May, 2017: The WannaCry ransomware spreading around the world last year hit the National Health Service in Britain hard, disrupting more than a third of the trusts, the operating units of the NHS, forcing cancellation of almost 20,000 hospital appointments and operations, and the closure of five emergency departments.
It was a precursor of things to come just a short time later with NotPetya – and should be taken as a sign of a major shift in the threat landscape. Consider that WannaCry is believed to have been a false-flag attack perpetrated by North Korean actors (similar to NotPetya which has been linked to Russia) and we have a blueprint for the types of disruption that may come to critical infrastructure in the near future.
Also, keeping in mind that criminal actors have taken note and perpetrated disruptive, copy-cat style attacks (see Atlanta), we should be very alarmed.
The attack was relatively unsophisticated but like so many security operations around the world, the NHS wasn’t fully prepared; as investigators later found, the trusts didn’t apply the Windows 7 patches directed by the UK Department of Health which could have prevented the detrimental impact. The Department of Health had no mechanism to follow up on its compliance directives and no concrete plans in place to respond to a cyber attack.
One year on, “plans to implement the lessons learned are still to be agreed”, said Meg Hillier, Chair of the UK Parliament’s Public Accounts Committee. The reason: “The Department still does not know what financial impact the WannaCry cyber-attack had on the NHS, which is hindering its ability to target its investment in cyber security,” her committee reported.
“This case serves as a warning to the whole of Government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack,” Hillier added.
It’s a warning to cybersecurity defenders everywhere: No visibility into the financial impact of potential cyber events means no support from decision makers – which means no investment in cyber defense, even in the face of a clear and present danger.
How is this situation even possible? The NHS can’t lack for financial data to build out risk models; the hospital system sees 1 million patients every 36 hours. We’re guessing that it has a pretty good handle on the cost and likelihood of patient treatment.
But, if the NHS is like many organizations, it treats cyber risk as a special snowflake that’s somehow different from the other risks the enterprise manages. This is because, for far too long, cybersecurity experts have believed that quantifying cyber risk in business terms is impossible. They’ve settled on qualitative models for cyber risk which do nothing to communicate the potential severity of an attack (in dollars, cents or BPS) and thus do nothing to help the enterprise understand why investments are needed.
The FAIR model that powers the RiskLens application is based on another premise – that any organization (especially one like the NHS) has plenty of available data to build out risk models based on calibrated estimates that will show decision-makers a range of possibilities of likely outcomes for risk. Those can be measured against the cost and effectiveness of controls and compared to the risk appetite of the organization. No special snowflakes allowed.
The Public Accounts Committee gave notice to the NHS to update it by the end of June on “the financial implications of WannaCry and future attacks across the NHS”. That’s not a lot of time so we’d suggest the NHS start here: The FAIR Model Explained in 90 Seconds. And we’d suggest that all organizations get moving down this pathway – as Boards, the C-suite and regulators such as the US SEC are now mandating this level of visibility.
Putting those pressures aside – it is simply the right thing to do. Aligning cyber risk to the language of business has proven itself to be a mechanism for real change and better cybersecurity across all industry verticals and among some of the biggest brands in the Fortune 1,000 – you can follow their lead to better cybersecurity outcomes.