Graeme Robertson/Getty Images

Oscar Williams

News editor

Public bodies are woefully vulnerable to the march of cyber crime

Barely a month passes in 2017 without some kind of IT failure hitting the headlines, but the hacks, leaks and breaches that make the news may represent just the tip of the iceberg.

A new investigation by the i newspaper has revealed that public bodies have been breached 400 times over the last three years.

The real number may be higher still. More than half of NHS trusts and one in ten councils refused to answer questions put to them by the i’s team of reporters.

The motivations for such attacks are varied. Some hackers want to extort money and steal data. Others simply want to wreak havoc.

To casual observers, the threat may seem abstract – but cyber crime has a real world impact, a truth thrown into stark relief in May when the NHS faced its biggest hack yet.

A gang of cyber criminals since linked to the North Korean government released a virus dubbed WannaCry into the wilds of the internet. It quickly found its way into the poorly protected systems of the NHS, encrypting files as it spread.

Fortunately, the proliferation of the ransomware, which demanded victims pay a fee to have their files released, was stalled when a 22-year-old computer whizz known as Malware Tech found a killswitch.

But considerable damage was done before the NHS’s IT teams had a chance to stop the virus. Doctors and nurses were forced to cancel thousands of operations and appointments as techies scrambled to get systems back online.

Public bodies such as the NHS are far from alone in being targeted by hackers. But the figures revealed by the i indicate that the public sector may be particularly vulnerable to the march of cyber crime. One hospital told the paper WannaCry was the price it paid “for a very long-term under-investment in IT infrastructure”.

It’s a sentiment echoed by the Chartered Institute for IT, which concluded in a report last month that the WannaCry strike could have been averted if hospitals had spent more time skilling up their staff.

“The [strike] was bound to happen, it was just a matter of when,” said David Evans, the institute’s director of policy. “Whilst doing the best with the limited resources available, it is clear that some hospital IT teams lacked access to trained, registered and accountable cyber-security professionals with the power to assure hospital Boards that computer systems were fit for purpose.”

The threat of cyber crime will only increase as hackers develop ever more sophisticated methods of attack. The Register, an IT news site, reported last week that experts now fear hackers will create ransomware tailor-made for particular organisations.

Public bodies could become prime targets for such a strike, given the importance of the work they carry out, but too many remain poorly protected.

The creation of the National Cyber Security Centre (NCSC), a spin-off from GCHQ, was welcomed by experts last year. Yet there is only so much the organisation can do to defend public bodies without assuming complete control of their systems, an approach that is neither practical nor desirable.

The impetus for change must come from within, but even with the best will in the world, executives in the public sector are powerless to protect their organisations unless they have the money to do so.

Government needs to ensure NHS trusts and other bodies have the funds to adequately secure their systems. If custom-made ransomware takes off, WannaCry 2.0 could be far more destructive – and it may not have a killswitch.

This article also appears on NS Tech’s parent publication www.newstatesman.com