, and the threat of ransomware is proving very difficult to mitigate against. There is an arms race happening between governments and the computer industry on one side and criminals on the other. Anyone can buy so-called “crimeware” on the dark web, that underside of the internet which states cannot easily monitor. You can pay a little up-front in the confidence that you will make back your money from those whose files you hold hostage. In these circumstances our defences may never be good enough.

I hate to say that these attacks are inevitable, but they aren’t far off. We must hope that the business continuity plans of the NHS and other institutions are fit for purpose.

If the culprit was working for a foreign state, we might soon identify him. But if not, we probably won’t. Cybercrime is not the product of centralised, hierarchical organisations like the Italian mafia. It’s more often performed by distributed networks of individuals in multiple jurisdictions, who are very good at covering their tracks. Even if we find them, we may not be able to prosecute them.

So what can we do? Cybersecurity is everybody’s job. From GCHQ and other government agencies, down through the makers of security software, to the companies which are targets to the individuals who work for them, anyone can be the weak link which lets an attacker get a foothold on a system. So our biggest issue may be the public itself.

In the wake of the hacking attacks which disrupted the US election, public awareness of cyber-security is greater than ever. The real suspicion that Russia is disrupting Western democracy has worked better than all the visions of cyber-apocalypse our governments once tried to scare us with. But we clearly still have problems with digital hygiene. I can tell you not to open attachments if you don’t know who they’re from, or to check with your friends that they really have sent you something when you receive emails apparently from them. But it only takes one person to make one mistake. Don’t let it be you.
