‘If We Can’t Afford to Protect it, Then We Can’t Afford to Connect it’

The ransomware attack that shut down a number of hospitals in the United Kingdom (UK) on May 12 should serve as a wake-up call to defend critical infrastructure against cyberterrorism, according to an Atlantic Council analyst.

“I was never worried that ransomware was going to deliberately kill someone,” said Joshua Corman, director of the Atlantic Council’s Cyber Statecraft Initiative. Referring to hacking groups that identify as part of the Islamic State of Iraq and al-Sham (ISIS), he added, “I was worried about adversaries like Cyber Caliphate extremist groups who have the means, motive, and opportunity to take life.”

In a cyber security environment in which low-capability actors can access tools in the public domain to launch a widespread cyberattack, “there are no technical barriers to a sustained attack on any or all hospitals globally,” Corman said.

“What really should scare people is if an accident was able to take out forty-five or more UK hospitals this weekend,” Corman said, adding that a deliberate cyberattack on hospitals could have unthinkable consequences.

On May 12, nearly 200,000 computers in over 150 countries were infected by a ransomware virus that hobbled operations and demanded payment in return for the decryption of files. The virus was able to spread through systems which had not been updated with the most recent security measures. Computer systems and connected technologies in businesses, institutions, and hospitals were among those affected.

In the UK, forty-five hospitals were affected. With their computer systems infected by the malware, referred to as “WannaCry,” they were unable to treat urgent-care patients and mistakenly redirected ambulances.

Those affected by the ransomware “got very lucky,” since the virus was quickly shut down thanks to a malware researcher; however, “people are still vulnerable to this attack,” said Corman. He claimed a second wave, by a more malevolent actor, is imminent. “We’re essentially in a footrace between the defenders successfully applying these patches and taking corrective action, and the adversaries coming out with a more robust second form,” he added.

All stakeholders in the cybersecurity of critical infrastructure must take immediate action to bolster their digital defenses, Corman said. “All systems fail and all software has flaws,” he said. “We will not prevent future failure, but we can be more prepared for those failures.”

“Healthcare cyber security is in critical condition. If this [attack] is not a wake-up call and a warning shot I don’t know what is,” he added.

Joshua Corman spoke with the New Atlanticist’s Rachel Ansley. Here are excerpts from our interview.

Q: Was last week’s global cyberattack preventable?

Corman: It’s hard to say because no attack is entirely preventable, but this is one of the ones we should have done a better job with. In this particular case, the vulnerability of Microsoft was both known and had patches available for quite some time. What this [attack] really exposed though is knowing that something is vulnerable and fixable does not necessarily give you resources in some of these industries to be prompt and agile in applying those fixes. So, technically it was very preventable.

Q: Is there a threat of a second wave?

Corman: Yes. The general belief is that these flaws are so pervasive and this particular attack shows significant residual exposure. People are still vulnerable. We got lucky in that whoever wrote this attack didn’t do a very good job, but we know there are already people writing more robust versions of the same attack that don’t share those weaknesses. We’re essentially in a footrace between the defenders successfully applying these patches and taking corrective action, and the adversaries coming out with a more robust second form.

Q: What can be done to prevent further attacks?

Corman: We will always have vulnerabilities; all software has flaws. If a patch is available and a vulnerability is known, that has to trigger a very tight feedback loop to apply those fixes. What we’re seeing here is that even though we had plenty of heads-up on this one, target-rich, resource-poor organizations like hospitals need to invest more in securing their exposure to an adversary. What we’re seeing time and time again is that vulnerabilities can affect patient care. As for this last attack, the most recent count I saw was that forty-five facilities had degraded or cancelled patient care, which, if no one died, it will be a miracle. People die in urgent care facilities all the time, but the question is: was that exacerbated by electronic outages? Healthcare cyber security is in critical condition. If this is not a wake-up call and a warning shot I don’t know what is.

Q: Why are the vulnerabilities in connected medical devices left unattended if the stakes are so high?

Corman: Essentially hospitals are comprised of doctors and nurses and medical professionals. The overwhelming thrust of the budget has been driven by traditional biology. The problem is, when no one was paying attention, software and information technology [became] as important if not a more important part of modern healthcare delivery, and we have not culturally balanced the care required. We’ve been very lucky to date, but as we become more connected and more dependent, we’re now seeing that we have exposed ourselves to adversaries. That is the promise and peril of connected medicine. We adopt these things for their promise, but if we’re cavalier about the exposure and cyber security risks, a single attack may force hospitals to retreat to less sophisticated, less effective, but less [threatening] techniques.

Q: What is the role for governments in adopting and enforcing cybersecurity measures?

Corman: Any industry that has the ability to affect public safety tends to see some sort of government or private sector regulation. [The government] tends to cry resources in that the United States has one of the most expensive health delivery systems in the world. That is an incomplete truth, but [while] I understand we think we can’t afford more security, we have to look at this in its totality. If we can’t afford to protect it, then we can’t afford to connect it. If it’s just too costly to secure certain connected technologies, then perhaps it’s not responsible for us to connect everything to everything else. The role of government needs to be to drive these evolutions before we have catastrophic failures and lose the trust of the public.

Q: Is there any way to mitigate the threat future attacks pose to civilians?

Corman: All systems fail and all software has flaws. We will not prevent future failure, but we can be more prepared for those failures. If you take it as a given that all systems fail, there are five ready postures you need to have. Number one, you should tell your customers everything you do to avoid failure. Number two, you should tell allies you’ll take help avoiding failure. Number three, you should have ways to capture, study, and learn from failure. Number four, you should have a prompt and agile response to failure. And number five, you should have a way to contain and isolate failure.

Our dependence on connected technology has grown much faster than our ability to secure it, and if we want to enjoy the benefits of that connected technology, we have to be prepared for failure.

Q: Will this attack be the necessary impetus to begin security reforms?

Corman: It is my hope that this massive attack is an inflection point that will bring people to the table sooner and add a sense of urgency to things we know we need to do. My sense is that it’ll have to get a little bit worse before it’ll get a lot better, but there are more people engaged now. We should look at this as: we got very lucky and we should be very aggressive in preparing for when the next wave comes. I don’t think we have the luxury of waiting.

Q: Are there any further concerns that this attack has brought to light?

Corman: When we talk about the risks here, I was never worried that ransomware was going to deliberately kill someone. Most organized criminals are smart enough not to do that. I was more worried about accidents, like we saw this weekend, when it wasn’t on purpose, but it still had an effect on patients. More importantly, I was worried about adversaries like Cyber Caliphate extremist groups who have the means, motive, and opportunity to take life. What really should scare people is if an accident was able to take out forty-five or more UK hospitals this weekend, what could [a deliberate attack] do? There are no technical barriers to a sustained attack on any or all hospitals globally.

Rachel Ansley is an editorial assistant at the Atlantic Council. 


Image: White House Homeland Security Advisor Tom Bossert speaks to reporters about the global WannaCry "ransomware" cyber attack, prior to the daily briefing at the White House in Washington, DC, May 15, 2017. (REUTERS/Jonathan Ernst)