Date: 2017-06-28

Russia's largest oil company, multinational firms, Ukrainian banks and India's largest container port have been hit by a massive cyber attack that has once again highlighted how vulnerable both governments and corporations are to cyber attacks.

Last month's "WannaCry Ransomware" attack, suffered by over 150 countries, was far more serious than most realise. In the UK most of the national health system was paralysed, patients suffered and ambulances were diverted from their routes. In Germany, trains were delayed and in Spain, telephones failed. The impact of this attack seemed to have been assessed mostly in terms of disruption and cost, but there could have been more dangerous consequences. If action is not taken, then certainly there will be.

This was the first attack where lives could have been put at risk. A patient might have been denied urgent life-saving treatment. An ambulance may have arrived too late at an accident, or may not have been called at all due to the phone network being unavailable. There could have been a disaster due to an issue with train scheduling or signaling. Future similar attacks would almost certainly threaten lives.

The threat to life from cyber attacks is likely to increase with greater digitization of countries' national infrastructure. While WannaCry is probably the work of criminals motivated by money, others with more nefarious intentions will have watched and learned. Daesh (ISIS), al Qaeda and others will probably already be preparing to grab the world's headlines with a newer potent version of Ransomware.

The attack has been described as a ‘wake-up call’ but, judging by the latest attack, it seems governments have not woken up to what is a dramatic shift from cyber financial crime to a direct threat to citizens' lives. Three features of the UK Government's response to the WannaCry attack are illuminating.

Firstly, possibly because of the distraction of the national election, it was slow to provide direction and accept responsibility. The Home Secretary took 48 hours to assemble COBRA, the national crisis committee. The National Health Secretary avoided making any comment for days. The government pointed the finger of blame at health service trusts for not updating their software, even though the vulnerability had been pointed out to the government. In reality, these trusts are government-funded not-for-profit organisations which make difficult decisions on allocating inadequate funds on treatment and infrastructure. Under current laws, they are forced to take risks to balance their books.

Secondly, the issue was viewed as simply a technical one. It was identified as a failure to update an available security patch. There was little appreciation of policy failures that led to the threat. When lives are at risk, as in aviation, operators are legally mandated to implement technical and non-technical measures. This is not the case in the cyber world.