On Friday, May 12, 2017 a computer virus, known as WannaCry, which encrypts data on infected computers and demands a ransom payment to allow users access, was released worldwide. WannaCry was the largest cyber attack to affect the National Health Service in England, although NHS trusts had been attacked before. A National Audit Office (NAO) report published this month focused on the ransomware attack’s impact on the NHS and its patients, as thousands of appointments had to be cancelled.
Of the 37 trusts infected and locked out of devices, 32 were in the north, and the Midlands and East NHS regions. NHS England believe more organisations were infected in these regions because they were hit early on that May Friday before the WannaCry ‘kill switch’ was activated, by a cyber researcher.
NHS Digital told the official auditors that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. Infected organisations had unpatched, or unsupported Windows operating systems so were susceptible to the ransomware. Leaving aside those specific ‘lessons to learn’ that the NHS authorities have admitted, the high-profile, television news-leading WannaCry affair showed not only the truth behind the moral ‘a stitch in time saves nine’ but how speedily a cyber-attack develops, once it begins.
To state the obvious, cyber-attacks do not recognise borders. Hence Ciaran Martin, CEO of the UK’s official, one-year-old National Cyber Security Centre (NCSC) acknowledged the need for ‘cooperation in cyber security’ in a recent speech. He said: “With some of our closest European partners we are now trying to put in place the sort of infrastructure that is needed for collaboration – things like secure phone lines and the ability to share information at greater scale.”
Ciaran Martin made the point that knowledge is of little use if you can’t act on it. “WannaCry, the global ransomware virus, was a good example of where we fused the high classification analysis with easy to follow, quickly available and highly practical guidance to our citizens about how to contain the attack.” His speech was particular on cyber risks to the election process; ‘our risk mitigation is not just about generic best practice cut and pasted from the Internet but about specific advice to counter specific threats we worried about because we know about them through either classified intelligence or some other source’.