#wannacry: cyber defence failure or organisational lapse?

Vladimiro Sassone
Cyber Security Southampton
Oct 28, 2017

Today a Government report acknowledged that the NHS was at fault during the #wannacry attack. Did we need an enquiry to know that?

The well-publicised NHS ransomware event, and more recent ransomware events, which exploited the same vulnerabilities as the NHS attack, were not the first attacks with indiscriminate, international consequences and won’t be the last. However, they give rise to some interesting reflections.

Firstly, things like this do not happen in a vacuum. There are experts — government, IT businesses, and independent consultants — who constantly produce security advisories which one ignores at one's own peril. On this particular occasion, I claim that this is not a cyber defence failure as much as an organisational failure (probably triggered by budget cuts, but this is irrelevant to my point here). The NHS (and others — including, surprisingly, the German S-Bahn) had been repeatedly warned against using obsolete, unsupported software and advised to adopt an aggressive patching and systematic backup policy. This particular attack — as several others before it — was known, not particularly sophisticated, and has only affected organisations which did not take the recommended precautions. Once a vulnerability is in the public domain, you either close it by applying the relevant patch, or stand as a sitting duck, living on borrowed luck.

Admittedly, for organisations like the NHS this represents a big cultural change. These are organisations used to procuring their equipment and then expecting to use it flawlessly for tens of years, without giving it a further thought. The reality is that IT does not work that way. IT systems can be extremely complex, and therefore (for reasons too long to explain here) are not perfect; they are reachable from the global network, and therefore are exposed to all sorts of malicious behaviours and attacks, and so need constant revision. When a critical piece of software is no longer supported, it has essentially reached the end of its useful life and must be replaced, even if to the naked eye it may still appear perfectly viable. This is true of PCs running the obsolete Windows XP, as well as of other scary situations with health devices and implants not designed with security and upgradability in mind.

Finally, there is the issue of the proliferation of cyber weapons. It turns out that this attack was carried out using two exploits developed by the NSA and recently leaked into the public domain. Such is the nature of cyber: once an exploit is used or leaked, it becomes public knowledge, and it takes only basic skills for anybody to replicate it and use it for their own purposes. (This is quite a shocking statement, like saying that once a weapon is fired, anybody is able to acquire and reuse it at essentially no cost.) This cyber attack should illustrate why so many cyber experts and organisations fight strenuously against law enforcement requests for backdoors in systems (remember the Apple/FBI San Bernardino case, anybody?), and it reinforces their case. It is not that these people side with criminals or terrorists, of course. They are rather trying to protect us all from the unthinkable consequences of the systemic failures that will arise if these techniques are leaked into the public domain. As we have seen, these leaks actually happen.

For me, these episodes highlight the following points.

1. Even though cyber security may be extremely complex, most of the attacks we see are easily defended against. Our research [read here] shows that 80% of the attacks we have witnessed in the past few years would have been avoided by some very simple and relatively inexpensive techniques. There is no excuse to ignore warnings like this.

2. Cyber-aware organisations should have policies in place that include: (a) monitoring cyber warning and alert feeds; (b) systematically (and automatically) applying security patches as soon as they become available; (c) installing and running reputable anti-virus software on all their devices; (d) performing systematic backups of all their data; (e) exposing all of their staff to cyber-awareness training.

3. Cyber-aware organisations should redesign their procurement strategies for IT-dependent equipment. Support for security and upgradability should be a first concern. A systematic replacement plan should be budgeted for and implemented for equipment that reaches the end of its upgradable life.
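Points 2(b), 2(d) and 3 above describe policies; the following is an added example (my own illustration, not code from the original post or from any NHS system) of how such a policy becomes a check a defender can actually run over an asset inventory. Every host, end-of-support date, advisory id and patch id below is constructed for the example; a real run would take the lifecycle table and advisory list from the vendor's and the government's published feeds.

```python
"""Inventory triage: flag hosts that must be replaced (unsupported platform),
patched (advisory applies, fix not installed) or backed up (backup too old).
All data in this file is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative end-of-support table (placeholder values; verify against vendor lifecycle data).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Constructed advisories: which platforms they affect and which patch closes the issue.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "affects": {"Windows 7", "Windows 10"}, "patch": "KB-EXAMPLE-1"},
    {"id": "ADV-EXAMPLE-2", "affects": {"Windows 10"}, "patch": "KB-EXAMPLE-2"},
]

MAX_BACKUP_AGE = timedelta(days=7)  # policy threshold, chosen for the example


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    patches: frozenset  # patch ids already installed
    last_backup: date


@dataclass(frozen=True)
class Finding:
    host: str
    action: str  # "replace", "patch" or "backup"
    detail: str


def triage(hosts, advisories=ADVISORIES, today=date(2017, 10, 28)):
    """Return the list of actions the policy requires for the given inventory."""
    findings = []
    for h in hosts:
        eos = END_OF_SUPPORT.get(h.os)
        if eos is None or eos <= today:
            # Unsupported or unknown platform: no patch will ever arrive, so the only
            # remedy is the replacement plan of point 3.
            why = f"{h.os} unsupported since {eos}" if eos else f"{h.os} not in lifecycle table"
            findings.append(Finding(h.name, "replace", why))
        else:
            # Supported platform: every advisory that applies must have its patch installed (point 2b).
            for adv in advisories:
                if h.os in adv["affects"] and adv["patch"] not in h.patches:
                    findings.append(Finding(h.name, "patch", f"{adv['id']} needs {adv['patch']}"))
        # Backup policy of point 2d, checked regardless of platform state.
        if today - h.last_backup > MAX_BACKUP_AGE:
            findings.append(Finding(h.name, "backup", f"last backup {h.last_backup}"))
    return findings


def summarize(findings):
    """Count findings per action so management sees the size of each backlog."""
    counts = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


# Constructed sample inventory.
SAMPLE_HOSTS = [
    Host("ward-pc-01", "Windows XP", frozenset(), date(2017, 9, 1)),
    Host("ward-pc-02", "Windows 7", frozenset({"KB-EXAMPLE-1"}), date(2017, 10, 27)),
    Host("admin-pc-03", "Windows 10", frozenset({"KB-EXAMPLE-1"}), date(2017, 10, 27)),
    Host("mri-console", "VendorOS 3.1", frozenset(), date(2017, 10, 27)),
]

if __name__ == "__main__":
    results = triage(SAMPLE_HOSTS)
    for f in results:
        print(f"{f.host:12} {f.action:8} {f.detail}")
    print(summarize(results))
```

The check deliberately does not look for a missing patch on an unsupported platform: once a vendor has stopped shipping fixes, "patch it" is not an available action, and reporting it as one hides the real decision, which is to budget for replacement.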

4. Society as a whole should keep debating critically any government attempts to demand system backdoors for law enforcement purposes. No matter the motivations behind the request, the consequences of such techniques ending up in the wrong hands can be unthinkable. And as we have seen, things have a way of getting into the wrong hands.

-vsassone
