In common with most of the people I know in the IT security sector in Ireland, I've been doing a lot of exasperated eye-rolling while reading through the known details of the HSE hack, and the unacceptably mediocre state of Irish national cybersecurity practice it exposes.
Nothing has happened here that is any more 'sophisticated' than what has been perpetrated for decades
Beware any effort to deflect attention from this point by suggestions that this particular attack was unusually adept, or hard to anticipate, or that such attacks usually target huge organisations with the cash to invest in highly specialised security that can block such assaults. All not true.
I’ve spent much of my working life attending IT security events. That’s about 25 years of listening to experts from all over the world. And I am here to tell you that nothing has happened here that is any more “sophisticated” than what has been perpetrated for decades by motivated, skilled hackers using various clever hacking tools. Only the technology and specific techniques change.
The general security rules remain: organisations need adequate IT defences, perhaps especially, staff security training. Most ransomware attacks originate in human mistakes – an employee who clicks an innocent-looking malicious link, letting attackers into a system – not elaborate external assaults.
And, no, those younger "digital native" employees aren't less likely to make this error. A survey of 3,500 working adults by security company Proofpoint found that over-55s were considerably more likely to follow better security practices, and to actually know what ransomware and phishing attacks are, than 18-38 year olds.
Changing landscape
Organisations also need up-to-date systems and technology that can meet the demands of the workplace. And, at a national level, governments need to be acutely aware of the changing landscape of cyberthreats and have a properly funded, coordinated, expertly-led national cyberdefence strategy.
Ours, the National Cyber Security Centre (NCSC), is small. It's underfunded – at €5 million annually – even if that is a tripling of its tiny budget on last year (but then again, merely a quarter of the ransom reportedly demanded by the attackers for this one hack).
Over the past decade, the total non-salary expenditure for the NCSC has been just €14 million, in a state housing the operations of many of the world’s largest IT companies.
By comparison, in May 2018, Denmark, with a population of a similar size to Ireland, announced a 1.5 billion kroner (€207 million) investment in its cybersecurity infrastructure and programmes for 2018-2021, as part of its national cybersecurity strategy.
Government positions often struggle to match the pay for a comparable job in the private sector
The NCSC is also rudderless: it has not had anyone formally running the agency for a year. Little surprise the top job has been hard to fill when, according to the Government, the salary was advertised at between €106,000 and €127,000. That’s around the base pay of the average IT security manager in the US at an average-sized company, and a good deal less than the average salary of any employee in a big tech firm.
While government positions often struggle to match the pay for a comparable job in the private sector, coordinating national cybersecurity is a critically important role, not least as breaches put at risk our personal data, stored and managed across various State departments and agencies. (Don’t even get me started on the possible risks of a proposed single health identification number for everyone, much less our old friend, the Public Services Card with its biometric picture, personal signature and PPS.)
Attack likely
A ransomware cyberattack of this sort, aimed right at the heart of Irish health services, has been increasingly likely ever since the pandemic began, when such healthcare attacks began to grow worldwide.
The FBI issued a national US alert last autumn concerning attacks specifically on healthcare organisations. Security companies also have been warning of a major leap since the start of this year in, yes, ransomware attacks against healthcare organisations.
A new report by security firm Check Point Technologies noted a doubling of such attacks in the first half of this year compared to the same period in 2020, with healthcare the most targeted sector since the start of April. In April, global healthcare organisations were hit by an average of 100 ransomware attacks weekly, nearly double the number of the next worst-hit industry, utilities (oh, hello, Colonial Pipeline).
Ransomware gangs tend to dump the data gathered in successful attacks – such as people’s credit card numbers, contact details, national ID numbers, photos, health records, and insurance information – onto the dark web. The Government here has said it fears the same will happen with Irish records.
Organisations like the HSE have obligations under the General Data Protection Regulation (GDPR) to adequately protect personal data – especially health data, considered particularly sensitive under GDPR – against attacks and breaches. It could face a potential maximum €1 million fine for the inadequate data protection revealed by this breach.
Meanwhile, the costs the HSE faces just to get its broken systems, services and computers back up and running – estimated at "tens of millions" by HSE executive Paul Reid this week – make that full-year budget for the NCSC look very, very small indeed.