This country has invested tens of millions of pounds in cyber security measures. We have a National Cyber Security Centre; Security Programme; Crime Unit; Security Strategy; Skills Centre; Security Academy; Security Alliance. Not to mention the activities of our various police forces and the National Crime Agency. And, given the activities of Friday 12 May, GCHQ and the security agencies will have been working overtime.
Hundreds of millions of pounds have been invested in the name of “Cyber Security”. We were told that these electronic foot soldiers were protecting the Critical National Infrastructure, preventing, detecting and resolving crime. In short, keeping us safe from both criminal and state sponsored intrusion.
And yet for all this investment it was a twenty-two-year-old freelance hacker, working with his own equipment in a small bedroom in his parents’ house, who apparently detected the weakness in the WannaCry ransomware and took action to halt it in its tracks and prevent hundreds of thousands more computers from being corrupted.
Over 300,000 computer systems have been compromised in some 200 countries. Great Britain, the United States of America, China, and Russia (one of the worst countries to be hit) are amongst those nations to have been targeted. The conclusion can only be that this was of criminal intent rather than state sponsored disruption.
The fact that so many countries were attacked cannot be prayed in aid as a comfort by those who should have prevented it. Rather, it demonstrates that despite constant warnings from security professionals, IT specialists, and even Microsoft, the “it won’t happen here” attitude has prevailed. Everything has its price and IT complacency has just reaped the whirlwind.
If this ransomware attack does not radically change attitudes, and investment practices, worldwide, and inject a sense of urgency into all those who operate computer systems, corporate or individual, then we are heading for hell in a hand cart. Seeking to achieve political advantage from the systemic failings serves no purpose at all. Indeed, it detracts from the challenge in hand. All governments are culpable, and we need a common solution.
In all the hacking cases that have come to light recently from TalkTalk, the banks, Tesco, Google, the NHS and many others, the common thread is out-dated systems, lack of investment and system vulnerability.
The cost of investment can readily be set against the cost of failure, negative share price impact and the loss of reputation. What cannot be discounted is Board level responsibility for leaving the organisation critically vulnerable. Help, advice and guidance are readily available. Security updates are often free.
Shutting the stable door after the horse has bolted is a comforting, but useless, exercise. The horse has to be secure in the first place.