By Steve Hersee (@stevehersee)
On Friday news broke of a ransomware attack against the NHS in England and Scotland. Malicious software infected around 45 NHS trusts, disabled NHS IT systems and locked staff out of NHS patient records. Consequently, operations were cancelled, doctor’s surgeries were closed and patients in some trusts were asked not to attend hospital unless they had an urgent need for care. It is the nightmare scenario that has been exercised and planned for by many in the security community but somehow still seems a shock.
It soon became clear that the attack was not specifically targeted against the NHS but was part of a much larger malware outbreak that spread across the globe. The WannaCry malware which was responsible for the attack is spread by a computer worm and encrypts the content of computers it infects, making the data inaccessible to the user. A message then demands the user pays around $300 (£230) in Bitcoin for the data to be decrypted. WannaCry is particularly dangerous because once it infects one system on a network, it then attempts to seek out and infect other vulnerable systems.
In the aftermath of the attacks the blame game is already in full swing and there are no shortage of commentators jumping at the chance to quickly apportion blame:
- You can blame the NSA and GCHQ, as Digital Rights activists such as Edward Snowden and the Open Rights Group do. The NSA purportedly wrote some of the code that was used in the attack and delayed their disclosure of vulnerabilities in Windows XP. Without this code the malware may have been less potent, and if the NSA had alerted Microsoft of the vulnerability earlier than users would have had more time to patch their systems.
- If you can blame the NSA for writing some aspects of the ransomware software, then you can also blame academics and industry for creating the encryption protocols used in the attack. The establishment has previously identified the use of ‘advanced encryption’ as a particular problem for law enforcement. Despite the huge and widespread damage being caused by these attacks, and the massive computing power and expertise at their disposal, the NSA and GCHQ cannot currently break the encryption used. It is the perfect tool for criminals.
- You could blame the digital rights community, and conclude that their campaigns to restrict the NSA’s legal and technical capability to gather information on terrorists and criminals has forced them to pursue this information through more dangerous means. If the NSA was granted more secure access to the computers of criminals and terrorists, then it could be argued that they would have no need to engineer the type of malware that was leaked and partially repurposed for this attack.
- You could blame modern technology such as the digital currency Bitcoin, through which WannaCry’s operators are demanding payment from infected users. Bitcoin is not centrally managed and instead uses a form of decentralised ledger called the blockchain to store details of transactions. It can provide users with greater privacy, but also allows payments to be made anonymously. Some commentators, such as the FBI, claim that Bitcoin is used by criminals to move and steal funds.
- You could blame Microsoft for selling an operating system with so many exploitable vulnerabilities. When security vulnerabilities are discovered in other devices, such as cars, the manufacturers are forced to recall the vehicles and pay the owners compensation. And other operating systems such as Apple’s iOS appear much more resilient to such attacks. Why is Microsoft security so notoriously poor and why are they not held to account for this?
- You could blame the NHS itself for ignoring warnings about vulnerabilities in its systems and persisting in using technology that is 16 years old. Depending on your political persuasion you might choose to direct this blame towards the current health secretary for not taking the threat seriously, or you could blame the NHS itself for ignoring warnings issued by the government and not installing a patch that was provided to them.
- You could blame government austerity, as the Daily Mirror In 2016 the Government Digital Service decided not to extend the £5.5 million support deal with Microsoft for Windows XP, which would have ensured that NHS systems received regular security updates that may have protected them from the attack. Was this cost cutting worth it?
- And finally, you could blame society’s overreliance on technology. As many commentators have argued, we are embracing technology without fully understanding the long-term risks. Computers have undoubtedly saved lives and money for the NHS, but computing technology is vulnerable to attack and outages. Should doctors surgeries really be so reliant on this technology that they cannot operate without it?
Lessons can undoubtedly be learned from these attacks but hasty recriminations are extremely unhelpful and will, alone, change little. The NSA and GCHQ will continue to look to exploit vulnerabilities in software if this is the best method to gather the information they need to protect the country because they have a duty to fight crime and prevent terrorism; the digital rights community will continue to campaign against state surveillance because it is their role to argue for human rights; companies will continue to produce insecure software because market forces demand frequent updates; industry will continue to ignore best practice on IT security due to lack of expertise and funding; society will continue to embrace the benefits of modern technology and new technologies such as Bitcoin will continue to proliferate and provide criminals with novel ways to commit crime on a large scale.
The problem is that whilst academia, the security agencies, the digital rights community and large technology companies have a common interest in preventing attacks such as WannaCry they are often more focussed on fighting each other than they are on working together to improve the UK’s Cyber Security. If they could put the time, energy and expertise that they dedicate to fighting court battles, arguing over legislation and playing the media blame game, to more constructive and collaborative uses then perhaps there is a chance that WannaCry will be remembered as the moment we pulled together to protect the country. If not, then the cycle of attack and recrimination will continue and only the darker elements of society will benefit.
Steve Hersee is a Cyber Security Researcher jointly supervised by the Information Security Group and Department of Geography at Royal Holloway, University of London. He is studying threat construction in cyberspace, focussing on the roles of the state and the digital rights movement. He can be #hunted down on Twitter @stevehersee