The Daily Telegraph

It’s time to smarten up our act in the fight against cybercrime

The NHS attack exposed widespread incompetence in IT matters – firms and governments must do more

- Juliet Samuel

It’s a bit embarrassing really. Like a homeowner leaving their front door wide open and then screaming blue murder when they’re burgled, the NHS was caught off guard. The burglars deserve no leniency of course. But nor should we be under any illusions about what was revealed by the mass hacking of NHS computers – and it isn’t just funding difficulties. It also shows that in IT matters, incompetence and carelessness are rife.

The NHS is not alone. The same virus, known as “WannaCry”, has penetrated the German rail network, FedEx and the Russian interior ministry, according to the head of Europol. As it spreads, it reveals security gaps everywhere. It isn’t hard to protect against – any computer running an up-to-date version of Windows is safe. Yet despite this easy defence, there are an estimated 200,000 victims and counting.

The usual crowd is blaming America. WannaCry uses a tool originally designed by the US National Security Agency, which was stolen by hackers and recently posted online. It was then adopted by criminals to improve their ransomware, a virus that demands cash from its victims. It’s unclear how quick the NSA was to flag the danger after the leak. But it’s futile and naïve to suggest Western spies should be prohibited from developing such tools.

What the attack does show is that we are pathetically unprepared for a new age of security threats. There is little hope that we can stop the attacks. Many come from jurisdictions we can’t touch, like China and Russia, and those authorities seem to take a lax approach. We will never be able to guarantee total safety against sophisticated attacks. But it is possible to make it much more difficult and expensive for hackers to wreak havoc with our data and infrastructure.

It just requires organisations to stay vaguely up-to-date. The NHS has been running Windows XP, a 16-year-old operating system, on a huge number of computers. Its IT managers should have known this was unacceptable: Microsoft sent out a major alert about this vulnerability two months ago and, for recent systems, provided a free fix for the fault.

That hasn’t stopped some people pointing the finger at Microsoft for failing to include users of much older software, like Windows XP, in this free update. This is like complaining that a carmaker has a duty to supply bespoke free parts to update vehicles it no longer produces. Microsoft offered free XP updates for 13 years and gave users three years’ notice before it stopped making these available.

IT systems, of course, can be hard to update, especially for organisations like the NHS. Hospitals run all sorts of specialised software for specific hardware, like MRI scanners. Update part of the system and it’s possible it will no longer be compatible with another part, especially since some hardware is made to last 20 years, whereas software becomes obsolete much faster. Such an issue, though, should be flagged before it gets critical, if IT managers are doing their jobs properly. And the NHS, one of the biggest single buyers of medical technology in the world, should be budgeting for and demanding essential software updates from all of its suppliers as a matter of course. This isn’t an optional extra that can be dropped in order to make efficiency savings. For one thing, updated software is itself usually faster and improves efficiency.

IT carelessness, though, is widespread. WannaCry has revealed that major companies are, like the NHS, failing to install basic software updates. And laziness in cybersecurity comes in many forms. TalkTalk, the telecoms company, was hacked by a 17-year-old boy after failing to take simple precautions to protect customers’ data. I was told recently about one large American bank that couldn’t understand why decisions at its board meetings, held over Skype, kept being leaked. It turned out a journalist had logged in using the system’s default PIN code.

Despite their appalling reputation, however, banks are relatively better prepared than other organisations. They have learned from being targeted voraciously by hackers and from outages caused by their creaking legacy IT systems. Their regulators frequently mention IT security as a top threat to financial stability. As a result, the finance industry has put management time and cash into shoring up its defences.

The Bank of England supervises “Waking Shark II”, a cyber “war games” event between major banks, every year and publishes a report on its findings. Such practices should not be limited to banks and City regulators.

Governments and companies need to spend more cash and time on the problem. Britain has admitted as much by increasing its national cybersecurity budget and clearly, the NHS’s IT supervisors are in need of some remedial training. This isn’t just about budgets, though. Britain is severely lacking in knowledge, skills and a sense of urgency. Technology companies and IT departments struggle to hire enough people because we aren’t producing them.

It shouldn’t be daunting. It doesn’t require the country to start teaching children maths before they can walk. In fact, all the people I know who work in IT learned to code outside their formal education and many taught themselves after university. Some studied classics (linguists, I’m told, make good coders), some had hobbies in DJing or music. Others are good at card games or, perhaps, the Telegraph puzzles page. Jobs in IT can provide intellectual satisfaction, independence and good pay, and yet most of Britain isn’t interested. As demand for tech whizzes rises, that ought to change.

It might seem odd to say so, with the virus still spreading, but we have been lucky this time. WannaCry is not targeted at critical infrastructure and its aim is to get cash, not destroy data. Any organisation with proper backups, which, as far as we know, the NHS does have, can restore normal service by wiping infected computers.

But it won’t always be like this. More dangerous, malicious threats are out there that deliberately and irreversibly destroy IT systems or leak data. It’s true that we can’t make everything impregnable. But given what’s at stake, we can at least expect companies and governments to cover the basics.
