Although the global ransomware attack that heavily affected the NHS was unwelcome, it has provided an opportunity to test systems and raise awareness on key issues, according to Alex Dewdney, director for engagement and advice at the National Cyber Security Centre (NCSC).
“If you wanted to mount a national communications programme to make people sit up and take notice, you couldn’t have designed one better than this,” he told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London.
“I never thought I would hear so many ministers using the word ‘patch’, which has now become part of everyday conversation, so we need to take that opportunity and to build on that.”
Dewdney emphasised that the NHS was not targeted specifically, although NHS networks were affected significantly in the UK. Other UK organisations were affected, but the diversity of victim organisations was much greater in other countries around the world, including Russia.
Although the spread of the ransomware has slowed, it spread initially very quickly by using a specific vulnerability in the Microsoft file sharing protocol sever message block known as SMB to propagate in and between networks.
“In March 2017, [Microsoft] issued a patch for supported operating systems, and following the attack they issued emergency patches for unsupported operating systems as well,” said Dewdney, noting that while these patches prevent the spread of the infection, they do not help organisations to get back encrypted data.
Dewdney confirmed that the attackers behind the ransomware are still unknown, but he said the level of sophistication is well within the reach of “criminal entities” requiring the NCSC to work at an extremely high tempo. “It is easily the biggest and most complex cyber incident the NCSC has had to manage so far,” he said.
In response to the attacks, the NCSC’s incident management function was called into action. The initial focus was on understanding the technical characteristics of the attack, how it was spreading, and who the victims were.
The incident management team was also working to establish who was behind the attack and what the initial attack vector was, but these questions remain unanswered to a high level of confidence five days after the attack.
The NCSC also started looking at ways to protect victims and potential victims in terms of publishing advice on how to immunise against the ransomware and contain its spread, as well as what to do if already a victim. The NCSC was also working directly with some victim organisations to help put guidance into practice and help remediate.
Importance of security partnerships
The incident underlined the importance of partnerships for the NCSC, said Dewdney, including partnerships that were formed to scale the response and make inroads into this problem in a way that the NCSC could not have done on its own.
“We are still working very closely with the National Crime Agency [NCA], which has staff embedded in our teams. The NCA was able to deploy on the ground with victims at scale. They are also a vital source of information and forensic data, as well as analytic and investigative effort,” he said.
The NCSC is also still working with NHS digital and Care Cert. “The size and complexity of the health sector meant that we needed that central docking point to work with, and they did a fantastic job under very difficult circumstances,” said Dewdney.
The role of the NCSC’s industry partners was also absolutely critical, he said. “I cannot emphasise enough how grateful we are for the extent to which our partners in the cyber security industry really leaned in to help and pool the information they were gathering.”
According to Dewdney, the Cisp cyber information sharing platform “really came into its own”, both as a platform for sharing information and for discussion. “We need to build on that as a really key way of getting stakeholders to have live discussions about this kind of problem,” he said.
There was an international aspect too, said Dewdney, including the information that was provided to the international computer emergency response network and collaboration with the US.
At the same time, he said it was a truly national response, with the NCSC quickly establishing contact with authorities in Northern Ireland, Wales and Scotland.
“The Scottish government resilience room proved to be a really effective means of co-ordination, and the facility has some lessons to teach the rest of us across the UK about how quickly and effectively it is possible to reach out across all of the potentially affected sectors.”
Dewdney also highlighted the importance and the challenges of the media. “I think we did pretty well at pace in briefing senior politicians to speak, preparing ourselves directly in broadcast media, and using our web presence and social media to get the right messages across at the right time.
“LinkedIn proved to be a really important and useful platform, but we didn’t really engage in that, and that is an important lesson for us,” he said.
Overall, Dewdney said the NCSC bringing various organisations together under one roof also really proved its worth.
“There was a lot of consistency in what government was saying – officials, ministers and across our platforms. We achieved a greater consistency and therefore a greater sense of authoritativeness in what we were saying than we would have achieved before the NCSC was set up. We were able to get the messages out quite quickly and provide the assurance that patients’ confidential data had not been stolen,” he said.
NCSC ‘in the market for feedback’
However, he admitted that producing specific, usable and helpful guidance was a challenge. “How do you get messages across that are sufficiently technically detailed to be of practical use, but also easy to understand and follow.”
The NCSC decided therefore to publish a set of guidance for enterprises and another set for small to medium-sized enterprises (SMEs) and consumers, which is continually being refined and updated in response to feedback from those communities.
“We are really in the market for feedback around how we are getting those messages across and how they can be improved and made more useful,” said Dewdney.
One of the key lessons learned, he said, was about the power as well as the limitation of advice and guidance.
Dewdney said people are continually told to patch and update the systems, “but the fact is that people don’t always do it, so what we have got to realise as cyber security practitioners is that advice and even instruction is much easier to give than it is to follow”.
“We have to recognise that in the real world competing pressures and hard choices can easily get in the way. So we will continue with those exhortations, but as we mobilise campaigns to really make this happen across government, business, critical infrastructure and for consumers, we need to find the right mix of the ‘stick’ on the one hand and help to overcome those hurdles on the other,” said Dewdney.
Read more about the NCSC
- The National Cyber Security Centre is unashamedly ambitious in aiming to make the UK the safest place to do business online, which chief Ciaran Martin sees as an achievable goal.
- The UK’s NCSC and NCA publish a joint report on the cyber threats facing UK businesses, outlining the best response strategies.
- The NCSC has the right pedigree to coordinate and balance the cyber security efforts of government, industry and academia, says GCHQ director Robert Hannigan.