WannaCrypt raises questions over government cyber priorities

The fallout from the WannaCrypt ransomware attack which quickly spread to multiple countries and systems last Friday continues to cause consternation around the world.

In the UK scores of National Health Service Trusts were infected, leading to routine appointments being canceled and huge concern over the robustness of critical healthcare systems that are still running on a fifteen-year-old software platform (Windows XP) which is vulnerable to the exploit.

Critics have suggested a lack of government funding has left the NHS wide open to malware attacks that exploit outdated software.

UK Home Secretary, Amber Rudd, sought to rebut that criticism a few days ago, arguing that the success of the WannaCrypt attack on NHS’ systems is nothing to do with “our preparedness”.

“If you look at who has been impacted by this virus it is a huge variety across different industries and across different international governments. This is a virus that has attacked window platforms, the fact is that the NHS has fallen victim to this. I don’t believe it is to do with our preparedness. There is always more we can all do to make sure we are secure against viruses but I think there has already been good preparations in place by the NHS to make sure they were ready for this sort of attack,” she said in a statement at the weekend.

Back in 2015, the UK government announced a five year National Cyber Security Strategy — when it said it would be putting £1.9 billion into transformational investment up to 2020, including for defending critical infrastructure and ecommerce activity from hackers.

It’s not clear exactly how much of that money has been spent so far on upgrading critical systems. But, very evidently, there is still much work to do to get the public sector off of legacy platforms such as Windows XP.

Indeed, as well as multiple NHS Trusts, TechCrunch understands that some of the UK Home Office’s own systems are still running on the platform. According to a source familiar with the matter, the government department uses Windows XP for its Poise end-user computing environment that’s used by civil servants and contractors.

When we contacted the Home Office to ask which of its systems are running on Windows XP it failed to address the question. Instead they responded with general comments that Home Office IT systems are under “constant review”, and the department has been following the National Cyber Security Centre’s advice to secure its systems against the WannaCrypt virus.

The spokeswoman added that the department has put additional security and contingency measures in place — without specifying what those measures are.

In a statement on its website the NCSC urges organizations to follow its advice to limit their risk of being infected by WannaCrypt. “We know already that there have been attempts to attack organisations beyond the National Health Service. It is therefore absolutely imperative that any organisation that believes they may be affected, follows and implements this guidance,” it notes.

The NCSC’s advice for companies to secure themselves from ransomeware attacks includes:

  1. Keep your organisation’s security software patches up to date
  2. Use proper antivirus software services
  3. Back up the data that matters to you

We put several questions to the NCSC about the UK’s cyber security spending priorities — at the time of writing it had not responded but we’ll update this post if they do.

Our source pointed out that many organizations do not upgrade from an older OS because they fall behind a number of upgrades and it becomes increasingly difficult and expensive to make an OS upgrade the further back you are on platform versions. Which underlines how important funding is to this security story — whatever Rudd claims about the UK having no problems with “preparedness”.

Questions about the ongoing reliance in the UK public sector on vulnerable legacy systems need to be asked — not least given a sequence of failed centralized government IT projects, including for health and border control.

Given its public prioritizing of cyber security — including a boost in funding specifically for bolstering critical systems — the optics certainly don’t look good.

In the Home Office’s case it’s not clear what kind of practical impact there might be should some of its internal systems become infected with WannaCrypt. Disruption to asylum applications, for example, would not have the same visibility as disruption to healthcare. But the department also oversees policing and programs related to critical comms infrastructure, such as for emergency services, so there’s potentially public safety concerns here too.

The Home Secretary herself has acknowledged there are “lessons to learn” from the WannaCrypt attack. And it seems very likely the department will be having expedited conversations about upgrading off of Windows XP stat, although it’s declining to talk publicly about anything it’s doing on that front.

Another question mark in this story is the role of domestic intelligence agencies — given that the exploit WannaCrypt is utilizing was apparently stolen from the NSA. And the NSA has a long history of working closely with the UK’s own domestic intelligence agency, GCHQ. Which at least makes it a possibility the UK’s own spy agency might have had some knowledge of or role in maintaining the underlying flaw that’s caused so much disruption here. And even if GCHQ is quietly helping defend the Home Office’s internal systems from this specific flaw, it’s evidently failed to provide such a service to the NHS.

Microsoft has rightly taken flak for not continuing to provide security patches for its older platforms. But the company also put out a strongly worded statement yesterday, laying the blame for WannaCrypt’s spread at the feet of government agencies that have made a practice of stockpiling and even creating security exploits — likening it to if the military allowed stockpiles of conventional weapons to be stolen.

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” said company president and chief legal officer Brad Smith yesterday. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”

“The governments of the world should treat this attack as a wake-up call,” he added. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

Microsoft is advocating for a “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.

Where we stand here and now, with intelligence agencies actively and secretly exploiting weaknesses in security systems, we are very far away from any such accord that security must be a priority for everyone — including every part of government.

But perhaps we’re a little closer to understanding the scale of the risks involved.