The Times Leader and letters 15th May 2017: Sangfroid?
Not Hacking It
A massive cyberattack has hit businesses and government services worldwide. The NHS was badly affected because it was badly protected
Some cyberattacks are unavoidable. Criminals and the authorities are engaged in a perpetual race to find vulnerabilities in the computer systems on which citizens, businesses and governments rely. Sometimes hackers will find and exploit new weak spots before spooks and technology companies can fortify them. Yet the ransomware attack that paralysed 48 NHS trusts and dozens of GP practices on Friday was not such a case. The vulnerability was well known. This attack was avoidable and, if the government had heeded experts’ warnings, it would have been avoided.
Computer users across the world logged on last Friday to find that access to their files had been cut off. A message on their screens said that they could have their data back, but only after paying a ransom of $300 (£230) in bitcoin, an online crypto-currency which allows money to change hands anonymously over the internet. Europol reports that there are now more than 200,000 victims in more than 150 countries, from car factories in France to couriers in the United States and the interior ministry of Russia.
This was an attack of unprecedented scale. The vulnerability of the health service made the impact in Britain particularly alarming. Thousands of patient appointments have been cancelled. Some transplants and bypasses were halted mid-operation. Cancer sufferers who had arrived at hospital prepared for chemotherapy were turned away.
Unfortunately the attack may not be over. Its progress was halted on Friday night by a 22-year-old blogger who happened upon a so-called kill switch in the code of the ransomware. Since then hackers have released a new version of the software, without the loophole.
The health service was so acutely affected because too many NHS trusts are using ancient computer systems. The perpetrators have targeted a chink in the virtual armour of Windows XP, an operating system first released in 2001. Microsoft learnt of that vulnerability months ago. In mid-March the company therefore released an update to protect remaining Windows XP users. It seems that many NHS trusts failed to install it.
NHS computers should not have been running on antiquated systems in the first place. According to a recent report in the British Medical Journal, 90 per cent of NHS computers rely on Windows XP. Given that, the Government Digital Service should not have terminated its support deal with Microsoft in 2015. An extension, costing only around £5.5 million a year, would have made these incidents less likely and was reportedly recommended by cybersecurity experts at the time.
When the government decided to terminate, trusts were encouraged to migrate to other systems or strike their own support deals with Microsoft, but many did not bother, citing financial pressures. Security should have been higher on their list of priorities. NHS Digital and the Department of Health should also have done more to ensure that individual security updates were installed across the service.
Amber Rudd, the home secretary, has said that lessons will be learnt. They will have to be. Rob Wainwright, the chief of Europol, says the number of cases is ever-increasing. Britain is relatively well prepared, with a national cybersecurity centre backed by £1.9 billion of new funding. Small pockets of insouciance, however, could have disastrous consequences, particularly if future attacks involve the large-scale theft of personal data.
Every company, agency and individual must also share the burden of keeping networks safe. The weapons in the hackers’ arsenal are always changing, and hackers are finding new opportunities to manipulate weak systems for profit across the globe. There will always be risks. This one, however, need not have been passed over.
Sir, The root cause of the horrific National Health Service crash was not the aptly named WannaCry ransomware or the criminals behind it but the lack of NHS expertise in information technology (“Huge hack attack hits NHS hospitals”, News, May 13). The NHS does not need more money for IT; it needs more investment in high-level IT expertise. For instance, how many postdoctoral computer scientists does it employ? How much research is being done to stay ahead of criminals?
Until the National Health Service takes IT seriously, it will continue making poor decisions in buying and managing IT, with harmful consequences such as those we are now seeing.
Prof Harold Thimbleby
Sir, Friday’s cyberattacks on National Health Service trusts were shocking, but it is more than three years since Microsoft stopped providing security updates for Windows XP. For NHS trusts to keep the outdated, insecure system is like a householder leaving the key to his front door under the mat outside, with a sign saying “key to house here”. To allow those attacks to happen was gross negligence. “Austerity” is no excuse because it is not expensive to upgrade the system, and certainly less than the weekly salary of one of the numerous NHS managers.
Robert Rhodes, QC
Sir, Windows XP, which is still used on some NHS computers, was launched in 2001 when Labour was in power. Since then, new operating systems have been launched: Vista and Windows 7 while Labour was in power; Windows 8 under the coalition government; and Windows 10 when the Conservatives had a majority in 2015.
The Labour, Conservative and Lib Dem parties should all take responsibility for not having ensured that trust boards, chief executives, the Care Quality Commission and NHS management stayed on top of their IT systems.
Sir, How much of the blame for the cyberattacks should be laid at Microsoft’s door for forcing costly system upgrades on users by withdrawing support for older, still functioning versions of Windows?
Sir, Could anything be more illustrative of the short-sightedness of NHS underfunding than the huge cost that will now be incurred in updating the computer system?
I hope the government will also reimburse hospitals for the extra costs they have incurred due to the chaos and rescheduling of operations and appointments.
Sir, There is a simple process to reduce significantly the incidence of cyberattacks such as that recently experienced by the NHS.
It should be a disciplinary offence for an employee of any company or institution to open any email attachment coming from outside the company or institution from an unidentified source.
Dr Paul Kilty