Last week we learned that the Health and Safety Executive (HSE) in Ireland were subject to a ransomware cyber attack which locked them out of vital records and disrupted their operations. And so this past weekend, I spent most of my time answering various questions from various journalists about it.
Usually when this happens, my answers are instructive. But by the end of this past weekend, it had become abundantly clear that I was in fact being asked the wrong questions all along – both in substance and approach.
So now, I’m going to share these questions with you, in the hope that explaining exactly why they are wrong might prove helpful in how we all approach and question cyber attacks going forward.
Question 1: What do we know about the HSE cyberattack?
Absolutely nothing. In the early days of an attack, even the people with access to the systems struggle for answers. This is exactly why these kinds of ransomware attacks work. The people closest to the action don’t know and they know the most. They can’t answer. They’re too busy!
Useful insight about a cyber attack is rarely delivered fast. Instead, it takes experts days of investigation and analysis to be able to make a sensible determination. So, always exercise caution when reading detailed insight in the immediate aftermath of a cyber attack, and know that this question isn’t going to get you far to begin with.
Question 2: What sort of ransom demand would HSE be looking at?
There’s no doubt that HSE will have received a demand, and they will have an exact figure. But it’s absent from their public statement, so it’s not possible for anyone to say how much it is with any degree of accuracy. All that we can say is that ransom demands scale.
If we compare to recent attacks in this field, we know that Colonial Pipeline paid out nearly US$5 million when they were hit, while the Metropolitan Police Department in Washington, D.C. was asked for US$4 million (a demand they refused).
So, from this, we can put HSE’s figure in the region of US$5 million. This is in line with recent demands and so is not wildly speculative.
Regardless of this, I read unsupported figures in the press which put the demand as high as US$30 million, which would make the HSE demand the most expensive in ransom history!
What’s wrong with digging for clues about how much targeted organisations are paying out? Well, the figure above wasn’t quoted because it is based on any real insight. Instead, it was used because it makes your eyes pop and your head swivel: it’s sensational.
Personally, I’m not a fan of fear, uncertainty and doubt (FUD) and it’s deeply cynical of vendors to try to capitalise on the pain of the victims by presenting baseless figures.
Question 3: Was it a sophisticated attack?
This is actually a good question, because it shows that we are seeing an evolution in the understanding of cyber threats.
For a long time, firms have escaped censure when cyber attacks happen because they were attributed to nation-state actors (a government-sponsored group which targets other governments to steal, damage or change information). But this completely overlooks the fact that a child of 12 could have instigated the same attack and, worse, allows the organisation to pass off the attack as unavoidable.
So back to the question. While this is a good one, it’s not the right one, because it suggests that sophisticated actors launch sophisticated attacks. But this doesn’t always follow. Whether the malware was sophisticated or crude, the question should be: what was the angle of entry?
And spoiler alert: in the case of HSE, I don’t know.
What I do know is that the Intelligence Community on both sides of the Atlantic have long warned about Business Email Compromise (BEC). This is also referred to as phishing, CEO Fraud, Friday Afternoon Fraud, Invoice Fraud and so on. It’s essentially when an attacker poses as a member of your organisation, using your domain to get you to approve a fake invoice or click a malicious link. I also know that email is the starting point for 96% of these targeted cyber attacks and 90% of ransomware attacks. Let that sink in.
So instead of asking whether it was sophisticated, the questions we should be asking are:
- was this attack reasonably foreseeable?
- was this attack avoidable?
The answer to the first question is yes, it was reasonably foreseeable. Ransomware is well known, understood and on the rise. It’s now even possible to hire ransomware tools, Ransomware as a Service (RaaS), meaning that even the least sophisticated bad actor can launch such an attack.
As for the second question, the answer is that it depends: first, and to a large extent, on the angle of entry (i.e. did it come via email), and second, on whether the HSE had taken steps to manage well-known email vulnerabilities with global standard protocols.
Question 4: Could the information security team have done more?
I don’t know. Maybe, maybe not. But again it’s not the right question. Cyber threats and cyber risk are corporate matters and are the responsibility of the entire board, the whole of the management team, the information security team and their lawyers.
While the role of HSE as a non-profit is not wealth generation, directors exercising reasonable care, skill and diligence should consider value preservation as a strategic imperative. As part of their governance, risk and compliance framework, they should be considering cyber governance and cyber risk at the top of their agenda.
Risk appetite and the budgets needed to process global standards to combat known cyber threats are all set at C-suite level. So it’s neither fair nor accurate to look solely to the information security team, who are usually under-financed and under-resourced when these attacks happen.
Questions should be directed towards the board. For example, what is the entity’s risk appetite? Are they considering cyber threats and risk at board level? If not, why not? Are they investing in solutions that will materially improve their cybersecurity posture? If not, why not?
Question 5: Are the HSE and other state agencies now vulnerable going forward?
100% yes. If you’re connected, you’re vulnerable, and there’s risk inherent in everything. But that’s not to say that things can’t be managed better.
Ireland is a small country, and it would be straightforward to implement global standard solutions to known significant cyber threats.
While people are worried about ‘emerging threats’ or sophisticated attacks, it’s the known significant threats that are being left unaddressed. That’s the biggest problem. The good news is that for the most significant cyber threats, there’s a fix.
Question 6: What must be done to ensure this doesn’t happen again?
The harsh fact is that we can’t ensure anything of the kind. But let’s compare cyber and email security to road safety. We’ve had cars on the roads for decades and, whether because of a mechanical failure or driver error (reckless or accidental), we continue to see fatalities from road traffic collisions (RTC).
While we cannot ensure RTCs don’t happen again, we can mitigate the risks through a multi-layered approach. By adopting various sensible safety measures, it has been possible to reduce the number and severity of RTCs.
How we made the car safer: three-point safety belts, airbags and collapsible steering columns.
How we made the roads safer: introduction of legislation to compel road users to wear their safety belts (front and back), criminalising drink-driving and reckless driving.
So what can we take from this? We can’t ensure that this never happens again, but governments can put in the right measures in their businesses and network supply chain to mitigate risk.
So what do I really think?
I think that Ireland’s commitment to not paying the ransom demand is an excellent decision. It gives me confidence that we have the right leadership in place. But with a sense of urgency, the government must make our digital space safer now by compelling firms to implement global standard protocols, like DMARC, without exception.
Provided the Irish government does this, it can materially reduce the risks for the future, protecting the economy and livelihoods. It will also set a golden example for other authorities in the same position.