NHS cyber attack a 'wake-up call' for government

Written by Colin Marrs on 15 May 2017 in News

Governments must start taking cyber security as seriously as physical military security, according to Microsoft’s president, in the wake of the attack which affected the NHS on Friday.

IT professionals have worked over the weekend to reverse the damage done by the WannaCry software, which encrypted files stored on Microsoft software.

But Brad Smith, Microsoft’s president and chief legal officer, in a blog post, attacked governments for “stockpiling vulnerabilities”.

He said: “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”

He said that the attack, which affected organisations around the world, was equivalent to Tomahawk missiles being stolen from the military.

“The governments of the world should treat this attack as a wake-up call,” Smith said.

“They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”

In February, Microsoft called for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to suppliers, rather than “stockpile, sell or exploit them”.

Calling the WannaCry incident a “wake-up call”, Smith said: “We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks.”

Mark Skilton, part-time professor of practice in information systems management and innovation at Warwick Business School, said that Microsoft was right to make its call for joined-up governance.

He said: “The risk and impact of cyber weapons can do the same or more harm than physical weapons. It can indirectly kill patients, change traffic controls, alter car onboard steering systems, change election outcomes and more.

"With the rapid rise of the connected digital society with wearables, automated travel and your privacy and life in full digital view, security is a huge problem.

"Governing the digital world is much harder as the identity of people and things is obfuscated, partly due to the paradox of the need for privacy, but also from the nature of digital data that is re-coded, redactable and transmutable.”

Over the weekend, Microsoft took the unusual step of releasing a patch to fix the vulnerability on Windows XP systems.

The firm stopped support for XP in 2014, but the UK government paid for a year’s extension to give departments and organisations time to migrate to newer systems.

In May 2015, a statement from the Government Digital Service said: “All departments have had seven years warning of the 2014 end of normal support and this one year agreement was put together with the support of technology leaders to give everyone a chance to get off XP.”

GDS said at the time that it expected that remaining government devices using XP would “be able to mitigate any risks, using guidance from the Communications Electronic Security Group.

"Where this is not possible, they may need to review their own short term transition support.”

In an anonymous briefing to The Sun newspaper, a government minister laid the blame for the security breach firmly at the door of NHS trusts.

The minister was reported as saying: “All the trusts were told very clearly to stop using unsupported software, and several times. From April, it was even in their contracts.

“They didn’t. So it is pretty rich when they then turn round and then try to blame us.”

Yesterday, the NHS released documentation for organisations affected by the incident.

It recommended that organisations download the new patch and apply it before reconnecting to the national network.

How the infection made its way onto NHS systems is still unknown. However, Talal Rajab, head of the cyber and national security programme at industry body TechUK, said: “The way these attacks work means that, although there has been no indication of a new wave of the ransomware spreading, there remains the possibility of existing infections from the malware spreading within networks.

“With new, sophisticated means of sending malware, the challenge for organisations is more than just about training employees to ensure that they do not click on infected emails or visit malicious websites.

“The risk of being infected by malware should be minimised by keeping software up-to-date, using the latest anti-virus software and backing up data that matters most.”

Jim Beagle, president of data management firm Bridgehead, which has a number of NHS clients, said: “I think that the speed with which most NHS facilities got back up and running is testament to the robust processes for disaster recovery that they had in place.”
