UPDATE, MAY 15: Conor McKenna’s discussion with BBC World News about the ransomware attack, its effects, and security measures.
Conor McKenna of EA and the University of Birmingham writes for The Conversation:
In a matter of hours, the UK’s National Health Service was effectively placed on lockdown with computer systems held ransom and other machines powered down to prevent the spread of malware. Critical patient information has been inaccessible and several hospitals urged people to avoid accident and emergency departments, except in cases of real emergencies.
Ransomware is the form of computer malware that has infected the NHS. Typically, it encrypts user information and then demands payment before unlocking the information. In this case the ransomware demanded a fee of US$300 (£230) payable in the crypto-currency, bitcoin, allowing the perpetrators a degree of anonymity.
British law enforcement have called the ransomware a criminal attack rather than one orchestrated by a foreign state. The British public can take some small comfort in this; criminal organisations are not as well-funded and the malware may be easier to remove without the loss of patient files. It is too early to say categorically who is responsible for the attack, though it is certainly the most devastating cyber-attack on British infrastructure ever.
It is not just British infrastructure that has been affected by the ransomware. The Spanish telecommunications firm, Telefonica, was also attacked. There have also been a large number of other suspected attacks, notably in Germany, the Philippines, Russia, Turkey, and Vietnam. A total of 99 countries have suffered from this attack so far. Whether this is as a result of a larger international criminal organisation is still unknown; however, the rapidity with which the infections are spreading is very concerning.
The attackers’ motive is clear, but if one looks beyond the relatively small demands of the ransomware, there is something larger at play here. Cyber-criminals will often boast of their exploits to others to gain a level of prestige among their peers. So while money is often the primary driver for this kind of attack, there may be other motives that will remain hidden.
Out-of-date systems and lack of training
The question of how this could have happened is one that will produce several damaging reports outlining poor training and infrastructure. It has been clear for years that various NHS trusts have been lagging behind with upgrading their systems.
In 2016, Motherboard submitted Freedom of Information Act requests to 70 NHS hospitals, inquiring as to the number of machines owned that were still running Windows XP. An alarming 42 out of 48 respondents stated they still worked with machines using XP, despite the official end of Microsoft support for Windows XP in April 2014. While funding to ease the changeover through extended support and eventual move to a more modern operating system was made available, there are still many NHS computers running the old platform, putting the safety and privacy of patients at risk.
The UK Government could improve this by providing better training. It is not immediately obvious to anyone that accessing personal information, such as e-mails, Facebook, or Twitter, can have potentially damaging consequences. Opening a document from a friend or a link through Facebook can be devastating if proper codes of conduct are not put in place. Something as simple as bringing in a USB (thumb drive) from your home to transfer large files from one computer to another could have the same effect, if the USB has been infected.
Modern anti-virus software and up-to-date operating systems can only do so much. It is therefore vital to invest more in cyber-security training for all staff working with sensitive information. This attack proves that the UK’s cyber-security policy needs further work.