For years the industry, and indeed Silicon, have been warning that an attack on our critical infrastructure was coming. On Friday it happened. And it could have been worse.
Cybersecurity has long been seen as a drag – something that organisations believe has to be endured rather than invested in. It’s not just technical capabilities, it’s culture too.
Threats are only going to multiply as we move more processes online and the world becomes increasingly connected. The Internet of Things (IoT) is evidence of that.
Initial research suggests WannaCry targeted an SMB vulnerability disclosed in the Shadow Brokers leak of bugs known to the NSA. It was patched by Microsoft in March – two months ago – and only for supported Windows operating systems.
Any regular reader of Silicon will have been aware that support for Windows XP ended in 2014 and only organisations who purchased extended updates would be covered. The NHS reached a £5.5 million deal in 2014 for 12 months of additional updates but this was not renewed in 2015.
Back in December, it was reported that of 70 NHS trusts contacted, 48 were still using Windows XP. NHS Digital puts the figure at 4.7 percent of all systems in the NHS technological ecosystem.
This means several NHS Trusts have not applied updates or are still too reliant on XP. As many as 48 Trusts in England were impacted by WannaCry as well as 13 in Scotland.
Other organisations, such as Telefonica, will also have to address their security measures but as a public body and provider of an essential service, the NHS will be held to scrutiny. As will the government.
But even still, if hundreds of thousands of NHS systems are still using XP – no matter how rapidly the figure falls – why on Earth was the government’s support agreement with Microsoft not extended?
Surely the cost of the incident has exceeded the £5.5 million it would have taken to arrange more support. After all, operations were cancelled, ambulances were redirected and staff were reduced to using pen and paper.
So much for the paperless NHS that is perpetually envisaged by ministers.
Home Secretary Amber Rudd has said most of the NHS is now “working normally”, that she hoped Trusts had backed up data and that the incident would encourage hospitals to upgrade to a new platform.
Rudd also pointed out the government’s £1.9 billion cybersecurity pledge but there needs to be action alongside rhetoric.
Funding has to be given to an NHS facing so many other problems and budget cuts and there has to be an acknowledgement among the organisation that the issue of cybersecurity cannot be ignored – no matter how pressed a Trust is.
The technology and cybersecurity industries can be accused of hyperbole, but Friday showed that their warnings cannot be ignored. And there may be worse to come.