Doctors across the United Kingdom found themselves on the receiving end of a sophisticated cyberattack on Friday as computer systems in up to 40 organizations belonging to the National Health Service (NHS) fell victim to ransom-ware. Upon gaining access to a computer the attack would encrypt the device, requiring the user to pay a bitcoin (approximately $265 US Dollars) to be able to use any of the files on the computer. A message on the screen told users “if you don’t pay in 7 days you won’t be able to recover your files forever.”
- Cyberattack hits dozen nations 'using leaked NSA hacking tool'
- U.S. watched Russia hack French systems during election
- Israel believes foreign nation directed thwarted cyberattack
In response the NHS shut down its computer network, leaving doctors without access to patient records or phones, or able carry out vital medical activities such as x-raying patients. The effect on health services extended far beyond the computers held ransom. “Everything seemed to be working, but we were told to shut down,” said a London based Doctor. “I came from my surgery to the hospital in case they needed help triaging.”
The situation is developing rapidly, but here are the seven big takeaways from what we know so far.
The scale of vulnerability. This was not an attack targeting the NHS, but a global attack, which the Moscow based Kapersky Labs estimates to have struck at least 45,000 times so far, affecting companies from FedEx to Spain’s Telefonica. The NHS, comprising a massive, complex, and old computer network, was simply a rich target. That such an attack could spread so quickly, through so many different organizations, underscores how vulnerable we are to cyberattack.
Update your systems. The reason the attack spread so quickly in large organizations is that it exploited a networking system for the Windows Operating System called SMB. The vulnerability has been fixed, if systems have been kept up to date. But in many large organizations, with thousands of devices, and old software that may not be updatable such as Windows XP, the vulnerability was not patched. This failure has legal ramifications. “Under the Data Protection Act 1998 there is an obligation to take appropriate organizational and technical measures to protect the data,” explained Mark Watts, head of the Commercial IT and Data Team at the London based law firm Bristows LLP. “The failure to patch software, or keep it up to date, or even the decision to run sensitive medical information on systems that are too old, could itself be a breach."
If it is decided that hospitals and Doctors across the U.K. have failed to take appropriate measures, the costs of updating computer networks all over the country will be vast. Although organizations can take cost into consideration, in determining whether it is feasible to protect data, Watts noted that "there has been enforcement by the Information Commissioner where small businesses have been sloppy.”
Cyber proliferation. The evidence suggests that this attack was carried out by a criminal enterprise in pursuit of profit. But Eternal Blue, the penetration tool deployed in the attack appears to have been developed by America’s National Security Agency. The tool became public after a cyberattack against the NSA last year by a group calling themselves Shadow Brokers, who after trying to sell the software released it on the Internet. At present there is no substantive regulation of the development of cyber-weaponry, or robust measures to prevent their proliferation, especially into the hands of criminals and non-state actors.
Where are the criminals? The attack also exposes how difficult it is to find those responsible. “In cyberspace, authentication of the identity and location of an attacker is ordinarily difficult,” said Doctor Lucas Kello, Director of the Cyber Studies Programme at Oxford University. “In this case it may be impossible owing to the diffuse nature of the actions.”
The starting point in the investigation is to find where the attack got in, and then to trace where information was coming from, and going to, but “it is very difficult to pin down the point of entry,” explained Becky Pinkard, Vice President of Service Delivery and Intelligence at the US cyber firm Digital Shadows. In such an attack there are “thousands and thousands of events to find where they got in.” The other method is to track information travelling back to the hackers, by following the bitcoin payments.
One reason that we know the attacks around the world are by the same group is that the money is going to the same source. “The Bitcoin address associated with this attack on the NHS is the same as the Telefonica attack. Payments have been made,” Pinkard added.
We’re paying ransoms? The British Government has a long established policy not to pay ransoms. But what about the case of an NHS x-ray machine, needed for emergency surgery? And if a primary method of investigation is to follow the money back to the hackers, might paying up be the only way of catching them? That means the government paying criminals. The legal position here is unclear, and is going to need a lot more discussion.
It is only the beginning. The attack is unprecedented in scale, and it could bring unprecedented profits. If any data that has been ransomed is not backed up, it may be impossible to regain the data without paying the ransom. “Bad guys are watching this too,” noted Becky Pinkard; “watching how much money gets made. It will set the wheels spinning.” Cyber analysts are expecting to see an uptick in ransom-ware attacks, and are worried that more leaked government Cyber Weapons could soon be deployed. It will also take a long time to fix existing vulnerabilities.
And the stakes go up. “To-date, no cyber action has caused a loss of life,” noted Doctor Kello, whose forthcoming book The Virtual Weapon and International Order explores emerging cyber threats. “This may be the first to do so. At least, it reveals the real potential for cyberattacks to cause human death.” We are increasingly exposed to cyber threats, and yet policy responses are lagging far behind.