The 'WannaCry' and related ransomware attacks, which disproportionately affected much of the NHS a couple of weeks ago, signals that urgent work needs to be done in that sector. There are also wider lessons for any other business or organisation - given the dependency of all institutions on IT systems, the large numbers of users and devices that connect to those systems and the increasing requirement for 'always on' capability. This blog post will address five key observations that are aimed at stimulating planning and thinking.
Basic IT Maintenance
IT systems must be up-to-date with the latest 'patches' to ensure that known technical vulnerabilities are addressed by vendor-supplied software. In addition, protective and adaptive software should be in place to protect the overall system from the outside world, i.e. from the actions of users and exploitation at ports and in firewalls ('end point' security). Senior management must understand reliance on (and the implications of that reliance) unsupported legacy systems, and have a plan in place to migrate from this risky reality to a sustainable one.
Staff Awareness
This ransomware and other cyber security threats may well exploit users - perhaps compelling them to click on links in an email or providing malware when certain websites are visited. Although employees, contractors and others should be made aware that they are increasingly likely to be the target of cyber criminals and others - systems should also protect users from themselves. Phishing (smart emails seeking user compliance with instructions) and spear-phishing (emails targeted at a specific user), and the use of other ways to exploit legitimate system users will not become any less common. The quantity of emails or notifications from other IT systems received - and the pace of work that we all pursue - means that we are unlikely to be able to reliably filter out such attacks.
In fundamentally open environments such as hospitals, campuses, transport hubs and so on there is an additional challenge above and beyond that which faces many other organisations. Any business should increase and maintain staff awareness of warning signs amongst their fellow employees and workers of behaviour and actions that are out of the ordinary. Legitimate users of systems can be subject to exploitation (e.g. via blackmail) or placed by a determined criminal enterprise (e.g. by acquiring a job solely to gain trusted access) - but in open environments there are many opportunities to connect devices to networks or collect important log-ins from academic staff.
Business Continuity
A key (and unacceptable) aspect of the NHS malware crisis was how an avoidable technical vulnerability - which was far from the most acute and difficult cyber munition imaginable - managed to instantaneously and protractedly affect the delivery of key services to clinicians and the patients that they serve. No doubt other effects were felt as well (e.g. payments to suppliers). Despite the employment of professional business continuity and disaster recovery officers, the existence of non-executive directors with oversight, risk registers and board meetings which look at continuity and crisis arrangements - there was no graceful degradation to delivery of vital services in a way that caused minimal or zero disruption.
In the business world, always on or high availability concepts drive plans and investment which ensure that customers can always rely on - say - an airport to work, save for exceptional circumstances. Malware such as WannaCry is not exceptional, and plans and processes should have ensured that services continue with minimal disruption by drawing on practiced alternative provision.
Organisations should review their continuity, recovery and crisis management arrangements to ensure that should - for example - normal systems become unavailable, alternative provision is available via a fall-back or fall-over capability.
What Else Is Inside the Fence?
It is a natural human tendency, albeit one which should be resisted, for senior managers to recover from an embarrassing and stressful incident, draw a line under it and move on. After the WannaCry incident, this is the last thing that the NHS and any other sector should do. If systems are so vulnerable that this malware could gain access and wreak havoc, the uncomfortable question must be (for those who were and were not so affected) - what else is inside the fence? There are very likely to be more sophisticated, more damaging, well-concealed and toxic malware lurking. Perhaps these have been leaking information or changing data - or are pre-placed to enable system failure or some other kind of damage at a future time (the so-called advanced persistent threats, APTs).
What Other Vulnerabilities Are There?
Just as public and private sector organisations should fear what additional malware and further threats are already pre-placed within the perimeters of their systems and processes - so, too, they should take this as a rather timely wake-up call to ensure that technical, operational and human resources are as invulnerable to exploitation by sophisticated or less sophisticated risks. Imagine, for example, the strategic, reputational, legal, recruitment, regulatory and existential consequences for a university that suffers a hack (or compromise through placing or creating an insider) that led to manipulation of grades, alteration of submitted work or deletion of assignments. Short of such a worst-case scenario, unavailability of systems would lead to organisational and employee stress and inability to meet basic service level agreements.
Conclusions
For those unaffected by WannaCry, this is an urgent warning signal that IT systems (oh, and people) need to be checked to ensure that - to the satisfaction of senior management's risk appetite - they are neither hosting malware nor susceptible to other attacks. Further, events have demonstrated that even after massive investment, promised levels of business continuity and crisis management could not be relied upon in the NHS. Again, rapid action should be taken by public and private sector organisations to ensure that minimum levels of service can be delivered no matter what the cause. The idea that defaulting under pressure to improvisation with 'pen and paper' is acceptable should be laid to rest. A graceful degradation to a baseline standard of quality needs to be assured.
Achieving these difficult but necessary capabilities will require c-suite interest and drive supported by translation to them of complex technical information. In addition, values and standards of absolute rigour to uncover weaknesses, address compromises and report genuine resilience are indispensable. All corporate bodies need to ensure that they have both enduring and reactive immunity to technological or human risks.
Dr Mils Hills has longstanding and unique experience in research and policy on information, cyber warfare and wider organisational security. The UK's first 'security anthropologist', Mils has led a national research capability for the Ministry of Defence, worked at national strategic level for the Cabinet Office and undertaken consultancy to boards in the public and private sector. Mils' track record extends to before 'cyber security' was invented (it was known as 'electronic attack' to cover all threats that targeted electronic systems). Since 2010, Mils has led research, course development and consultancy - currently as Associate Professor of Corporate Security at the University of Northampton.