In 2017, the NHS was the most high-profile victim of an international cyberattack. With the imminent phasing-out of support for Windows 7, Guinevere Poncia asks how government institutions are keeping pace with cyberthreats
Credit: Adobe Stock
Cybersecurity is one of the most significant challenges for government.
Using ever-more sophisticated techniques, cybercriminals are unabashed in targeting the UK’s critical national infrastructure (CNI), including telecoms, health and energy.
Increasingly, groups targeting the west also have the backing of aggressive state actors and their intelligence services. China, in particular, has been accused of developing a sophisticated network of hackers tasked with carrying out political espionage, further blurring the lines between the crimes of commercial criminal groups and state warfare.
In recent months, moves by the international community to name and blame those responsible for cyberattacks has pushed the issue up the political and public agenda.
In October 2018, the UK National Cyber Security Centre exposed the Russian military intelligence service (the GRU) as being behind a string of cyberattacks that caused disruption on the Kyiv metro and led to the publication of sensitive documents from the Democratic National Committee and World Anti-Doping Agency.
But whilst such controversies may grab the headlines, in a worst-case scenario, attacks by cybercriminals can lead to a catastrophic shutdown of entire public service systems, affecting millions of unsuspecting citizens.
The imminent phasing out of support for Windows 7 presents a significant challenge – if government is not able to adapt digital security to meet evolving cyberthreats, it leaves highly sensitive data vulnerable to attack, and the track records of many departments are not good
Although the UK has not been subject to the most severe form of cyberattack, which results in loss of life or long-term loss of essential services, it is difficult to forget the disruption caused in 2017 when Wannacry ransomware shut down computers across the NHS. The international attack was orchestrated by North Korean actors the Lazarus Group, hitting over 100 countries. In the UK, the NHS IT infrastructure was crippled, resulting in 19,000 appointments being cancelled.
The attack had huge political ramifications, with shadow health secretary John Ashworth accusing Jeremy Hunt of ignoring obvious warning signs. One decision, in particular, caused furore: a few years prior to the WannaCry attack, the government terminated a £5.5m deal with Microsoft to provide support for Windows XP.
NHS computers were consequently operating on outdated software, leaving them increasingly vulnerable to attack. Critics accused the government of severe negligence. Lib Dem home affairs spokesperson Brian Paddick said of the then home secretary, Amber Rudd, “This is not the first time she has looked lost in cyberspace”.
While that contract may have been a victim of austerity cuts, it is concerning to think that the government saw fit to deprioritise cybersecurity, given the seriousness of the consequences and the relative inevitability of attack.
As one commentator put it: “the [WannaCry strike] was bound to happen, it was just a matter of when”.
Notably, in 2018, then security minister Ben Wallace rejected a call from the Joint Committee on National Security Strategy to create a ministerial role dedicated to cybersecurity and protecting the UK’s CNI. At the time, there were at least six ministers with responsibilities in their portfolio related to cyber resilience, an arrangement the Committee called “wholly inadequate to the scale of the task facing government”.
Since then, despite heightened concerns about the presence of companies such as Huawei in the UK’s critical telecoms infrastructure, little has changed.
Legacy of woe?
A more recent report from the Science and Technology Committee identified legacy IT systems as a severe cybersecurity risk. The imminent phasing out of support for Windows 7 across Whitehall presents a significant challenge – if departments are not able to adapt their digital security to meet evolving cyberthreats, they leave highly sensitive data vulnerable to attack, and the track records of many departments are not good.
Just last year, the Home Office, for example, had to apologise over data breaches relating to the Windrush compensation scheme and EU citizens seeking settled status in the UK after accidentally sharing their details. A future breach of this data would not only undermine individual privacy rights but may also have massive implications for immigration or visa processes. A lack of security also beckons a similar national catastrophe to the 2017 attack.
Having said this, various moves are being made across government to tackle the problem. The Ministry of Justice, which suffers a disproportionate amount of data breaches, recently revealed plans for a £250,000 cybersecurity review. NHS Digital has also tapped Accenture for a £40m perimeter security deal. NHS Digital worked on the procurement process alongside NHSX and the National Cyber Security Centre, the latter providing leading guidance to businesses and the public sector.
DCMS announced funding to develop diverse talent in the cybersecurity sector, with investment in cyber skills hoping to reap benefits for government security strategy in future.
Looking beyond 2021, when the government’s National Cyber Security Strategy ends, lessons from the WannaCry attack, and the implications of such events on citizens, will surely inform the renewal of any cross-departmental approach.
Cyberthreats ought to be regarded as one of the most serious threats to government security. It is therefore imperative that with all future procurement and policy decisions reflect the urgent need to keep pace with rapidly evolving cyberthreats.
Look out later this month for an exclusive PublicTechnology research project revealing the prevalence of Windows 7 across government and the rest of the public sector. and shining a light on the scale of the challenge faced in eliminating the risk posed by software’s imminent end of life process