Subscriber competition
Win VIP tickets to this year’s BMW Championship at Wentworth
It was like a scene from an apocalyptic science fiction film: on the morning of Friday, May 12 2017 computers around the world started to shut down. Screens flashed red with a ransom note that read, “Ooops, your files have been encrypted” and demanded a payment of between $300 and $600 (£230 and £470) in bitcoin.
The attack, called “WannaCry”, spread rapidly across 150 countries. Within hours of Spanish mobile operator Telefonica first announcing it had been hacked, NHS hospitals reported they too were having problems.
It was the beginning of a crisis that would last three days and affect more than 200,000 computers, belonging to the likes of Renault, FedEx and railway company Deutsche Bahn. But nowhere was the pain felt more acutely than in the UK.
By lunchtime that Friday, NHS hospitals and GP surgeries were turning away patients and ambulances, cancelling operations and asking people to only seek medical care in an emergency. The country was, by then, used to hacks on a massive scale, but not to any that threatened lives.
Although Robert Hannigan had resigned as head of GCHQ four months earlier, he kept his finger on the pulse of Britain’s computer networks and watched the WannaCry attack unfold. “The NHS had thought it wasn’t a target, but found it couldn’t operate at all. It was completely paralysed,” he says. “That was a huge wake-up call.”
The hackers, reportedly from North Korea, didn’t intentionally target the UK’s health service: it was collateral damage. WannaCry entered computers through a glitch, discovered by the US National Security Agency, in early Windows operating systems. The 33 affected NHS practices were hit because they hadn’t updated their Windows XP software for many years.
“The problem for the NHS isn’t so much cyber security, it’s that their basic infrastructure is so creaky and old fashioned that it’s open to attack,” says Hannigan.
It might not be his responsibility any longer, but the former GCHQ chief is eager to bring the UK into the 21st century and do all he can to stop hackers winning.
“Ten years ago it was hard to get anyone interested,” he recalls. “As more and more people have direct experience of hacks and fraud, they are getting the message that it really matters.”
His cyber CV is impressive. In 2009, when he was security adviser to then prime minister Gordon Brown, Hannigan created the world’s first national cyber security strategy, which predicted many of the threats to come. Almost a decade later, North Korea would be suspected of authoring the WannaCry attack and Russian hackers would be found inside British critical infrastructure. Meanwhile, the internet would be a known breeding ground for extremists who saw the UK as a target.
In 2014, Hannigan moved to GCHQ to steer it into a new era of transparency. It was a year after the agency had suffered from one of the biggest leaks in history, Edward Snowden’s mass surveillance revelations, and its reputation was in tatters. Hannigan thought openness would be the best policy and, as such, oversaw the launch of GCHQ’s first Twitter account and opening of the publicfacing National Cyber Security Centre. His mission didn’t stop at repairing the agency’s standing; he also wanted to educate the public. Fear and ignorance would do no longer.
“This affects everybody, including individuals,” he says. “We can’t just sit back and wait. We should focus on identifying talent that hasn’t been discovered yet and developing it.”
One of the biggest problems facing the UK, as WannaCry showed, is a lack of technical proficiency. There just aren’t enough defenders in the face of highly trained foreign criminals and state-sponsored hackers.
“In North Korea and Russia there has been a lot of state investment in agency cyber skills,” he says. “It’s hard to put countries in a league table, but they have very sophisticated people out there.”
In Britain, meanwhile, computer security is poorly taught and aptitude is seldom nurtured. This is, in part, because teachers can’t keep up with the pace of technological change or the constantly evolving threat hackers pose. “So much of the cyber security training that’s out there is very old-fashioned,” says Hannigan. “It’s dull, it’s slow and it’s classroom-based. We have to break out of that and find something that’s generationally appropriate.” At GCHQ, he helped develop the Cyber First programme for young people, including a girlsonly summer school. He now chairs the advisory board of a Bristol-based start-up called Immersive Labs, which uses online games to spot and train cyber talent. It was founded by his former GCHQ colleague James Hadley and is aimed at users with no technical knowledge, who have a natural aptitude for analytical thinking, problem solving, research, – and Sudoku.
“Parents need to get over their technology fear and snobbery,” he urges. “There’s massive potential here for their children and grandchildren to have a career in this. For the next 10 years, at least, cyber security skills are going to be massively in demand. Young people can name their price if they have the right skills.”
Will his children, aged 12 and 17, pursue careers in cyber? “My daughter is big into maths … But I wouldn’t dare predict it,” he admits.
Hannigan’s hopes for Immersive Labs go far beyond children; he wants to train parents to be computer defenders, too. “People shouldn’t write themselves off because they’re the wrong generation,” he says. “The beauty of cyber is that you can play around and teach yourself. You don’t need to have been doing it since you were eight. You just need to get over the fear of technology.”
Immersive Labs’ prime user is a mid-career adult who has never thought themselves technically capable. The company has recently launched a programme for training veterans and this summer will release one for women returning to work after having children.
Immersive Labs, meanwhile, can only exist because of the changed culture at GCHQ. “Ten years ago, if you left GCHQ to set up a company, you were frozen out and seen as a traitor,” says Hannigan. “We now see it as a national project. The threat is so huge for the whole economy, you can’t expect one government agency to mitigate it.”
Hannigan’s other suggestions have included the creation of an international cyber war treaty. In the meantime, he welcomes the news that all NHS computers will be upgraded to Windows 10 and that the Government will spend £150million in the next three years to improve the service’s security.
How likely is another attack on the scale of WannaCry?
“For the next five to 10 years, things will probably get a lot worse. Crime is on the rise and, with geopolitical instability, countries are prepared to do reckless things,” he says. “I don’t think people should panic, but everybody needs to take it seriously. All of our data is at risk.”