On Friday, the internet era’s largest and apparently most damaging cyberattack to date infected the systems of roughly 200,000 victims in at least 150 countries. Experts said the bulk of the attacks targeted Russia, Ukraine, and Taiwan. However, Chinese universities, multinational companies such as FedEx and, alarmingly, UK hospitals were also badly hit by the ransomware. Called WannaCry, the malware infects computers and locks users out of their files until the administrator pays to regain access.
The effects of the cyberattack were especially crippling for the UK’s National Health Service (NHS), with hospitals across England and Scotland affected. Operations were canceled, ambulances were diverted, and vital patient records became unavailable. Some hospitals were even forced to stop admitting patients. The delays continued into Saturday, and the extent of the damage is still unclear. It is still unknown whether any patients died as a direct result of the cyberattack, but given the scale of the interference, it appears to be a serious possibility.
In figuring out who or what is responsible for the alarmingly broad vulnerability to the crippling attack, key public policies and security strategies need to be reexamined. Two policies that need a closer look in the wake of the attack are the US National Security Agency’s focus on creating dangerous offensive measures over defending the US and allies from those same measures, and Britain’s mounting failure to properly fund its NHS.
The vulnerability that allowed for the attack was identified several years ago by the NSA, and was most likely shared with British intelligence. However, these organizations apparently failed to warn anyone else at the time. In fact, the technology that was used in the attack was stolen from the NSA, according to several independent malware researchers.
It was not until the hacking toolkit itself was leaked last month, along with other tools, that Microsoft offered a patch fixing the problem. Unfortunately, many systems did not update in time.
Some cybersecurity experts pointed to a problematic strategy on the part of US security agencies: focusing on offensive measures rather than defense. The fact that the hacking toolkit was created by the NSA, but then allowed to leak, would support that assertion.
Edward Snowden, the former NSA contractor who leaked information about US surveillance programs in 2013, put the blame primarily on the NSA and similar agencies for the attack.
“Despite warnings, (NSA) built dangerous attack tools that could target Western software,” he said. “Today we see the cost.”
He also added that if the NSA “had privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, this may not have happened.”
If nothing else, an earlier disclosure would have left much more time for computer systems worldwide to apply a patch to close the vulnerability, and to take proper measures to guard against such an attack.
Britain’s National Health Service, for example, has tens of thousands of computers still running the obsolete Windows XP system, and had failed to renew its support contract with Microsoft at the time of the attack. Despite calls from National Data Guardian Dame Fiona Caldicott, these systems were not updated. Some of these vulnerabilities were the result of users bypassing security measures they found overly obstructive, but limited financial resources also played a part. In addition to the cost of new software licenses, the cost of retraining users and providing them with technical support can be massive.
According to Shadow Secretary of State for Health Jonathan Ashworth, concerns had been raised repeatedly about the NHS’s outdated computer systems, which he said left them vulnerable to the attack. In a letter on Sunday to the Secretary of State for Health, Jeremy Hunt, Ashworth wrote:
“As secretary of state, I urge you to publicly outline the immediate steps you’ll be taking to significantly improve cybersecurity in our NHS. The public has a right to know exactly what the government will do to ensure that such an attack is never repeated again.”
Labour leader Jeremy Corbyn pointed out, following the attack:
“In 2014, there was a one-year renewal of the protection system on the NHS systems which was not renewed and so systems are now not upgraded and not protected. As a result, we’ve got this dreadful situation.”
In February, the British Medical Association (BMA) said at least £9.5bn in upfront spending would be necessary to build a secure future for the NHS. The BMA’s chief said the NHS had reached a “breaking point.”
That same month, researchers argued in the Journal of the Royal Society of Medicine that “relentless cuts” were also to blame for 30,000 deaths in England and Wales in 2015.
It should not take an unprecedentedly disastrous cyber-attack to make it common sense that the NHS should be properly funded.
Responsibility for the vulnerability of global computer systems to the cyber-attack goes much further than the NSA’s strategies and the funding problems that have plagued the NHS. However, these two issues are prime examples of the consequences when government entities neglect their obligation to protect the public. The costs, which have yet to be quantified, will fall only on the victims, with little blowback on the public and private organizations whose choices allowed the attack to inflict so much damage. The attack also shows the need, in an era in which society increasingly depends on the internet, to protect these networks as a matter of national (and global) security. If the agencies tasked with ensuring this security, such as the NSA, are contributing to the problem while failing to ensure protection, then a public conversation is clearly needed to examine whether such agencies are fulfilling their mandate. If Britain’s NHS is failing to support the health of its citizens, in a crisis or otherwise, then changes need to be made there as well.