Russia's largest oil company, multinational firms, Ukrainian banks and India's largest container port have been hit by a massive cyber attack that has once again highlighted how vulnerable both government's and corporations are to cyber attacks.
Last month’s “WannaCry Ransomware” attack, suffered by over 150 countries, was far more serious than most realise. In the UK most of the national health system was paralysed, patients suffered and ambulances were diverted from their routes. In Germany, trains were delayed and in Spain, telephones failed. The impact of this attack seemed to have been assessed mostly in terms of disruption and cost, but there could have been more dangerous consequences. If action is not taken, then certainly there will be.
This was the first attack where lives could have been put at risk. A patient might have been denied urgent life-saving treatment. An ambulance may have arrived too late at an accident, or may not have been called at all due to the phone network being unavailable. There could have been a disaster due to an issue with train scheduling or signaling. Future similar attacks would almost certainly threaten lives.
The threat to life from cyber attacks is likely to increase with greater digitization of countries’ national infrastructure. While WannaCry is probably the work of criminals motivated by money, others with more nefarious intentions will have watched and learned. Daesh (ISIS), al Qaeda and others will probably already be preparing to grab the world’s headlines with a newer potent version of Ransomware.
The attack has been described as a ‘wake-up-call’ but judging by the latest attack, it seems governments have not woken up to what is a dramatic shift from cyber financial crime to a direct threat to citizens lives. Three features of the UK Government’s response to the WannaCry attack are illuminating.
Firstly, possibly because of the distraction of the national election, it was slow to provide direction and accept responsibility. The Home Secretary took 48 hours to assemble COBRA, the national crises committee. The National Health Secretary avoided making any comment for days. The governmental pointed the finger of blame to health service trusts for not updating their software even though the vulnerability had been pointed out to the government. In reality, these trusts are government funded not-for -profit organisations which make difficult decisions on allocating inadequate funds on treatment and infrastructure. Under current laws, they are forced to take risks to balance their books.
Secondly, the issue was viewed as simply a technical one. It was identified as a failure to update an available security patch. There was little appreciation of policy failures that led to the threat. When lives are at risk, as in aviation, operators are legally mandated to implement technical and non-technical measures. This is not the case in the cyber world.
Third, the Home Secretary was quick to reassure that no patient records were compromised. This indicated that she viewed the potential threat from the attack as one to data privacy rather than the more serious one of risk to life.
The UK experience is typical of other governments. There is an absence of thinking within government circles which bridges the understanding of cyber threats from simply technical – to one with political and security implications. A lack of confident leadership is also evident because politicians have not taken time to understand the new opportunities and threats which come with digitising their governments and economies.
Increasing resilience from more menacing future threats, governments should consider some policy options. Making adherence to basic cyber security standards such as ISO 27001 a legal requirement for all critical national infrastructure and major corporations would go a long way to safeguarding against most unsophisticated attacks.
All world powers, the US, Russia and China, have been affected by this attack. This presents an opportunity for governments to collaborate on ways of limiting access to unregulated parts of the Internet. This is to deny criminals and terrorists room to manoeuvre. Idealists will resist this, pointing to the fact that it is the freedoms and absence of regulation that allowed the creativity and enterprise which has led cyber space to become such a powerful opportunity for mankind. That is true, but this very fact now makes it vulnerable to exploitation by people with nefarious motives. As with the American wild west, there comes a time when idealism leads to anarchy, which must be restrained by pragmatism.
Europol, the FBI and other national and international policing organisations should be resourced to do everything possible to pursue the perpetrators of this attack. It is important to send out a clear message to those who threaten the safety of others, that they cannot hide from prosecution. Reporting all instances of cybercrime should be a legal requirement and outlawing government departments and large businesses to pay ransoms will help law enforcement do its job.
Finally, both Microsoft and Russia have accused the US Government of creating the software tool used by WannaCry. The ‘Eternal Blue’ tool allegedly developed by the NSA was used in the attack. Governments should apply the same legal constraints on the development of software weapons by their spy and defence agencies as they do on landmines. Otherwise, these cyber weapons will create more insecurity than security for their countries.
Above all, it is important that politicians educate themselves about their leadership responsibilities in this new domain. The internet is an amazing opportunity for human progress. In the wrong hands, it is an opportunity for those with selfish motives to cause suffering and distress. Political leaders must now fulfil their primary responsibility of safeguarding their citizens’ lives and property in the virtual world as much as they do in the real world.