According to the Financial Times, the virus was a weaponised development of the US National Security Agency's 'Eternal Blue' tool, part of a "highly classified NSA arsenal of digital weapons leaked online last year by a group called the Shadowbrokers".
Early reports suggested that WanaCrypt0r was distributed by the common route of an email attachment, opened by numerous recipients who did not identify it as suspicious. The 'Eternal Blue' tool referred to above is, however, an exploit for Windows file sharing (SMB), and once inside a network the malware used it to spread to other unpatched machines without any further action by users.
The Guardian reported:
"Many NHS trusts still use Windows XP, a version of Microsoft's operating system that has not received publicly available security updates for half a decade, and even well-patched operating systems cannot help users who are tricked into running software deliberately."
and later:
"It's our governments, via the intelligence agencies, that share a responsibility for creating vulnerabilities in our communication networks, surveilling our smart phones and televisions and exploiting loopholes in our operating systems," said Dr Simon Moores, chair of the International eCrime Congress.
In an interview with Andrew Marr,
"Michael Fallon [was] forced to defend the Government's decision not to fund crucial updates for NHS computer systems, leaving them vulnerable to a global cyber attack which caused chaos at hospitals across the country."
The saving was apparently £5.5m, money that Central Government could instead have spent on keeping national support for XP in the NHS in place. There had apparently been repeated warnings of the risks of running systems on an unsupported XP operating system, including a warning from Microsoft two months before the attack.
"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action."
According to Keren Elazari, the sectors where unsupported software systems are most prevalent are those where safety matters:
"healthcare, energy and transport; as well as finance and other industries where computer systems provide the foundations for modern functionality."
Assuming early reports are broadly correct, this attack raises behavioural, organisational, leadership and reputational risk issues.
Why are parts of the NHS using outdated, unsupported Windows XP?
The obvious answer is cost-cutting by people who do not understand the consequences, in this case the risks of running outdated, unsupported operating systems. This now seems to include a Government minister who did not listen to advice on a subject he did not understand.
If so, this is a classic case of cost-cutting to produce a short-term gain at the cost of a systemic weakness that goes on to cause great pain when the risk eventually manifests. Cost-cutting in ignorance of the consequences is a risk that typically emanates from the highest levels of leadership, and it regularly causes failures.
Why do NHS staff lack the training needed to operate safely on an outdated, unsupported operating system?
It seems that NHS staff lacked the training to identify suspicious emails manually. Candidates as causes of this state of affairs include:
- Ignorant leaders who did not realise that cost-cutting on operating systems created cyber risks to which training might provide a partial solution;
- Leaders who recognised the risks but would not provide training, for example because it would cost money they were not prepared to spend;
- That no amount of training would be sufficient, but leaders either did not know this or did not care.
Who else is using unsupported software in systemically important systems?
Candidates include the supply chains for cash, food, power, water and the internet itself. What might the consequences be for the public?
The UK intelligence agency GCHQ, backed by the UK Home Office under Theresa May, has already inserted backdoors into many encryption systems and recently gained statutory authority to demand backdoors into encryption and other systems, including computers, phones, TVs and anything else containing software. It has statutory authority to hack into computers and other devices worldwide, and there can be little doubt that it, like the NSA, developed tools to achieve this years ago. It also stockpiles vulnerabilities in operating systems, preventing companies like Microsoft from dealing with them. As Brad Smith, Microsoft's president and chief legal officer, said,
“An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”
No organisation can guarantee the security of valuable tools such as these against a determined external attacker or internal leaker. These risks will always be greater than zero.
If surveillance and cyber-warfare tools escape into the hands of criminals or hostile state actors, the potential for harm will broadly be in proportion to the versatility of the tools and the creativity and motivation of their users. There can be no doubt that a determined, skilled and motivated group of hackers could design an event to cause great harm and outrage, just as Al-Qaeda did with its carefully designed and planned "9/11" attack on the USA. These are perfect weapons for the weak.
Given that there is a non-zero risk of cyber-warfare tools 'escaping', the question is whether intelligence agencies, and the politicians who ultimately control them, have considered the risks and consequences of the tools they develop being turned against their own countries and allies. Even if the probability of theft of the tools is thought very low, a foolhardy assumption, the potential for harm to the public is unknowably great.
This is yet another example of the risks of balancing short term gains against the long term consequences of systemic weaknesses. The problem with this balancing act is that it is rarely possible to quantify the consequences of systemic weaknesses, especially where deliberately caused harm is involved. History shows that it is easy to overlook or underestimate them. The problem is exacerbated by leaders' tendency to give more weight to imminent than to distant consequences.
As to the security services, the likelihood is that the current cyber attack will come to be seen as small beer. When that happens, the reputation, and licence to operate, of any security agency whose software has been turned against its own state or a friendly state will be balanced on a knife edge. Other security agencies will be at risk of collateral damage.
As to the NHS, a series of scandals of incompetence, catalogued by Richard Bacon in his book "Conundrum", has left the NHS and its leaders with a poor reputation for competence when it comes to IT. If it eventually emerges that the NHS IT system had weaknesses that left it vulnerable to this attack, its reputation for competence will be damaged further. Evidence emerging suggests that it will also leave the reputation of the minister who cancelled the IT support contract in tatters.
Background reading: You can read more about how behavioural, organisational and leadership risks cause immense harm to seemingly solid organisations in 'Rethinking Reputational Risk: How to Manage the Risks that can Ruin Your Business, Your Reputation and You'. Lord David Owen wrote of it:
"An exceptional book for learning at every level – whether you are a business school student or a chief executive; Prime Minister or a new recruit into the civil service."
You can read reviews of the book here.