This blog posting represents the views of the author, David Fosberry. Those opinions may change over time. They do not constitute an expert legal or financial opinion.

If you have comments on this blog posting, please email me.


Lessons From The Massive Ransomware Attack

Posted on 15th May 2016


There are several very important lessons to be learned from the recent enormous ransomware attack (reported here, by the BBC), which affected at least 99 countries and had a huge impact on the National Health Service (NHS) in the UK.

The attack was a worm (not a virus), meaning that the infection passes directly from one networked device to another, without the need for any user interaction (so being careful about which email attachments you open is no protection against this kind of spread).

The attack was stopped, in part, by the efforts of a UK security researcher known as "MalwareTech", who found a "kill-switch" coded into the worm: a domain name that the worm looks up before it does anything else, and which, once registered, makes it stop. This kill-switch prevents new devices being infected by the worm, but it does nothing for devices that were already infected; their files stay encrypted.
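As an added illustration (constructed for this page; it is not the worm's code and not anything published by MalwareTech), the following Python models both sides of a domain-based kill switch: the check the worm performs before it encrypts and spreads, showing why registering the domain stops new infections but leaves existing victims encrypted, and the defender's use of resolver logs to find hosts that ran the worm. The domain `killswitch.example`, the fake resolver, the host names and the log lines are all placeholders; the real kill-switch domain is not named here.

```python
"""Model of a DNS kill switch: why registering the domain halts new infections
but leaves already-encrypted machines encrypted, and how the lookups it causes
can be used to find infected hosts. Constructed example, not the worm's code."""
import re

# Placeholder stand-in for the kill-switch domain (the real name is not given here).
KILL_SWITCH_DOMAIN = "killswitch.example"


def kill_switch_tripped(domain, resolve):
    """The worm's first action: try to resolve the domain and halt if it resolves.

    `resolve` is any callable that returns an address or raises OSError, the
    behaviour of socket.gethostbyname; it is injected so the example never
    touches real DNS.
    """
    try:
        resolve(domain)
    except OSError:
        return False      # unregistered domain: worm carries on
    return True           # registered (or sinkholed) domain: worm exits


def make_resolver(registered):
    """Fake resolver: `registered` maps domain -> address; anything else fails."""
    def resolve(domain):
        if domain in registered:
            return registered[domain]
        raise OSError(f"{domain}: name does not resolve")
    return resolve


def propagation_round(hosts, encrypted, resolve):
    """One round of worm propagation across `hosts` (a set of host names).

    Every not-yet-hit host the worm reaches runs the kill-switch check first.
    Returns (newly_encrypted, encrypted_after). Encryption is irreversible here,
    as it is in reality: tripping the switch later never restores files.
    """
    newly = set()
    for host in sorted(hosts - encrypted):
        if kill_switch_tripped(KILL_SWITCH_DOMAIN, resolve):
            continue      # worm exits on this host: no encryption, no further spread
        newly.add(host)
    return newly, encrypted | newly


# Defender side: resolver/sinkhole logs. Constructed lines in a generic
# "client=<ip> query=<name>" format; adapt LOG_RE to a real resolver's format.
LOG_RE = re.compile(r"client=(?P<ip>\S+)\s+query=(?P<name>\S+)")

SAMPLE_DNS_LOG = [
    "2017-05-12T10:41:03Z client=10.20.3.44 query=killswitch.example type=A rcode=NXDOMAIN",
    "2017-05-12T10:41:05Z client=10.20.3.44 query=update.example.org type=A rcode=NOERROR",
    "2017-05-12T10:52:17Z client=10.20.7.9 query=killswitch.example. type=A rcode=NXDOMAIN",
    "2017-05-12T11:03:40Z client=10.20.1.2 query=intranet.example type=A rcode=NOERROR",
    "2017-05-12T16:30:12Z client=10.20.7.9 query=killswitch.example type=A rcode=NOERROR",
]


def hosts_that_queried(log_lines, domain):
    """Return the sorted unique client IPs that looked up `domain`.

    A lookup of the kill-switch name means the worm ran on that host. The rcode
    tells you more: NXDOMAIN means the domain was not yet registered, so the
    worm went on to encrypt; NOERROR means the switch tripped and it exited.
    """
    seen = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("name").rstrip(".").lower() == domain.lower():
            seen.add(m.group("ip"))
    return sorted(seen)


if __name__ == "__main__":
    network = {"ward3-pc01", "ward3-pc02", "mri-console", "pharmacy-srv"}
    # Before the domain is registered: the worm spreads from the first victim.
    unregistered = make_resolver({})
    new1, enc1 = propagation_round(network, {"ward3-pc01"}, unregistered)
    print("before registration, newly encrypted:", sorted(new1))
    # After the domain is sinkholed: no new victims, but old victims stay encrypted.
    sinkholed = make_resolver({KILL_SWITCH_DOMAIN: "192.0.2.1"})
    new2, enc2 = propagation_round(network | {"reception-pc"}, enc1, sinkholed)
    print("after sinkhole, newly encrypted:", sorted(new2), "still encrypted:", sorted(enc2))
    print("hosts that ran the worm per DNS log:", hosts_that_queried(SAMPLE_DNS_LOG, KILL_SWITCH_DOMAIN))
```

The point for incident responders is the last function: once the domain is sinkholed, the sinkhole operator's logs and your own resolver logs list every host that executed the worm, including the ones that checked the domain before it was registered and therefore went on to encrypt.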

  1. Firstly, it is a timely reminder for everyone, even people who do not own a computer, smartphone or other computational device, that the modern world is full of cyber-threats and that there is no way to guarantee protection from them. The chaos caused in the NHS shows that people's lives can be severely disrupted, including lives put at risk, by attacks on our infrastructure. If you own or administer computers, this is a reminder of how vital it is to take regular and frequent back-ups (keeping at least one copy offline or otherwise unreachable from the machine, since ransomware encrypts any drive it can write to), and to keep those devices up to date (security patches, and updates to anti-virus and firewall software).
  2. It is also a reminder that organisations such as the National Security Agency (NSA) in the USA, who developed the hacking tool upon which this ransomware worm was based, cannot keep anything secret, and cannot be trusted to develop or use such technology. It is no use blaming WikiLeaks for publishing data on the hacking tools that the NSA had developed (as far as I know, they did not publish the actual code); the NSA themselves are to blame for being insecure. Maybe the UK government should sue the NSA, on behalf of the NHS, for the damage caused by them letting the exploit code leak into the wild.
  3. One thing to note is that the NSA, and similar organisations around the world, do not seem to be under any legal obligation to notify vendors such as Microsoft about security holes that they find. Nowadays there are many so-called white-hat hackers who, when they find a security vulnerability, notify the responsible vendor and give them a month or more to roll out a fix before publishing their discovery; the NSA doesn't, and the reason is that they want systems around the world to remain vulnerable so that they can hack them themselves. If the NSA were not so leaky this wouldn't be such a problem, but sadly they are notoriously insecure. Microsoft themselves are warning (here) about the dangers caused by governments stockpiling data on software security vulnerabilities.
  4. Another rather important lesson here is that an obsolete operating system like Windows XP should never be used for mission-critical purposes. It has officially not been supported by Microsoft for years (extended support ended in April 2014), and is seriously insecure (and not just because it is a Microsoft product). These PCs should long ago have been upgraded to, or replaced with, something more secure and under support. Personally, I would never recommend any version of Windows for any use where security is important (Linux is inherently more secure, cheaper, and faster), but if you really want to use Windows, at least make sure it is a current and supported version.
  5. There is also an important lesson for the UK government (or maybe for the voting public). This report by the Mirror describes how the government cut the support which it had been providing for all these obsolete Windows XP computers in the NHS about a year ago, despite ample warnings of the cyber-security risks: the Government Digital Service decided not to extend a £5.5 million one-year support deal with Microsoft for Windows XP. What they did not do, however, was provide central funds for replacement or upgrade, nor did they put in place a centrally managed and funded replacement/upgrade programme; they simply told the NHS that they should take care of the problem themselves. This was arrogant and financially motivated irresponsibility of the highest degree. If the support from Microsoft was to be continued, the cheapest and most effective way to get it would have been through a contract with the UK government, not through piecemeal contracts with individual NHS bodies; if the PCs were to be upgraded or replaced, again, the cheapest and most effective solution would have been a centralised programme. This situation just highlights how cheaply the UK government values the lives and health of the populace.
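A practical follow-on to lessons 1 and 4, added here as an illustration rather than anything from the original post: a short Python check that reads an asset inventory and flags hosts whose Windows version is past Microsoft's published end of extended support, so that an organisation can see which of its mission-critical machines are running unsupported software before an attack makes the list for it. The end-of-support dates are Microsoft's lifecycle dates; the inventory, the host names, the role labels and the reference date of 12 May 2017 are constructed for the example. Windows 10 is deliberately left out of the table because it is serviced per release, so the check reports it as "unknown" rather than silently passing it.

```python
"""Flag inventory hosts running a Windows version that is past its end of support.
Added illustration; the inventory below is constructed, not a real NHS asset list."""
import csv
import io
from datetime import date

# End of extended support (last security updates) per Microsoft's lifecycle.
# Windows 10 is serviced per release and is deliberately not listed, so it is
# reported as "unknown" rather than assumed safe.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 8": date(2016, 1, 12),
    "Windows Vista": date(2017, 4, 11),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
}

# Reference date for the example run (assumed; pass date.today() in real use).
REFERENCE_DATE = date(2017, 5, 12)


def support_status(os_name, as_of):
    """Return (status, days_past_end); status is 'supported', 'unsupported' or 'unknown'."""
    end = END_OF_SUPPORT.get(os_name.strip())
    if end is None:
        return "unknown", None
    if as_of > end:
        return "unsupported", (as_of - end).days
    return "supported", 0


def assess_inventory(inventory_csv, as_of):
    """Parse a hostname,os,role CSV and attach a support status to each host."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, days = support_status(row["os"], as_of)
        findings.append({
            "hostname": row["hostname"].strip(),
            "os": row["os"].strip(),
            "role": row["role"].strip(),
            "status": status,
            "days_past_end": days,
        })
    return findings


def critical_violations(findings, critical_roles=("clinical",)):
    """Unsupported hosts in a role where that is unacceptable, longest-unsupported first."""
    bad = [f for f in findings if f["status"] == "unsupported" and f["role"] in critical_roles]
    return sorted(bad, key=lambda f: (-f["days_past_end"], f["hostname"]))


def unknown_hosts(findings):
    """Hosts whose OS is not in the table: these need a human decision, not a pass."""
    return sorted(f["hostname"] for f in findings if f["status"] == "unknown")


# Constructed sample inventory (hostname, operating system, role).
SAMPLE_INVENTORY = """hostname,os,role
ward3-pc01,Windows XP,clinical
mri-console,Windows XP,clinical
pharmacy-srv,Windows Server 2003,clinical
admin-laptop7,Windows 7,office
old-kiosk,Windows XP,office
reception-pc,Windows 10,office
"""

if __name__ == "__main__":
    findings = assess_inventory(SAMPLE_INVENTORY, REFERENCE_DATE)
    for f in critical_violations(findings):
        print(f"{f['hostname']:15} {f['os']:22} unsupported for {f['days_past_end']} days")
    print("needs review (OS not in table):", unknown_hosts(findings))
```

The role column is what turns a bare version list into a risk list: an unsupported kiosk in a waiting room and an unsupported MRI console are not the same problem, and a centrally run programme of the kind the post argues for would start from exactly this ordering.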

As far as I know, no NHS patients died or suffered other major harm due to the cyber-attack; that is pure luck, and next time (because there will certainly be a next time) we may not be so lucky. We have a whole host of services (electricity generation, including control of nuclear power stations, electricity distribution, water distribution, flood prevention, mobile phone networks, emergency services, Internet services, traffic control, air-traffic control, weather forecasting, weapon system control, etc.), most of which are essential and many of which are safety-critical, which depend on computers. Hacking is relatively easy (you can buy kits to develop hacking tools fairly cheaply), while preventing it or repairing the results is hard, expensive and time-consuming. The world really needs to learn the lessons from this attack, urgently.