Photo taken from the Norse Attack Map
The blame game reached a new level this weekend, as the NHS was hauled up in the court of public opinion, but the critics miss the point.
How parochial has the UK media become? A cyber-attack hits 150 countries, infecting hundreds of thousands of computers, and all the UK media care about is the supposed incompetence of the NHS.
Think back to a week ago. It seems that the biggest criticism levelled at the NHS was that it was management heavy – too much money spent on admin, not enough on nurses.
Now we are told it is incompetent because of the way it managed its IT.
The Conservative party blames the NHS, with the Defence Secretary, Michael Fallon, accusing the NHS of failing to follow government advice to reduce exposure to Windows XP.
Labour blames the government for making the NHS take money from its IT budget to spend on other areas and they cite a decision in 2015 not to renew a contract with Microsoft to renew computer systems.
But if you really want to look for someone to blame, then look towards the NSA – the US National Security Agency – look towards the criminals, the lowlifes who are willing to blackmail organisations that are trying to save lives, but above all, blame the 21st Century and recall that the real lesson is not so much security, it is about communication and transparency.
The NSA found the bug in the Microsoft software in the first place. Instead of alerting Microsoft, it kept it secret to use as a potential tool to support spying activities. And then it was stolen. It is the NSA, not the NHS, that should be the focus of media wrath. If European banks can be fined for failing to monitor money laundering exposure effectively, shouldn’t the NSA be fined an order of magnitude more money?
Microsoft said that “this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.” It drew a comparison with WikiLeaks, and said: “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
It added that “an equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen” and said the “attack illustrates a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
Neither should we forget that the people behind the WannaCry attack are criminals. As such, we must remember that they chose as their targets organisations such as the NHS. Who knows if this will result in any deaths? If it does, then the perpetrators of this crime become murderers; they are the true villains.
But then in the world of cybercrime it is almost too easy. Earlier this year, Fresh Business Thinking interviewed Florian Malecki, SonicWall’s International Product Marketing Manager. He said: “These days, if you want to make money illegally, and you think selling drugs or robbing a bank is a tad risky, there is always the dark web, you can find companies that will act on your behalf, ‘hacking as a service.’”
What lessons can we learn?
Well, for one thing, the next time we get a message on our computer saying that the machine needs a software update, we don’t react by swearing or cursing and saying “I’ll do that later.” All of a sudden, such updates become a matter of burning importance.
We must back up data, of course – although there is always a danger that the data we have backed up is already infected.
Earlier this year Microsoft called for a Digital Geneva Convention. It said that “the governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
But Microsoft truly hit the nail on the head when it said: “We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks.”
And that is the point. Microsoft made the headlines by calling the WannaCrypt attack “a wake-up call for all of us.” But actually, “collective action” is the key – instead of casting blame on the victims, it is time to focus on working together – collective action, and not collective blame, is what we need.