Sunday, 14 May 2017


Contrary to the scare stories, we do not face a tidal wave of ransomware hard on the heels of the WannaCrypt attack. As is often the case, the media prominence of this technology is a sign of its maturity and imminent decline, not its sudden arrival. The incidence of ransomware has increased in recent years, but that owes more to the emergence of cryptocurrencies like Bitcoin than to the exploits for unpatched operating system flaws stockpiled by the NSA (a practice it has followed for a long time). Writing code to silently encrypt the files on a hard disk is not difficult, because operating systems are designed to run background processes that manipulate files. The challenge for criminals has always been the money-drop: how do you get your hands on the cash without being nabbed by the police? Traditional methods have included wire transfers, payment vouchers (often laundered through online gaming sites) and even premium-rate text messages, but these are unreliable and risky. Cryptocurrencies have proven a boon to all sorts of online extortion.

Though there were earlier examples, ransomware is a product of the client-server ecosystem that bloomed in the 1990s, which meant PCs with valuable data on local disks (and not backed up) plus Internet access and weak antivirus protection. The number of PCs still running old and vulnerable operating systems such as Windows XP is in steady decline, and most of the installed base is found in advanced economies where desktop machines are gradually being replaced by devices, such as smartphones and tablets, that act as terminals accessing remote data in the "cloud" (if compromised, these can usually be fixed by wiping the local storage, reinstalling the operating system and then syncing data over the network, in effect the equivalent of a handset upgrade). The organisations most vulnerable to ransomware (and presumably the handful that have paid the ransom already) will be small businesses or sole traders who have a single PC, ineffective antivirus (a consequence of running older versions of Windows), no reliable data backup, and have probably mislaid the original media and licence keys for purchased application software.

While some NHS trusts may have been foolhardy enough to allow critical data to be stored locally on PCs, it would be surprising if they didn't have network backups, so they're probably not badly affected. In many cases the issue is simply that the PC has been disabled and can no longer be used to access corporate systems that are otherwise unaffected. It's an inconvenience rather than a data breach. Likewise, I suspect the machines hit in private companies such as Renault, Telefonica and FedEx are just as likely to be single-function controllers running old and unpatched versions of Windows, e.g. industrial process monitors or unattended devices like train departure boards, rather than personal desktops. A simple swap-out or rebuild should fix these. What this does highlight, however, is the potential problems that will arise with the spread of the Internet of things (IoT), which is essentially a profusion of many small controllers, each running an embedded operating system that is rarely, if ever, patched. Having your fridge demand money with menaces might sound amusing, but it won't be so funny if the home security system has been compromised and you can't get into your house.

The prominence of the NHS in the UK reports of the WannaCrypt attack has inevitably led to much sage commentary on the self-defeating nature of austerity, not infrequently by dimwit journalists who have hitherto written sage pieces on the need for belt-tightening in the public sector. This is all well and good as far as it goes. Many trusts have clearly skimped on IT security to divert limited funds to the famous "frontline", while the NHS high command was foolish in not properly assessing systemic risk, and the Department of Health was clearly culpable in deciding to stop paying Microsoft to extend critical patch support for Windows XP in 2015 (did Jeremy Hunt imagine that the risk of running an unsupported operating system declined over time, when every newly discovered flaw simply goes unpatched?). But the NHS's particular vulnerability owes more to decisions taken during the years of (relative) plenty in the late-90s and early-00s than to the lean years post-2008, and this can be seen in the fact that the attack has also affected private businesses that do not appear to be cash-constrained. There are three factors that I think are worth highlighting.

First, long before IT was punted as a service, it was punted as a commodity. The promise of the 1980s was that proprietary mainframe and terminal systems could be replaced by client-server systems using PCs that could also provide business productivity tools to key workers. Instead of maintaining expensive in-house development teams writing bespoke applications, businesses shifted to the purchase of commercial off-the-shelf software. While this delivered real benefits in reduced development and implementation costs, it meant that organisations were increasingly dependent on third-party products that were equally familiar to attackers: a single exploitable flaw in a widely deployed product could be reused against every organisation running it. To add to the problem, the distributed computing power of the PC meant that many critical applications were still developed in-house, but now by semi-trained users creating Excel spreadsheets and MS-Access databases. Turf wars often meant that these were kept hidden from the IT department, hence they might not even be backed up routinely.

Second, the growing demand that the public sector should adopt private sector "best practice" meant that this model of corporate IT spread to the NHS in the 1990s. Unfortunately, the weaknesses visible in the private sector were magnified in the public sector by political pressures, specifically the compartmentalisation arising from the creation of internal markets and the emphasis on cost-led outsourcing. This produced weak IT strategy at the enterprise level, fragmented operations at the local level, and a deprioritisation of security and housekeeping outside of legally-mandated data protection. Though New Labour significantly increased spending on the NHS, its u-turn on marketisation ultimately undermined its efforts to improve productivity and organisational resilience by exacerbating these trends. Since 2010, the NHS has had to cope with both decreasing real-terms budgets and even more fragmentation as a consequence of the Tories' strategy to facilitate private sector cherry-picking.

The third factor is the push for devolved decision-making and the decentralisation of commissioning arising from the Lansley reforms. Regardless of what you think about this either as economic and organisational theory or as a practical policy in the area of clinical management, it has reinforced the balkanisation of the IT landscape and helped deprioritise security. Looking back at the use of IT in the health service since 1980, it is difficult to avoid the conclusion that the NHS might have done better to stick with mainframes and dumb terminals. The minimal exposure to commodity malware (terminals hold no local data to encrypt) would have been a plus, but just as importantly, such an architecture would have encouraged data consolidation and consistency, which is probably what the service needs most. Even today, the NHS is still partly dependent on paper records and manual transposition, while the quality of its data service to patients is poor. Of course, a centralised IT system would suggest a centralised and uniform health service, which isn't the ruling vision.

What the WannaCrypt impact on the NHS highlights is that the chickens now coming home to roost originated in the political economy and business ideology of the late twentieth century more than in the technical flaws of operating systems first released in the early years of the twenty-first century. The commodification of IT, the attack vectors introduced by the Internet, and the organisational dysfunction created by marketisation and functional segregation have together produced an environment characterised by under-investment, poor management and systemic vulnerability. The good news is that the NHS should bounce back pretty quickly: crisis-management is its norm. The bad news is that any subsequent inquiry will be of limited value because it will focus on contemporary failings, poor systems control and bad management decisions, rather than root causes: the advocacy of internal markets for complex organisations and processes, and the delusions of devolution and empowerment.

1 comment:

  1. I saw yesterday that MS licensing had been devolved to the trusts a few years ago, another example of fragmentation that inevitably has risks for the integrity of the system.