The NHS attack: where were GCHQ?

The cyberattack on the NHS raises some questions about the dysfunctionality of our security services which, if I were an investigative journalist, I’d want to start digging away at.

The attack uses EternalBlue, code developed by the NSA which exploits vulnerabilities in Windows XP. The NHS has fallen victim because most of its IT still runs on this antiquated system, and Hunt took the decision in 2015 to stop paying for the Microsoft support which could’ve kept the system safe (annual cost of the support: £5.5m, 0.005% of the NHS budget).

EternalBlue was made available this April by hackers calling themselves the Shadow Brokers. Since August last year they have released a number of tools developed by the NSA, all of which in one way or another take advantage of flaws in operating system code to take control of computer systems. (There’s a consensus that there is a Russian connection to this leak of NSA software. Snowden said on Twitter that “circumstantial evidence and conventional wisdom indicates Russian responsibility”. Sam Jones, the FT’s defence correspondent, has also made that connection.)

Here’s what I would be focusing on. GCHQ will have known what EternalBlue and the other exploits can do. You would hope that at least in April, and ideally back in August last year, they would have started worrying about the dangers they might pose to UK IT infrastructure. So why, once the contents of the Shadow Brokers’ release became known, weren’t measures taken to protect critical systems?

The implication is that there was bureaucratic failure: either the people whose job it is to think about cyber attacks on civilian systems failed to communicate the risks arising from the Shadow Brokers hack, or they did, and no-one listened. Someone ought to write the story that teases out where and how that failure happened.