After the NHS hacking - who is really to blame?

15/05/2017  -  4.15

Tony Proctor - Principal Lecturer Cyber Security

So the NHS got hacked last Friday. Already evidence of “the blame game” is beginning to appear. Why were the NHS using outdated / unpatched systems? Why did the NSA “lose” a cyber weapon? Why did Microsoft stop patching XP?

Whilst these and other similar questions may be relevant, what we should be doing most is learning from the experience and trying to prevent these things from having an effect in future. We can’t stop criminals from engaging in criminal activities, but we can lessen the consequences of their actions.

For over 10 years now, I have been involved in running Cyber Security Warning, Advice and Reporting Points (WARPs). These are networks for practitioners to share real experiences of cyber security threats and risks. Indeed, at our recent East Midlands Meeting we discussed MS17-010 (the Microsoft vulnerability being exploited in this attack) and Eternal Blue (the hacking tool “stolen” recently from the NSA). WARPs operate mainly (but not exclusively) in Local Government; perhaps the existence of such information sharing networks is why we haven’t seen so much impact across that sector?

How did it happen? In all likelihood, somebody was sent an email with an enticing attachment, clicked on it and away we go; WannaCrypt set about its business of encrypting files on NHS systems with the intention of holding them to ransom for Bitcoin. The main difference between a “worm” and a “virus” is that a worm will automatically spread across a network without requiring any additional user action; so it will not only affect any drives on the local computer, it will also affect any network storage that the user is connected to. An infection by a worm strikes fear into most network administrators.

As organisations and individuals we can do the following things to lessen the impact of this type of problem:

1) Make sure that systems are updated; do not use systems that are no longer patched.

2) Make sure that we back up all our important data and periodically test that the backups work.

3) Try not to click on links in emails.

4) Use antivirus / security software and make sure that it is up to date.

Amidst the hype, we need to put Friday’s events in perspective; in my opinion this was not really a targeted attack (other than that it was targeting unpatched systems). We have to ask ourselves: in whose interest is it? My suggestion is no one’s, least of all criminals, who do not normally want to draw attention to their activity; they simply want money. Ultimately “the blame” rests with the criminals that engage in this activity.