
A Few Thoughts on the Ransomware Attacks

I’ve found a certain amount of the coverage surrounding the WannaCrypt ransomware attack really quite annoying, and the responses in many cases quite pathetic. So here are a few thoughts of my own:

  • The NSA, and other governmental bodies, have an awful lot to answer for. Governments love to collect operating system ‘exploits’ to use themselves. They have teams of people either trying to find ways to crack commercially available operating systems, or they go onto the black market and buy exploits from hackers. These vulnerabilities aren’t reported to the software producers like Microsoft. But if I spot a vulnerability and say nothing about it (because I may attack my enemy with it later), there is nothing to stop you finding it too. And you may be more nefarious than me. In this instance, the leaky sieve that is the NSA actually let this and other exploits be stolen from it earlier this year, and it was as a direct result of that theft that this attack took place. Although Microsoft had patched this hole in March, we know hundreds of thousands – perhaps millions – of users don’t keep their systems up to date. Nonetheless, if the NSA had alerted Microsoft to the vulnerability much earlier, rather than sitting on it for its own ends, then more people would have avoided being infected. There is a real issue of responsibility here, as Microsoft itself points out very firmly in a blog published over the weekend.
  • It’s frankly criminal that important infrastructure is still running on a deprecated operating system like Windows XP. This is an OS that launched in 2001 and for which extended support ended in 2014. Microsoft gave seven whole years’ notice that support was ending. Yes, it’s understandable that in parts of the developing world, people are still using these elderly systems. But first world hospitals? It’s no excuse to say that some bespoke piece of software requires this now-legacy OS. With that amount of notice, that equipment should have been upgraded if necessary.
  • The Government must take some responsibility for this. After Microsoft stopped supporting XP, the Government Digital Service chose to pay £5.5m to Microsoft for extended support. But in May 2015 this was not extended, despite thousands of Government computers still, somehow, running XP. This Guardian report from the time made clear that this was a massive security vulnerability. While some individual departments may have paid for extended coverage, many clearly did not. At that point they were massively vulnerable. In the absolute worst case, you’d have expected a rapid transition to newer operating systems within months. Instead, here we are, two years later.
  • In particular, the National Audit Office published a report in 2016 into the NHS’s sustainability. The report included these paragraphs:

    “In February 2016 the Department transferred £950 million of its £4.6 billion budget for capital projects, such as building works and IT, to revenue budgets to fund the day-to-day activities of NHS bodies. Of this, £331 million was exchanged for revenue support for 93 trusts, to fund healthcare services. The Department did not assess the long-term effects of transferring this funding to cover day-to-day spending. This means it does not know what risks trusts may face in future as a result of addressing immediate funding needs.

    “This was the second year that the Department has used money originally intended for capital projects to cover a shortfall in the revenue budget. In 2014-15, the Department transferred £640 million to help mitigate the trusts’ deficit. In the coming years, the Department plans to continue transferring capital funding into day-to-day spending under 2015 Spending Review agreements.”

    In other words, a shortage of NHS cash meant cancelling major IT projects, amongst others, and instead using the money to maintain a day-to-day service. IT upgrades aren’t always just “nice-to-haves.” They’re often essential, as this attack has shown.

Yes – of course the evil hackers are the most responsible people here. And anyone tasked with maintaining IT systems should be ensuring that critical security software patches are applied as soon as they’re released.
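For anyone who does have that job, here is a quick check of the three conditions this post blames for the infections, to be run in an elevated PowerShell session on each Windows host: an out-of-support OS, SMBv1 (which WannaCrypt spread over) still enabled, and the March 2017 patch missing. This is an added example and not something from the original post or from Microsoft; the hotfix IDs and the version cut-off are assumptions to verify against Microsoft’s own MS17-010 bulletin and lifecycle dates for your builds.

```powershell
# Added example (not from the original post): audit one Windows host for the conditions
# behind the May 2017 infections. Run elevated. The hotfix IDs and version cut-off below
# are assumptions: check them against Microsoft's MS17-010 bulletin for your OS build.

function Test-PatchExposure {
    param(
        # Assumption: MS17-010 hotfix IDs for Windows 7 SP1 / Server 2008 R2
        # (security-only and monthly rollup). Replace with the IDs for your OS build.
        [string[]]$RequiredHotfix = @('KB4012212', 'KB4012215')
    )

    # Get-WmiObject rather than Get-CimInstance so this also runs on old Windows
    # PowerShell versions (the elderly hosts the post is about); it is Windows-only.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $version = [version]$os.Version

    # 1. Out-of-support OS? XP and Server 2003 report 5.x; Vista / Server 2008 (6.0)
    #    left extended support in April 2017. Assumption: anything below 6.1 is unsupported.
    $unsupported = $version -lt [version]'6.1'

    # 2. SMBv1 still enabled on the server side? Get-SmbServerConfiguration exists on
    #    Windows 8 / Server 2012 and later; older hosts need the registry value.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # LanmanServer 'SMB1' value: when it is absent, SMBv1 is on by default.
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
    }

    # 3. Is at least one of the expected hotfixes installed?
    $installed = Get-HotFix |
        Where-Object { $RequiredHotfix -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID }
    $patched = ($installed | Measure-Object).Count -gt 0

    # New-Object PSObject rather than [pscustomobject] so old PowerShell versions accept it
    New-Object PSObject -Property @{
        Host           = $env:COMPUTERNAME
        OS             = $os.Caption
        Version        = $os.Version
        OutOfSupport   = $unsupported
        Smb1Enabled    = $smb1Enabled
        PatchInstalled = $patched
        HotfixesFound  = ($installed -join ', ')
    }
}

$result = Test-PatchExposure
$result | Format-List Host, OS, Version, OutOfSupport, Smb1Enabled, PatchInstalled, HotfixesFound

if ($result.OutOfSupport -or $result.Smb1Enabled -or -not $result.PatchInstalled) {
    Write-Warning "Host $($result.Host) is exposed: review the fields above."
}
```

If a host comes back with SMBv1 enabled, `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force` turns it off on Windows 8 / Server 2012 and later; on older hosts set the `SMB1` registry value above to `0` and reboot. A missing hotfix is fixed by installing it, and an out-of-support OS is fixed only by replacing it: no amount of checking makes XP safe to keep running.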

But a combination of state-sponsored one-upmanship in cyber warfare, and a willingness to allow legacy IT to be used for critical services is frankly criminal.

When your actions are leading to hospitals being closed down, the repercussions could easily mean life or death. I trust that a lot of people are taking a long hard look at some of their decisions.