It is tempting to see this week’s cyber security crisis in Irish healthcare as inevitable. Most economically-advanced countries have experienced some sort of major cyber incident. Indeed, the event bears some resemblance to the most testing moment of my six years running cyber security in the UK; almost exactly four years ago the NHS experienced serious digital disruption. Demands for payment in cryptocurrency appeared on the screens of doctors’ surgeries. Ireland’s turn, so this argument goes, had to come sooner or later.
Yet Ireland has been singularly unfortunate. Ransomware – the locking of computer systems followed by the issuing of extortion demands to the victim to unlock the network and keep any stolen data out of the public domain – is the principal security scourge of the digital age. But attackers tend to focus on commercial organisations likely to pay quietly for the problem to go away.
The disruption to UK healthcare in 2017 turned out to be the result of a botched attempt by North Korea to steal money from banks that accidentally infected organisations in more than 100 countries. Some ransomware groups claim to avoid healthcare targets altogether, though a number of American and European privately-owned hospitals have been hit.
What is without precedent until last week’s events in Ireland is the targeted extortion of an entire national healthcare system. It is hard to think of a more horribly disruptive or more dangerous cyber incident. One of the few that comes close is equally recent: the hack earlier this month of a company in the United States called Colonial Pipelines. This caused severe fuel shortages and panic buying of petrol on the east coast.
For now the focus must be on the slow and painstaking efforts to recover. After that attention needs to focus, in Ireland and beyond, on how to combat the three reasons why ransomware racketeering is flourishing.
First, Russia, despite its protestations, provides a safe haven for most of the biggest ransomware operators. There is not much Ireland can do about this alone. However, the United States – without whom nothing of import happens in cyberspace – is now very aware of the problem because of the Colonial Pipelines incident. Irish diplomats should make Washington aware of all the details of the HSE hack to add urgency and evidence to President Biden’s focus on the problem.
There is some evidence ransomware gangs have overreached and are feeling pressure from elsewhere, possibly from the Russian government or from fellow criminals annoyed at the spotlight now being shone on their criminality. The so-called “Darkside” group behind the American pipeline hack is at least pretending to disband.
The provision of a decryption key to the HSE – without a ransom payment – might suggest the criminals know that targeting healthcare in the full glare of publicity was not smart business.
Weaknesses
Second, across western countries standards of cyber security are generally too low. Ransomware hacks are not normally terribly sophisticated – excitable talk of “zero day exploits”, to use the jargon, are almost certainly wide of the mark in the HSE case.
The dull, grim reality is that Ireland suffers from the same, systemic digital insecurities as most of the rest of the western world. The HSE intrusion was almost certainly the result of basic security flaws and weaknesses.
But something can be done here. The Irish Government should conduct a hard-headed review of lessons learned and then implement changes to regulation, public procurement, and cyber security requirements for businesses and public bodies to improve digital defences.
Finally, the biggest and most corrosive problem is that the business model of ransomware works spectacularly well for the criminals. Darkside, for example, is estimated to have made $90 million in just nine months. Unregulated cryptocurrency transactions evade money laundering regulations. Insurance models make paying criminals the easiest option. So time and time again, traumatised victims pay.
One can understand, if not condone, such decisions. But for those tempted to pay, there is a catch. Although ransomware gangs will normally provide the tools to unlock so that they can get paid next time, they do not always work well. The act of hacking systems damages those systems, and recovery takes time and money.
Ransom payment is not a flick switch to recovery. Colonial Pipelines paid $4.4 million for a decryption key that failed to bring the pipeline back and didn’t prompt the quick recovery of systems capability (Colonial still cannot invoice their customers).
In Ireland’s case, of course it’s harrowing to see sick people denied the care they need because of criminal hackers. But those thinking that Ireland’s Government should take the path of least resistance and just pay up would do well to look at the Colonial Pipelines episode. Moreover, the criminals have whatever data they’ve stolen forever, so paying them doesn’t remove the risk of leaks. The only thing paying the ransom guarantees is more ransomware attacks.
Opportunity
Indeed, Ireland’s unique misfortune presents an unlikely opportunity for Irish global leadership. What is desperately needed to begin to turn the tide against ransomware is breaking the cycle of payments. Someone needs to show that you can survive these attacks without paying. Can Ireland show the way? Conversely, if the government of a wealthy country decides to pay its way out of trouble, why on earth should a struggling business owner take a stand?
However, much he would have wished to avoid it, it has fallen to Taoiseach Micheál Martin to be the first head of government anywhere in the world publicly to face down cyber extortionists.
Should he continue to do so, however difficult the circumstances, he deserves the support of the Irish nation and everyone worldwide who cares about the online security of our societies.
Ciaran Martin is professor of Practice in the Management of Public Organisations at Oxford University’s Blavatnik School of Government. He was chief executive of the UK’s National Cyber Security Centre between 2016 and 2020.