As posted on Who is to blame for exposing the NHS to cyber-attacks?

Three days after the WannaCry ransomware outbreak and a string of questions have emerged. Could the intelligence agencies – the NSA and GCHQ – have done more to prevent the attack? And, in the UK, is the NHS to blame for allowing itself to be so vulnerable?

The chain of events starts with the NSA. It discovered the weakness that made the ransomware so prolific which was then stolen by a hacking group known only as Shadow Brokers, thought to be linked to the Russian government.

The Shadow Brokers first appeared last year, and has published five separate leaks of hacking tools stolen from the NSA since then. “Responsible disclosure” – the practice of warning companies before revealing security flaws – is not something the group partakes in, and its data dumps appear to be timed to embarrass the NSA and US government with little care for the collateral damage.

The fifth and most recent dump contained the vulnerability, nicknamed EternalBlue by the NSA, which allowed WannaCry to spread so far and fast. On the face of it, the flaw was fixed by Microsoft without comment a month before the Shadow Brokers leak was published, leading many to assume the NSA had tipped the developer off about the existence of the vulnerability.

“The real problem,” said Ilia Kolochenko, chief executive of security consultancy High-Tech Bridge, “is that in 2017, the largest companies and governments still fail to patch publicly disclosed flaws for months.” Microsoft even went out of its way to issue a public, free fix for Windows XP, a version of its operating system which has not been sold for more than eight years. The security company issued a blistering attack on the NSA, comparing the leak to “the US military having some of its Tomahawk missiles stolen”.

There are further questions for the NSA and GCHQ. Both agencies technically have two responsibilities: to protect their national IT infrastructure, and to become effective hackers in their own right, to break into the networks of adversaries domestic and foreign. Underlining that split, Britain’s National Cyber Security Centre is a subsidiary of GCHQ.

Jim Killock, executive director of the Open Rights Group, points out that those mandates conflict, and that not for the first time the security agencies chose to keep a vulnerability secret so they could use it themselves, rather than help fix it so their citizens were made safe. “GCHQ have a lot of questions to answer about their very dangerous strategy of hoarding knowledge of security problems,” Killock said. “The National Cyber Security Centre should be made independent of GCHQ so these risks can be balanced without bias.”

As for the NHS, why did so may of trusts fail to apply the Microsoft fixes, or patches? Even those trusts that still run the dated Windows XP operating system are largely paying high fees for “custom support”, which means they should have had access to the vulnerability fix in time. But such updates are not always simple to administer.

“It is important to recognise that patch roll-outs are complex,” said Adam Meyers, vice president of cyber security company CrowdStrike. “High-profile patch fiascos have made IT departments wary of automatic patch installations. Organisations often run testing, to double check that applying the patch does not knock over their IT systems.”

For a health service, such considerations are critical. Expensive, specialist equipment may not work with newer operating systems, or require whole new software to be written to enable compatibility. Upgrading a home computer to the latest version of Windows is tricky enough, and most Microsoft customers do not have to make a 15-year-old MRI machine working alongside it.

And so the question comes back to money. A better-resourced NHS might have had enough IT staff to keep the networks functioning while testing and applying patches, buying new hardware, and updating operating systems, a point Labour has been keen to make in the context of the election campaign.

But many other organisations around the world were hit by the WannaCry: politicians are unlikely to accuse Telefonica, FedEx or Deutsche Bahn of being resource-starved, yet they too fell prey.

If the intention is to find somebody to blame, then the finger should principally be pointed at the malware authors themselves, who chose to unleash WannaCry in an attempt to extort money.

The malware has spread beyond its authors wildest dreams – and their nightmares. Bitcoin, the medium through which WannaCry demands payment may provide a veneer of anonymity, but the combined efforts of the world’s security agencies are now seeking the hacker authors out.