It is now apparent, from sources like the FIPR alerts, that the damage inflicted on NHS systems by Wannacry was much more localised than at first appeared. Few Trusts or Surgeries still use XP other than for items of equipment not connected to networks, e.g. oscilloscopes. More-over most of the infections were to unpatched Windows 7 systems.
At this point arguments blaming vulnerabilities on the Government for not spending more on NHS IT start to crumble. So too do arguments blaming widespread incompetence on the part of NHS management.
We are left with “yet another round of hype” from the Cyber Cartel – or are we?
I like to think that the way that GCHQ/NCA jumped in to “help” will indeed mark a turning point in the fight against on-line crime – “at last they are doing something useful with their bloated budgets”.
I should, however, begin by quoting one of those who thinks I am wrong:
“I don’t agree that turning policing over to GCHQ is sensible. It’s not just that they’re a franchise of the NSA who developed this exploit and then lost control of it. Their priorities are too different from those of the police.
Cybercriminals go unpunished because local police forces can work with forces overseas only through the NCA, to which they have access only through regional organised crime units. The NCA prioritises offences of interest to ministers and the tabloid press such as child sex
abuse images and terrorism. The NCSC fronts for GCHQ and shares its interest in state actors and critical infrastructure. Neither of these organisations has the right mission, or the right incentives for general law enforcement. So a million UK households will suffer a traditional
property crime this year, like burglary or car theft – while between three and four billion will suffer some kind of scam or fraud, almost all of which are online.
Now that crime has moved online, like everything else, the police are no longer doing their job, and neither the NCA or the NCSC is filling the gap. This is going to require major change, not just giving the spooks a few million a year more. They already have plenty.”
I do not believe we should turn policing over to GCHQ.
Nor do I believe that all police investigations requiring international liaison should be routed through regional organised crime units and the NCA.
I also agree that the the NCSC and GCHQ have the wrong mission and incentives for general law enforcement.
The majority of over over 65s have, however, now been targeted by criminal consortia, collating information stolen from banks, credit card operations and on-line marketing services in support of increasingly sophisticated mixes of on-line phishing, phone impersonation and courier fraud to attack those whose savings are most worth looting.
The victims are 2.5 times more likely to die within the next year.
At least one police force now has addressing this plague as its top priority.
The NCSC and GCHQ now have the powers and technology to help.
“Attack on the NHS” may be “fake news” – but that is not a reason for using it as an excuse to change the priorities of the NCSC and GCHQ.