In the second instalment of a regular Gazette feature, Peter Wright cites the NHS and Royal Navy in arguing that your old IT system might not be as safe as you think

The National Health Service was brought to its knees in May 2017 when its IT systems were hit by the WannaCry ransomware attack.

Ransomware is a particularly aggressive type of malware. It can arrive through a click on a malicious link or attachment, through a phone or tablet being plugged into a desktop or laptop over USB, or, as WannaCry showed, with no user action at all, spreading by itself from one unpatched machine to the next across a network. Malware in its more benign forms slows a PC down, making programs and web pages take an eternity to load, while adverts promise a mystical product that will instantly restore its performance. Ransomware such as WannaCry, or the Solicitors from Hell ransomware attack a few years ago, instead encrypts files or locks users out of their systems and threatens to make the contents permanently unrecoverable if the ‘ransom’ is not paid within an often short deadline.

The public sector is a regular victim of ransomware attacks. Local authorities and universities have paid thousands of pounds to retrieve valuable data, often relating to tens of thousands of individuals, and paying brings no guarantee that the data comes back. The WannaCry attack showed that the NHS as a whole was particularly vulnerable to this kind of attack.

WannaCry spread around the world in a matter of hours because it needed nobody to click on anything: it scanned for other vulnerable Windows machines and infected them directly. Even large companies such as the global car manufacturer Renault, which halted production at several of its plants, were affected, and the damage to its systems was sufficient to impede the Renault F1 team. Its engine management software was compromised, reducing the performance of the equipment and condemning both drivers to poor starting positions at that weekend’s Spanish grand prix. In an organisation with such vast resources, and a large number of highly skilled executives and engineers, Renault’s security was found wanting. Since the attack the company has worked closely with a sponsor that provides cybersecurity services to strengthen its defences. That sponsor’s decals had been on Renault’s cars for several seasons, and everyone presumed the team’s systems were safe and secure, until they were so badly compromised.

Organisations around the world were affected by WannaCry, which subsequent investigations have suggested originated from state-sponsored sources in North Korea. Yet it was the NHS that made the headlines as operations were delayed and patients suffered. One reason is that IT provision across the NHS is patchy at best, following the collapse of the National Programme for IT, the centralised NHS IT system that was dismantled in 2011 after years of delays.

As budgets have been stretched, IT systems have aged while being required to store and process ever larger and more complex sets of patient data. Many machines were still running Windows XP. For over a decade it had a reputation as a stable, efficient system, but Microsoft ended support for it in April 2014, and an unsupported system receives no security patches. The flaw WannaCry exploited was in the SMBv1 file-sharing service. Microsoft had fixed it for supported versions of Windows in March 2017 (bulletin MS17-010), two months before the outbreak, but XP received nothing until Microsoft issued an emergency patch once the attack was under way. Unsupported machines were therefore exposed by design, and any supported machine that had not yet applied the March update was exposed alongside them.

The NHS is not the only organisation vulnerable to exploitation caused by obsolete equipment.

The Royal Navy’s new £3.2bn aircraft carrier HMS Queen Elizabeth spent 20 years moving from the drawing board to the water, finally steaming down the Firth of Forth on 26 June. This long gestation period has consequences. Much of the IT infrastructure was built to a high specification for the 2000s but now looks rather creaky after repeated delays. Reporters allowed on to the new carrier were surprised to note PCs around the vessel running the aforementioned Windows XP. The system may be ‘air-gapped’ to an extent, and the Royal Navy has referred to ‘NASA’ levels of security around the ship’s various systems. However, a USB socket carries data as well as power, so all it could take is an unwitting rating who decides to charge their Android phone from one, and who knows what maladies could inadvertently find their way on to critical attack and defence systems?

It is hoped that staff would know not to carry out such activity and expose the system to these risks. But I have heard from cybersecurity experts of tests on complex systems from aircraft flight decks to the control room of an oil tanker where a sweep of the system has identified malware lurking in the recesses of the network. It could be a fairly ‘vanilla’ breed, without the capability to do much harm to such a system, but that does not get around the fact that it got there, most likely from an Android phone being connected. If it got there, what would the risk be if a more aggressive type of malware had got in? What if it was sufficiently sophisticated to have been able to give an external third-party user control of the system? Could they find and exploit sensitive personal data? Would they have been able to compromise or shut down a system while at 30,000 feet?

Law firms are at risk because of the highly sensitive nature of the client records our systems hold. Firms are often the product of mergers and acquisitions of other firms and partners, leaving different offices on different IT systems, software, mobile devices and security settings. Within a large firm there may be a whole department that still operates as an almost separate entity because of a merger or partner acquisition five or 10 years ago. Reconciling those systems is expensive, so a new logo and letterhead are often designed and in place before anyone starts to consider a strategic IT and security plan across all office locations, jurisdictions and staff. Hence law firms can be at even greater risk than the NHS and the Royal Navy, but with rather fewer resources to use in their defence.

Ensuring that all operating systems, internet browsers and mobile devices are on current, supported platforms is a good place to start, but support alone is not enough: the security updates the vendor releases have to be applied promptly, because the flaw WannaCry used had a patch available two months before the outbreak. Also make sure that staff know they should not be plugging personal mobile devices into office USB ports to get a drop more juice before the evening commute home, and back that instruction up with a policy setting that blocks removable devices, since a rule staff are merely hoped to follow is not a control.
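As an added practitioner check, not code from this article or from any organisation it names, here is a PowerShell host audit that reports the points above for the machine it runs on: whether the Windows version is still supported, whether the MS17-010 fix is installed and SMBv1 still enabled, and whether USB mass storage is blocked. It assumes PowerShell 2.0 or later so that it can run on the XP and Windows 7 hosts the article worries about; the function names are my own, the end-of-support dates are Microsoft's published lifecycle dates, and the KB numbers are those listed in bulletin MS17-010 plus the May 2017 out-of-band update for XP, Server 2003 and Windows 8.

```powershell
# Added example (not from the Gazette article). PowerShell 2.0+ on purpose:
# Get-WmiObject and Get-HotFix exist on XP SP3 and Windows 7, where the
# newer CIM cmdlets do not.

# End of extended support, keyed by "<major.minor>-<client|server>"
# (Microsoft lifecycle dates). Windows 10 is per build and is left out.
$EndOfSupport = @{
    '5.1-client' = '2014-04-08'   # Windows XP
    '5.2-client' = '2014-04-08'   # Windows XP x64
    '5.2-server' = '2015-07-14'   # Windows Server 2003
    '6.0-client' = '2017-04-11'   # Windows Vista
    '6.0-server' = '2020-01-14'   # Windows Server 2008
    '6.1-client' = '2020-01-14'   # Windows 7
    '6.1-server' = '2020-01-14'   # Windows Server 2008 R2
    '6.2-client' = '2016-01-12'   # Windows 8 (RTM, superseded by 8.1)
    '6.2-server' = '2023-10-10'   # Windows Server 2012
    '6.3-client' = '2023-01-10'   # Windows 8.1
    '6.3-server' = '2023-10-10'   # Windows Server 2012 R2
}

# Fixes for the SMBv1 flaw WannaCry exploited (security-only and monthly rollup).
# Rollups on Windows 7/8.1 after October 2016 and all Windows 10 updates are
# cumulative, so a later rollup also carries the fix: "not found" on those
# systems means "verify with a scanner", not "vulnerable".
$Ms17010 = @{
    '5.1'  = @('KB4012598'); '5.2' = @('KB4012598'); '6.0' = @('KB4012598')
    '6.1'  = @('KB4012212', 'KB4012215')
    '6.2'  = @('KB4012598', 'KB4012214', 'KB4012217')
    '6.3'  = @('KB4012213', 'KB4012216')
    '10.0' = @('KB4012606', 'KB4013198', 'KB4013429')
}

function Get-OsSupportStatus {
    $os    = Get-WmiObject Win32_OperatingSystem
    $parts = $os.Version.Split('.')
    $mm    = $parts[0] + '.' + $parts[1]          # e.g. "5.1" for XP
    $kind  = if ($os.ProductType -eq 1) { 'client' } else { 'server' }
    $eol   = $EndOfSupport["$mm-$kind"]
    $status = if (-not $eol) { 'unknown: check the Microsoft lifecycle page for this build' }
              elseif ([datetime]$eol -lt (Get-Date)) { "UNSUPPORTED since $eol" }
              else { "supported until $eol" }
    New-Object PSObject -Property @{
        Caption = $os.Caption; Version = $os.Version; Kind = $kind
        MajorMinor = $mm; Support = $status
    }
}

function Get-Ms17010Status {
    param([string]$MajorMinor)
    $wanted = $Ms17010[$MajorMinor]
    if (-not $wanted) { return 'no KB mapping for this version' }
    $found = Get-HotFix | Where-Object { $wanted -contains $_.HotFixID } |
             ForEach-Object { $_.HotFixID }
    if ($found) { return "installed ($($found -join ', '))" }
    return "none of $($wanted -join ', ') found: verify with a vulnerability scanner"
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { return 'enabled' }
        return 'disabled'
    }
    # Older hosts: no SMB1 value in the registry means the default, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($val -eq $null) { return 'enabled (default, no SMB1 value set)' }
    if ($val -eq 0)     { return 'disabled' }
    return 'enabled'
}

function Get-UsbStoragePolicy {
    # USBSTOR Start=3 is the default (driver loads on demand); 4 disables it.
    # This covers USB mass-storage devices only. A phone charging in MTP mode
    # uses the Windows Portable Devices stack instead, so the Group Policy
    # "All Removable Storage classes: Deny all access" is what blocks it.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { return 'USB mass storage disabled (USBSTOR Start=4)' }
    return "USB mass storage allowed (USBSTOR Start=$start)"
}

function Invoke-LegacyHostAudit {
    $os = Get-OsSupportStatus
    New-Object PSObject -Property @{
        Host       = $env:COMPUTERNAME
        OS         = "$($os.Caption) ($($os.Version), $($os.Kind))"
        Support    = $os.Support
        MS17010    = Get-Ms17010Status -MajorMinor $os.MajorMinor
        SMBv1      = Get-Smb1State
        UsbStorage = Get-UsbStoragePolicy
    }
}

Invoke-LegacyHostAudit | Format-List
```

Run it from an elevated prompt on each host, or push it out through whatever remote-execution tool the firm already uses, and treat any line reading UNSUPPORTED, "none of ... found" or "enabled" as a ticket rather than a curiosity. The KB lookup is a quick triage, not proof: on a Windows 7 or later host that takes cumulative rollups, the authoritative answer comes from a vulnerability scanner that actually probes the SMB service.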

Peter Wright is chair of the Law Society’s Technology and Law Reference Group