NHS services hit by cyber-attack – Expert Reaction

News broke over the weekend that a ransomware cyber attack had hit an estimated 200,000 victims across 150 countries, which was initially reported as affecting the UK’s National Health Service (NHS).

Just last week, a UK doctor wrote in The BMJ that hospitals were at risk of ransomware attacks, largely because of reliance on outdated operating systems such as Windows XP, which is no longer updated with new security patches.

The Australian and UK SMCs gathered early expert reaction to the cyber attack. Please feel free to use these comments in your reporting.

Professor Asha Rao, Associate Dean of Mathematical Sciences, RMIT University, comments:

“Holding people to ransom is not new – what is new is the reach that digital ransomware has. The usual suspect in people falling prey to ransomware is the phishing email, an email with the link that is tagged with malware – a virus or a Trojan horse – anything that will allow the sender to somehow take over your computer, email account etc. In the case of ransomware, the link usually results in your computer files being encrypted and the perpetrator asking for money to unlock your files. Regularly backing up your files, onto secure off-site storage (anyplace, like cloud storage – that is not your computer) will help individuals and companies achieve some hardening against such an attack.”

Associate Professor Mark Gregory, Leader of the Network Engineering Research Group, RMIT University, comments:

“The global Wannacry ransomware attack highlights the need for cyber education, awareness and vigilance. Individuals and organisations should upgrade and update computers to ensure they have the latest operating systems and patches, install anti-virus software that has anti-malware and anti-ransomware capability, and back up personal data often.

“Global ransomware attacks are just the tip of the iceberg today and malicious attacks by global criminal organisations are occurring at an ever-increasing rate. Whilst the threat of becoming a victim of a ransomware attack is daunting we can take harm minimisation precautions. Computers need to be maintained and protected so it is important to check that regular updates are occurring.

“The Wannacry ransomware is likely to be adapted and released again in coming days or weeks so it is vital that we take the time to ensure that we’re prepared. Government security agencies have collected a wide range of malware and ransomware now and new attacks are often carried out using an update of previously released code. For organisations, it is important to subscribe to organisations, such as the Australian Cyber Security Centre, to receive threat notifications so that early action can prevent a threat from becoming an unwanted incident.”

Prof Alan Woodward, Visiting Professor of Computing, University of Surrey, comments:

“From what we can see it is a piece of ransomware called wanna decryptor. It goes by other names but it emerged in February 2017. Since then it has been modified and there is evidence that it is spreading using a flaw in the Microsoft network protocol called SMB, which was exposed in the recent dump of exploits that were allegedly from US intelligence agencies.

“It is not just the NHS affected: reports suggest it is a global problem. The virulence is likely to be because some organisations have either not applied the patch released by Microsoft, or they are using outdated operating systems (such as XP) that are no longer supported by Microsoft and hence no patch exists.

“The flaw it appears to be exploiting means that it acts as a ‘worm’ i.e. once inside a network it seeks out and affects any susceptible computer it can find on the network. The only sensible way to tackle it is to ‘pull the plug’ so that it can’t spread anymore until you can isolate the affected machines and work out a remediation plan.

“It is a horrible lesson about why using supported software, and keeping that software updated, is so important.

“I don’t believe it will have been a targeted attack but will simply have been that the ransomware has sought out those organisations that are running susceptible devices.

“Ransomware has one purpose: to extort money in return for releasing the data it has encrypted. However, there are two problems. First, there is no guarantee the criminals will release your data, and second, even if you do have your data released there is no guarantee the criminals won’t repeat the exercise.

“Some ransomware has been ‘cracked’ and so you can find a way to recover your data without paying. Nomoreransom.org is a website run by Europol and can provide advice and support.”

Prof Awais Rashid, Director of Security Lancaster (A UK Academic Centre of Excellence in Cyber Security Research), and Professor of Software Engineering, Lancaster University, comments:

“The key question we need to consider is how and why such an attack could propagate from a non-critical system such as email to other systems and across multiple NHS trusts. Our society increasingly relies on interconnected systems to deliver key services such as health. It is essential that such systems are properly isolated and suitable security measures put in place to avoid attacks propagating from a compromised part of the system to others.

“Equally essential is how an organisation such as NHS responds to such a large-scale incident. What are the recovery mechanisms in place and how can the systems recover quickly to avoid the large-scale disruption that we are seeing in this case? These are fundamental security considerations that all organisations – not only those in the NHS – should be implementing.”

Further comments were released on the 17th of May.

Nick Coleman, Chair of the Institution of Engineering and Technology (IET) IT Panel, said:

“The far-reaching impact of Friday’s cyber attack has proven that any organisation is at risk of being hacked.  Good security measures and training can help to reduce the risk of attacks from becoming disruptive.

“While most organisations have plans for security, that isn’t enough.  Nor is taking solace in the use of patches.  While a strategy of planning and patches has been relatively successful this time, it would be naïve to think that we can patch every cyber security vulnerability as we transform to an increasingly connected world.  Instead, for now, questions on cyber security governance and frameworks are hopefully among the discussions taking place in boardrooms today.  These are big and complex questions – and ones that organisations of all sizes need to consider regularly.

“What should be chief among those considerations are questions like – What are the cyber risks the organisation faces?  How well is the security plan actually working?  How good are response mechanisms – and does the overall security programme have clear metrics for measuring success?  Are people at all levels of the organisation, including the CEO and leadership, able to know what their responsibilities are?  And how are key suppliers and stakeholders dealing with their own cyber risks?

“In the longer term as we move to an increasingly ‘smart’ world where nearly every device and machine is getting digitally connected, a solution to the problem is the establishment of a Government department focused on this ‘smart’ world’s emerging engineering challenges.  This would be the most effective way of driving forward legislation and governance that can improve awareness of this important subject among businesses and the general public.”

Dr Theo Tryfonas, Reader in Smart Cities and Lecturer in Systems Engineering, Department of Civil Engineering, University of Bristol, said:

“In my view, the scale of impact to NHS systems in particular, reveals a worrying lack of resources and commitment from senior management and political leadership. It would be wrong to blame day to day operational practices and individual NHS staff for e.g. clicking on inappropriate content, not having available backups etc. This could have been the case, had it been an isolated incident that affected one or a few hospitals. Measures such as instigating a proactive security culture, building awareness of risks and facilitating resilience in the face of incidents across a complex organisation are only built upon investment and real commitment of the highest layers of political and organisational leadership.

“But there is also another dimension, pertaining specifically to the nature of procurement of IT in the public sector; for many years now many other sectors have realised the value of computing as an underlying service and of information as an essential utility – similar to energy or water. There needs to be a shift in our mentality towards this analogy to ensure the commitment required. For far too long IT procurement in the public sector has been seen as an exercise of purchasing equipment, disconnected from the essential nature of the services it enables. This makes it easy during cost-cutting exercises to consider risky trade-offs, for which the perceived risk is much lower than what is actually at stake. In an age of austerity it may be difficult for NHS’ IT managers to justify the purchasing of flashy equipment and software licenses, when front-line staff are under threat of redundancy. And yet we see the impact of these decisions when such an incident occurs.”

Prof Martyn Thomas, Professor of IT, Gresham College, London, said:

“Microsoft is right to say that everyone including Government agencies should behave responsibly and tell software companies about any security vulnerabilities that they find so that these can be fixed.  The top priority for security agencies such as the NSA should be making the world a safer place for everyone – not leaving the whole world at risk so that the agency’s staff can spy more easily.

“But there is a strong smell of hypocrisy when Microsoft takes no responsibility for the ways in which defects in Microsoft products expose their customers and others to unacceptable risks.  Microsoft has made billions of dollars profit out of its software, so why was it acceptable to stop issuing free patches to correct critical safety and security faults in Windows XP and other products?  Governments should ensure that software companies are liable for defects in their products, irrespective of any disclaimers in the (largely unreadable and unread) licence terms.  Only then will software companies have enough incentive to invest in the science-based software engineering methods and tools that could prevent most of the errors that cybercriminals exploit.

“What is going to happen when ransomware becomes ‘clampware’, attacking automobile software through the vehicle’s radios, phones and other networks?  Who will be responsible for rescuing stranded motorists and how long will it take?  Or will we all just have to pay what the criminals demand to release the car, lorry or ambulance?  A modern car contains tens of millions of lines of software – which with current software industry standards means many thousands of software defects.

“Software engineers have known for 40 years that you cannot find all the defects in software by testing it; even a small system would need billions of tests to be run to test every possible combination of circumstances.  Software manufacturers who rely on a test-and-fix approach to security should be made liable for all the avoidable defects in their products.

“The latest ransomware attack was not especially sophisticated and it was designed to make money rather than to cripple our society or our economy.  It shows just how vulnerable we would be in the face of a well-resourced attack that was calculated to do maximum damage.

“We need a radically different national cybersecurity strategy – one that maps out a route towards a world where software products are certifiably secure and where software manufacturers provide enforceable guarantees.  We need to train software developers in rigorous software engineering and to require licensed engineers to develop, install and maintain critical software systems.”