Vaccinate the NHS
On 12th May 2017, the NHS discovered it was under attack. Ransomware was spreading through hospitals and GP surgeries, encrypting files and demanding a ransom of around £250 per PC (payable in Bitcoin) to unscramble them. At least 16 NHS trusts were affected, and many non-critical patients had appointments cancelled.
Despite the headlines, this was not an attack directed specifically at the NHS. The malware, dubbed WannaCrypt (also reported as WannaCry), hit systems worldwide. There are confirmed reports of infections in at least 75 countries, and the number of computers affected is certainly in excess of 100,000 worldwide, with some monitoring services claiming to have identified over 250,000 infections in 150 countries. As well as the NHS, other high-profile victims include FedEx, Renault, Germany's Deutsche Bahn (railways), and Spain's Telefónica. There were reports that 20,000 petrol stations owned by China National Petroleum could only accept cash payments as a result of the attack, and that Russia's Interior Ministry had about a thousand computers affected.
The code used by WannaCrypt to spread was based on an exploit developed some years earlier by the US National Security Agency (NSA), and that exploit relied on a defect in SMBv1, the legacy protocol Windows uses to share files and printers over the network. Any machine with the vulnerable service reachable, whether from the internet or from an already-infected neighbour on the same network, could be hit without any user clicking anything. The exploit was stolen from the NSA and, according to press reports, the agency warned Microsoft once it knew the material was gone. Microsoft released fixes (security bulletin MS17-010) on 14th March 2017 for all supported versions of Windows, a month before the Shadow Brokers group published the exploit on 14th April. Microsoft had ended support for XP in April 2014, and so did not issue an XP patch at that time. Support for Vista ended on 11th April 2017, so it only just qualified for the March patch.
When the scale of the WannaCrypt incident became apparent, journalists, pundits, even sneering comedians on panel shows, were quick to criticise the NHS for continuing to use an insecure operating system, calling it an accident waiting to happen, and claiming everyone had been telling the NHS for years that it needed to stop penny pinching and upgrade to a secure system.
That is massively unfair to the NHS. There are over a million PCs in the NHS, and only about 5% of them run XP (less than the global average), but 5% of a million is still a lot of PCs to manage. Upgrading a perfectly good XP machine to run a later version of Windows is expensive. Not only do you need to pay Microsoft for a new version of Windows to overcome the myriad of manufacturing defects in the original they sold you, but you also need faster hardware, more memory and a bigger disk. You might also need fresh copies of your specialist application software, updated device drivers, or possibly new peripherals if the older models are no longer supported, tech support to transfer your data, hours to reconfigure it to get things back where you want them, and you have to train staff in how this new-fangled operating system works.
Before you criticise the NHS for continuing to eke out the life of older XP machines, ask yourself how you would feel if a department was running short-staffed and cancelling appointments for a week because the budget for a nurse had been spent on a shiny new computer which has icons for Amazon shopping and Netflix, where you can download an advert-funded app to get today's weather and news on the desktop, which lets you store data somewhere on "the cloud" at the click of a button, and which snoops through your emails and patient files so that Cortana better knows what you are interested in and sends god knows what information back to Microsoft.
You should also keep in mind, before laying the blame for WannaCrypt at the feet of XP laggards, that the majority of infections within the NHS were not XP machines but Windows 7 machines, that is, machines running a supported operating system for which a patch had been available for two months. Pundits pointed out that Windows 10 was immune to WannaCrypt, but the counter to that is that this exploit was developed by the NSA years before Windows 10 was released.
Microsoft has got off with surprisingly little criticism. In the midst of the attacks, it issued a statement in which it congratulated itself for being among the first responders to attacks on the internet, whilst placing the blame on government agencies for keeping these exploits secret and calling the incident a wake-up call. It has called for a "Digital Geneva Convention" which would prohibit government spymasters from stockpiling such exploits for use in cyber-warfare, and would instead legally require the agencies of signatory countries to report the flaws back to vendors such as Microsoft so that they could be patched.
That thinking is deeply flawed. Firstly, why would the NSA, CIA, MI5, GCHQ, or any other government spy agency around the world invest the man hours to find bugs in Windows if all they were allowed to do with the information was hand it back to Microsoft? It isn't the job of world governments to fix the security holes in Microsoft's cash cow. Secondly, you can have all the digital conventions you like, but it won't stop criminal gangs dissecting Windows for flaws and exploits.
Such was the seriousness of WannaCrypt that Microsoft provided a headline-grabbing patch for XP (and, at the same time, for Windows 8 and Server 2003), even though these are obsolete operating systems which Microsoft feels no obligation to fix. XP users still needed to discover, download and install the fix manually, since it was not offered through Windows Update. Look at the properties of that XP patch and you will see it was built on 11th February, the same day as the fixes for the supported versions of Windows were built (those shipped on 14th March, February's Patch Tuesday having been cancelled), three months before the WannaCrypt outbreak, which means Microsoft stockpiled it. Didn't it just criticise spy agencies for hoarding bugs? Presumably releasing the patch to the public would not have fitted with Microsoft's commercial strategy, which is to charge people for ongoing XP support and to get everyone onto a paid upgrade treadmill.
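A caveat for anyone who wants to repeat that check: the "Modified" date shown in the file's Properties dialog is filesystem metadata and changes whenever the file is copied or touched. The date that actually records when a Windows binary was linked is the TimeDateStamp field in its PE/COFF header. The following Python script, added here as an illustration and not taken from the newsletter, reads that field from any .exe, .dll or .sys file. The header bytes it parses in its demo are constructed inline so that it runs offline; the offsets are those of the published PE/COFF format.

```python
"""Read the link-time stamp recorded in a Windows PE (.exe/.dll/.sys) header.

Added example: the file's Properties dialog shows filesystem dates, which are
not evidence of when the binary was built. The COFF header's TimeDateStamp is
written by the linker and travels with the file.
"""
import struct
import sys
from datetime import datetime, timezone

DOS_HEADER_LEN = 0x40          # size of IMAGE_DOS_HEADER
E_LFANEW_OFFSET = 0x3C         # offset of e_lfanew inside the DOS header
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_LEN = 20           # IMAGE_FILE_HEADER
COFF_TIMESTAMP_OFFSET = 4      # Machine (2) + NumberOfSections (2) precede it


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Raises ValueError if the bytes are not laid out like a PE image.
    """
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # The PE signature and the whole COFF header must fit inside the file.
    if e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_LEN > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + len(PE_SIGNATURE)
    (stamp,) = struct.unpack_from("<I", data, coff + COFF_TIMESTAMP_OFFSET)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def is_pe(data: bytes) -> bool:
    """True if pe_timestamp() accepts the bytes, False otherwise."""
    try:
        pe_timestamp(data)
        return True
    except ValueError:
        return False


def build_sample(stamp: int) -> bytes:
    """Constructed, minimal PE-like header for the demo (not loadable).

    DOS header with MZ magic and e_lfanew pointing just past it, then the
    PE signature and a 20-byte COFF header carrying the given timestamp.
    """
    dos = bytearray(DOS_HEADER_LEN)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_LEN)
    # Machine=i386, NumberOfSections=3, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x010F)
    return bytes(dos) + PE_SIGNATURE + coff


# 11th February 2017 00:00:00 UTC, the build date discussed above.
SAMPLE_STAMP = 1486771200


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "linked at", pe_timestamp(f.read()).isoformat())
    else:
        print("constructed sample linked at",
              pe_timestamp(build_sample(SAMPLE_STAMP)).isoformat())
```

Run it as `python pe_timestamp.py windowsxp-kb4012598-x86-custom-enu.exe` (or against any extracted .dll from the package) to read the real field. One further caveat: Microsoft's newer toolchains can write a reproducible-build hash into TimeDateStamp instead of a real time, so an absurd date from a recent binary means the field is not a clock value, not that the file was forged.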
For all its impact, the creators of WannaCrypt will not have a great payday. The latest estimates are that a maximum of $90,000 has been transferred to the ransomware's Bitcoin addresses, so perhaps 300 people worldwide have paid up. It isn't often that a hacker manages to upset the security agencies of the USA, Russia and China all at the same time, and a haul of $90,000 certainly won't make the risk worthwhile. Every Bitcoin transaction is recorded on the public blockchain, so any attempt to cash out those bitcoins will leave a trail, and those addresses will be watched closely by police forces worldwide for many years to come.
24th May 2017
This article comes from the SKILLZONE email newsletter, published monthly since January 2008 and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.