UK Government Funding for Cyber Security

The recent cybersecurity attack on NHS Scotland’s Lanarkshire trust has been confirmed to be the result of ever-prevalent ransomware.

Ransomware is a type of cyber-attack where your files and data on your computer are encrypted in such a way that they cannot be accessed without a special decryption key. This key is held only by the perpetrators of the ransomware, who will release the key only on payment of a ransom, often in anonymous cryptocurrencies like Bitcoin.

This type of attack is on the rise, and was the cause of the much larger NHS Ransomware attack on NHS services earlier this year by the ransomware ‘WannaCry’. This attack used very similar software, and even exploited the same vulnerability which had not been fixed by the Lanarkshire trust.

The vulnerability can be found in the legacy Windows XP operating system, still used by many government organisations. Microsoft stopped officially supporting Windows XP back in 2015, but due to the serious nature of the original NHS attack, which affected elsewhere in the world, Microsoft released an urgent fix. Companies and organisations were very slow to install this update, which allowed the success of the attack on NHS Scotland’s Lanarkshire trust.

There are good reasons why some companies and organisations continue to use legacy software. Banks, for example, have an incredibly complex array of computer systems, all using legacy software. Upgrading these computer systems may be possible for the banks, but the consequences of the upgrade going wrong could be devastating for the global financial system.

For the NHS, however, the underlying reasoning is rather more involved and obscure. Prior to the 2015 cut-off date on which Microsoft’s support for Windows XP ended the Department of Health, who oversee the funding of the NHS, strongly advised NHS trusts to upgrade their computer systems by this date. Many trusts failed to make the upgrade in time.

In order to compensate for this, the Department of Health signed a contract with Microsoft to continue to provide support for Windows XP to the NHS. At the time, the Department of Health had little choice but to sign a contract with Microsoft because otherwise confidential patient information and life critical machinery would have been put at risk of cyber-attacks.

This contract with Microsoft had long since expired by the time of the hard hitting ‘WannaCry’ attack several months ago and the more recent Lanarkshire trust ransomware attack. but there are still many NHS trusts that have not upgraded their computer systems, This was after Microsoft gave a critical notice to the Department of Health advising them of the security flaw.

Ross Anderson, Professor of Security Engineering at Cambridge University, said the ‘WannaCry’ attack is ‘sort of thing for which the Secretary of State [for the Department of Health] should get roasted in Parliament’.

‘If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, then whose fault is that?’ Professor Anderson told the Guardian.

Having seen the impact of cybersecurity threats first-hand, naturally, NHS trusts will be looking to secure their computer systems by any means necessary. The Department of Health is also injecting a further £21 million into effected trusts to help improve cybersecurity.

Many people are beginning to ask: Who let these cybersecurity attacks happen in the first place? Why did so many trusts ignore the repeated warnings from Microsoft about an imminent security threat? Was it due to lack of training, staff, or inward investment?

Clearly the Department of Health has a lot to answer for, but more importantly if NHS trusts continue to fail to upgrade their computer systems, there will be more cybersecurity that threatens patient’s personal information and potentially their lives.

Ultimately, the UK government was lucky during the ‘WannaCry’ attack ago in that most of the civil service remained unaffected by the attack. With many other departments in a similarly vulnerable position, it could have been far worse.