specialists in agile and advanced IT management and IT governance systems for complex business and IT landscapes
specialists in agile and advanced IT management and IT governance systems for complex business and IT landscapes

The NHS Ransomeware Attack in the Context of the IT Industry

18 May 2017



In April 2017 I purchased a new laptop. It was a well-known make from a well-known high street retailer. Each time I go through the process of transferring data and programs to a new machine the task seems to become more difficult but this time things became much more complex much more quickly. I was installing a new version of Microsoft Office when an error message appeared on the screen together with a helpline number. I called the help line and assumed that I was talking to Microsoft.  The agent diagnosed the problem (a virus) and asked permission to take control of my machine in order to fix it. Something made me suspicious and after a short conversation to confirm my suspicions I declined the kind offer of assistance and restored the device to its correct pre-delivery status minus the virus – a virus that I believe was probably installed before shipping. The national support people for the retailer requested that I report the incident to the police via actionfraud.police.uk . This site is designed to collect statistics by threat type and it helps if you can classify the threat you have experienced. 

I concluded that the post purchase process for hardware and software is getting more complex; cyber-crime is more widespread, is international in nature, and has probably infiltrated the assembly process; and there seems to be little interest in gathering evidence in order to actually capture and prosecute criminals.

The NHS case

On Friday 12 May 2017 a ransomware virus was unleashed across the globe affecting computers worldwide. Particularly badly affected was the NHS here in the UK. Although on a much larger scale than my home challenge there are many similarities. We can assume that the NHS has issues upgrading to new (and safer) releases of software especially when old equipment still has to be supported and that the virus was able to exploit the vulnerabilities that this created. Cyber-crime is now definitely more widespread, can be indiscriminate, and those responsible are not ethical in their selection of targets. Whilst this was happening the police were bystanders, powerless to act.

Few will be concerned about my problem and the month-long process that was background to this thinking but we should all take notice of the May event which I believe will prove to be a water shed for the industry. 

The Case for Action

The industry must ensure that software is virus free and make it easier to secure networks and devices. Security must be builtin. There are many players involved in even the smallest installation and the security of each component must be standardised and tightened so that users, managers, and business owners can be assured that the total infrastructure and its data is secure. 

Cyber-crime is widespread and we have been far too tolerant of cyber criminals. The language is almost that of the gaming generation; we talk about cyber-attacks (not criminal destruction), data leaks (not theft), hackers and computer geeks (and not criminals who are stealing and putting people’s lives at risk). They have their own currency (bitcoin) and agencies that will allow them to exchange this for real money without providing personal identification. The law is not deterring these criminals. 

Society has allowed the internet to remain the wild west of computing for too long and we have been slow or reluctant to control it. The lazy and less competent organisations are being punished now but unless we act quickly we could all be held to ransom. To date the authorities have dumped this into the “too difficult” box because its technical, because it’s not like other crimes, and because it requires international cooperation, but a solution must be found.

In an earlier blog, in response to a statement by Sir Tim Berners Lee, I had said that it was time to challenge the users’ right to withhold identity. Every event on the internet should be traceable to a responsible and identifiable person. Our email should only arrive if its source and embedded links can be trusted.

Technology for the security, management and governance of IT, or anything

Technology management, security and governance are all of crucial importance to a successful business but there is still little understanding in the boardroom of how these should be measured or controlled. We researched the problem and we are working on a prototype system that will introduce automation to the management and governance of IT that is suited to the digital world, that is consistent with the latest broader management thinking, and which will enable IT to be managed and controlled from the boardroom. The management philosophy embedded within this thinking will improve not just how we manage security but the whole enterprise.

Copyright© May 2017, Dr David Miller, ITDYNAMICS Ltd      All rights reserved

Print Print | Sitemap
© ITDYNAMICS™ 2011 All rights reserved