The NHS held to ransom
A global cyberattack brought chaos to much of the NHS last week. Hospitals were forced to cancel operations and appointments as the Wannacry virus infected computers in 47 NHS trusts. In some cases, telephone systems broke down, and people were urged to stay away from A&E. NHS staff were alerted to the attack by a message on their computers demanding they each pay $300 (£230), in the virtual currency Bitcoin, to regain access to their files. Thanks to the savvy of 22-year-old Marcus Hutchins, a self-taught programmer who discovered a disabling “kill switch” online, the spread of the virus was halted.
Around the world, the virus affected an estimated 200,000 computers in at least 150 countries. Victims included Russia’s Interior Ministry, the courier firm Fedex and the French carmaker Renault. In Germany, the ransom message appeared on railway station information screens when the rail operator Deutsche Bahn was hit.
What the editorials said
This was the worst cyberattack to date on our “critical infrastructure”, said The Sunday Times, and it’s “a wake-up call we can’t ignore”. We must square up to the prospect of regular assaults of this kind. The precedents aren’t encouraging, said The Times. The vulnerability of the “antiquated” Windows XP system, still used in 90% of NHS computers, was well known. Yet in many cases, it seems, managers neglected to fit the security patches offered by Microsoft just two months ago. What’s more, the government failed to renew a support contract with Microsoft two years ago that might have prevented disaster. Some cyberattacks are unavoidable: this one wasn’t.
And this is far from the first “ransomware” attack on NHS systems, said The Mail on Sunday. Responding to a recent Freedom of Information request, the NHS had to admit that 79 English trusts (around 33% of the total) have been hit since June 2015 – several may even have paid the ransom. Yet they seem to have done little to protect themselves from fresh attacks. This latest one is just another example of their “slackness and folly”.
What the commentators said
Protecting the world’s computer systems is a “Sisyphean task”, said Robert Colvile in The Sunday Telegraph. Security experts have to tackle criminal networks, often linked to hostile states: the malware that hit the NHS was apparently stolen from America’s National Security Agency and dumped online by a group known as the Shadow Brokers, thought to be connected to Russia’s espionage service. Yet they also have to battle against human stupidity, pennypinching bureaucrats and some “hideously outdated systems”: our cash machines and air traffic control often depend on devices and code dating back to the 1970s. It’s not just the software we have to protect, said Elisabeth Braw in The Times. Imagine the global mayhem that would result if the underwater cables that carry 99.7% of the world’s internet traffic were attacked. The truth is that our whole way of life is now susceptible to “underhand aggression”.
No need to panic, said Matt Ridley in the same paper. Computer viruses have been around for almost as long as computers – the first serious outbreak was spread among Apple computers via floppy discs in 1981. Since then there have been regular scares, and with each the doomsayers have predicted the internet’s collapse. Remember the “Slammer” worm of 2003, or the “Conficker” worm of 2009. Yet doom has been kept waiting because “anti-virus protection has evolved just as fast” as the viruses themselves. Besides, not all organisations are as bad at self-protection as the NHS, said Juliet Samuel in The Daily Telegraph. The financial sector, in particular, is rising to the challenge. Every year, the Bank of England runs “Waking Shark II”, a cyber “war game” that pits the banks against each other to sharpen up their act. Even so, we were lucky this attack was relatively innocuous. The Wannacry virus aims only to extort cash, not to destroy data. There are other “more dangerous, malicious threats out there”; viruses that “deliberately and irreversibly destroy IT systems or leak data”. We have been warned.
What next?
Security experts are warning that international criminal gangs may soon deploy a second cyberweapon stolen from the US National Security Agency and made available on the dark web for anyone to use. Code-named Esteemaudit, it also exploits weaknesses in Microsoft XP software.
Almost all the affected NHS computers are now back in service after emergency repairs. The Government says it has earmarked £50m to protect the health service against future attacks, as part of a wider national cyber defence programme.