Government security awareness criticised pre-cyber-attack

There’s still only one dominant story in the IT world today and that’s the cyber-attack that caused so much difficulty in the NHS over the weekend.

It may come as a surprise to find that Government Computing (disclaimer: this is published by the same company as New Statesman Tech but there has been no overt link between them and us) was warning that the government had insufficient security awareness. This is in spite of Parliament’s own calls for greater security skills and the institution of the National Cyber Security Centre, all of which had happened in recent months.

April’s survey and the cyber-attack

Nonetheless, almost exactly a month ago, Government Computing reported on a survey of 1500 IT professionals who felt they were insufficiently protected against a cyber-attack if it happened. They were looking to the government for support.

It now turns out that at least some government departments were unprepared in their own right; as we said yesterday, the fact that the attack hit Windows XP, a system released in 2001 and made obsolete in 2014, confirms that the entire incident was preventable. The fact that 100-150 countries (depending on which report you read) were affected confirms that this applies not only to the UK but that it’s a worldwide issue.

Two further elements have become clear since we wrote the first piece. First, the briefings government ministers receive can be wide of the mark. Here’s Jeremy Hunt starting an interview with the BBC by saying: “We don’t know why criminals targeted the NHS” – if 100 or more countries were hit by the same attack it’s patent nonsense to say the NHS was singled out.

Second, curiously, Microsoft appeared to find issuing a security patch very easy and very quick to do. Some commentators on social media have suggested this means it’s behaving immorally by not doing so for older systems as a matter of course; they forget that updating and upgrading is and has always been the business Microsoft is in, and as a business it’s reasonable enough that it’s driven by sales rather than any perceived morality.