Public sector not reporting multiple cyber attacks

By Tony Collins

Successful cyber attacks on parts of the NHS and some councils and universities have not been reported to the police – even where criminals have locked information and demanded ransom payments, an investigation by The Yorkshire Post found.

The National Crime Agency, which is the UK’s lead agency against organised crime, human, weapon and drug trafficking and cyber crime, has said that “under-reporting of cyber crime remains a key barrier to our understanding of its true scale and cost”.

Its comments were aimed at directors in the private sector. But it’s clear that the public sector is not setting an example.

The Yorkshire Post says that the Mid Yorkshire Hospitals NHS Trust had two ransomware attacks last year in which data was encrypted on some departmental drives with demands for payment made to unlock it. While no payment was made and the information was recovered from back-up systems, neither incident was reported to police.

Barnsley Council had 13 successful ransomware attacks since April 2016 and none was reported to the police. No ransoms were paid, data was restored from back-up systems and accounts were disabled and changed to “render any captured credentials of little use”.

Three of Yorkshire’s universities had almost 300 successful attacks in the last three years. None was reported to police.

The University of York had 237 incidents which included nine distributed denial of service attacks and a further seven incidents in which servers were “compromised” by hackers.

A spokesman for the university said: “We did not consider that any incident caused sufficient loss, either monetary or of data, to justify reporting to the police.”

The University of Huddersfield had 54 successful attempts and nothing was reported to the police “due to low level impact”.

Ensuring the buck stops nowhere?

In a National Audit Office blog, the NAO’s cyber director Tom McDonald and digital transformation specialists Yvonne Gallagher (who’s a former CIO in two government departments) and Max Tse pointed to a lack of accountability in the public sector for deterring cyber attacks and managing the risks.

In health, for example, the Department of Health delegates to NHS England, which funds over 200 local clinical commissioning groups to purchase care from local health trusts.

Social care is the responsibility of the larger local authorities who are accountable to their local electors.

NHS Digital has some overview of data and IT systems for the health and social care sectors (through its management of national NHS IT systems, such as the NHS Spine or N3 Network) and it has a dedicated Data Security Centre, but it has no authority over councils and trusts to ensure even simple security measures are implemented locally, such as software updates and patches.

The National Audit Office found that, across government, “there has been little coherence between the several lines of governance and senior oversight of cyber and information security”.

It added,

“A number of organisations and a plethora of working-level groups have been involved in cyber security and supporting digital transformation across government. The government itself has described these arrangements as an ‘alphabet soup’.”

There’s also a shortage of IT security skills in the public sector, which is exacerbated by the high number of so-called “transformation” projects and programmes and a reliance on legacy systems such as Windows XP which proved vulnerable in the WannaCry attack, said the National Audit Office.

Comment

The government could make it mandatory for Whitehall, councils, the NHS and other parts of the public sector – including the police – to report incidents to the National Crime Agency.

It’s unlikely to happen though.

There’s a woeful lack of reporting and accountability in the public sector on IT-related matters. WannaCry and hundreds of other “successful” incidents in the public sector in the past year will not make any difference.

That the public sector will work to reduce the ill effects of cyber attacks is a given. It’s also inevitable that it’ll work hard at ensuring, in line with culture and convention, that, when there are “successful” incidents, the buck stops nowhere.

Thank you to Zara Pradyer for alerting me to the Yorkshire Post article.
