The WannaCry ransomware attack that started on 12 May 2017 is the biggest single incident that the new UK National Cyber Security Centre (NCSC) has faced.
Although the global ransomware attack that heavily affected the NHS was unwelcome, it has provided an opportunity to test systems and raise awareness on key issues, according to Alex Dewdney, director for engagement and advice at the National Cyber Security Centre (NCSC).
“If you wanted to mount a national communications programme to make people sit up and take notice, you couldn’t have designed one better than this,” he told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London.
“I never thought I would hear so many ministers using the word ‘patch’, which has now become part of everyday conversation, so we need to take that opportunity and to build on that.”
Dewdney emphasised that the NHS was not targeted specifically, although NHS networks were affected significantly in the UK. Other UK organisations were affected, but the diversity of victim organisations was much greater in other countries around the world, including Russia.
Although the spread of the ransomware has slowed, it initially spread very quickly by exploiting a specific vulnerability in Microsoft's Server Message Block (SMB) file-sharing protocol to propagate within and between networks.
“In March 2017, Microsoft issued a patch for supported operating systems, and following the attack they issued emergency patches for unsupported operating systems as well,” said Dewdney, noting that while these patches prevent the spread of the infection, they do not help organisations to get back encrypted data.
Dewdney confirmed that the attackers behind the ransomware are still unknown, but he said the level of sophistication is well within the reach of “criminal entities”, requiring the NCSC to work at an extremely high tempo. “It is easily the biggest and most complex cyber incident the NCSC has had to manage so far,” he said.
In response to the attacks, the NCSC’s incident management function was called into action. The initial focus was on understanding the technical characteristics of the attack, how it was spreading, and who the victims were.
The incident management team was also working to establish who was behind the attack and what the initial attack vector was, but these questions remain unanswered to a high level of confidence five days after the attack.
The NCSC also started looking at ways to protect victims and potential victims in terms of publishing advice on how to immunise against the ransomware and contain its spread, as well as what to do if already a victim. The NCSC was also working directly with some victim organisations to help put guidance into practice and help remediate.
The incident underlined the importance of partnerships for the NCSC, said Dewdney, including partnerships that were formed to scale the response and make inroads into this problem in a way that the NCSC could not have done on its own.
“We are still working very closely with the National Crime Agency (NCA), which has staff embedded in our teams. The NCA was able to deploy on the ground with victims at scale. They are also a vital source of information and forensic data, as well as analytic and investigative effort,” he said.
The NCSC is also still working with NHS Digital and CareCERT. “The size and complexity of the health sector meant that we needed that central docking point to work with, and they did a fantastic job under very difficult circumstances,” said Dewdney.
The role of the NCSC’s industry partners was also absolutely critical, he said. “I cannot emphasise enough how grateful we are for the extent to which our partners in the cyber security industry really leaned in to help and pool the information they were gathering.”
According to Dewdney, the Cisp cyber information sharing platform “really came into its own”, both as a platform for sharing information and for discussion. “We need to build on that as a really key way of getting stakeholders to have live discussions about this kind of problem,” he said.
There was an international aspect too, said Dewdney, including the information that was provided to the international computer emergency response network and collaboration with the US.
At the same time, he said it was a truly national response, with the NCSC quickly establishing contact with authorities in Northern Ireland, Wales and Scotland.
Dewdney also highlighted the importance and the challenges of the media. “I think we did pretty well at pace in briefing senior politicians to speak, preparing ourselves directly in broadcast media, and using our web presence and social media to get the right messages across at the right time.
“LinkedIn proved to be a really important and useful platform, but we didn’t really engage in that, and that is an important lesson for us,” he said.
Overall, Dewdney said the NCSC bringing various organisations together under one roof also really proved its worth.
“There was a lot of consistency in what government was saying – officials, ministers and across our platforms. We achieved a greater consistency and therefore a greater sense of authoritativeness in what we were saying than we would have achieved before the NCSC was set up. We were able to get the messages out quite quickly and provide the assurance that patients’ confidential data had not been stolen,” he said.
However, he admitted that producing specific, usable and helpful guidance was a challenge. “How do you get messages across that are sufficiently technically detailed to be of practical use, but also easy to understand and follow?”
The NCSC decided therefore to publish a set of guidance for enterprises and another set for small to medium-sized enterprises (SMEs) and consumers, which is continually being refined and updated in response to feedback from those communities.
“We are really in the market for feedback around how we are getting those messages across and how they can be improved and made more useful,” said Dewdney.
One of the key lessons learned, he said, was about the power as well as the limitation of advice and guidance.
Dewdney said people are continually told to patch and update the systems, “but the fact is that people don’t always do it, so what we have got to realise as cyber security practitioners is that advice and even instruction is much easier to give than it is to follow”.
“We have to recognise that in the real world competing pressures and hard choices can easily get in the way. So we will continue with those exhortations, but as we mobilise campaigns to really make this happen across government, business, critical infrastructure and for consumers, we need to find the right mix of the ‘stick’ on the one hand and help to overcome those hurdles on the other,” said Dewdney.