NHS IT is not healthy; a strong and stable response from government, society and the media is needed to build immunity.
The global WannaCrypt ransomware attack has pushed information security front and centre of the media and political agenda. Just four days after the initial outbreak on the 12th of May there were more than 200,000 victims in over 150 countries.
Theresa May was quick to point out that the problem was a global one. Yet the impact of WannaCrypt was felt particularly keenly in England and Scotland’s NHS. A major incident was declared, hospital and GP admissions were paralysed, and IT staff across the NHS were in crisis mode. Days later the largest NHS group, Barts, was still advising patients to use other parts of the health service where possible. The incident was dubbed “#NHScyberattack”, even if experts in the field could dispute all elements of that hashtag.
This matters for political media messaging because here was a technology story with very concrete, potentially life-and-death, consequences. The consistent problem that NGOs and technology activists have had is that issues such as data protection and surveillance simply don’t appear to impact the day-to-day reality of people’s lives. The concept of having all your web browsing tracked doesn’t feel like it changes anything to most people; they don’t believe they are about to be carted off to prison. This is why the big political parties don’t place tech-politics issues centre stage. Until now at least, there has been little to be gained from it in terms of voter sentiment.
The fact that the ransomware attack has taken place during a General Election campaign has inevitably politicised it. It might normally have been seen more as a management or IT issue. But finally it is becoming evident to the major parties that there is a need to be across such stories in media and policy terms.
As so often when something goes wrong, there has been a rush to assign blame. Different interests have interpreted the effects of the ransomware attack in a way that supports their own ideological and political narratives.
Blaming NHS Underfunding
The most obvious line was from Labour and the broad left which was to highlight the already existing theme of NHS underfunding and fragmentation of the service under the Conservatives.
Jeremy Corbyn put the incident in the context of pledging an extra £37 billion to the NHS, specifically mentioning £2 billion for infrastructure including IT.
The tendency on the left was to see the ransomware attack as a symptom of the Conservative attitude to the NHS and austerity in general, rather than an issue in its own right requiring a range of responses and competency. A typical take was Paul Mason tweeting:
We're upgrading Trident but can't afford to upgrade the NHS off Windows XP; thankfully this not a state vs state cyber attack, eh, Theresa?
— Paul Mason (@paulmasonnews) May 12, 2017
Blaming Public Bodies
Of course many pointed out that much of the impact should have been avoided by patching and updating of systems, essentially making it a management problem. This is rather to ignore why management problems arise in the first place, in particular not continuing the £5.5 million support deal for Windows XP in the NHS.
The Mail sought to weave this approach into its sceptical line on public services. The Sunday edition front page highlighted NHS failures to report “cyber attacks” to the police. This is not directly related, but the inference is obvious: that blame is to be placed with Trusts rather than the government or security agencies.
Blaming lack of Technical Expertise
Hannah Jane Parkinson made the point in the Guardian that “government needs to start taking tech seriously and investing in those who understand it”. She has a point: the list of politicians who seem to come a cropper when talking about technology is long.
Particularly concerning is that Home Secretary Amber Rudd is one of them, with her much derided quote about deploying the “necessary hashtags”.
Again, this disconnect is a function of technology policy being seen as peripheral, rather than a core competency like economics, health and education. This chimes with the long standing theme of digital rights groups, that the government is determined to push through legislation like the Digital Economy Act without properly taking on board the views of experts or listening to industry.
Blaming the NSA
Much has been made of the apparent source of the ransomware’s ability to compromise the IT platforms it did: exploits stolen from the NSA. Security agencies have insisted that they need “equipment interference” capabilities, and that they exercise them in a responsible manner. However, this incident has shown the inherent tension in the security services wanting to make systems vulnerable and protect them at the same time.
The most telling articulation of that point was in an unprecedented broadside from Microsoft’s Brad Smith: “…exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen”.
To a certain extent, this was a way of deflecting bad publicity from their brand and Microsoft’s own responsibility, but they have reopened doubts about the security agencies in a way that even Mr Snowden hasn’t been able to recently.
The point about the potential dangers of equipment interference and hoarding of vulnerabilities has been made repeatedly before, but it has never gained much broad political traction as it has appeared too theoretical and complex. That there is now a concrete example of why this matters utterly changes the dynamic and makes it much easier to communicate these potential dangers.
What this says about our security services’ role in protecting our vital infrastructure, especially from the exploits developed by our erstwhile allies, is also important here. Surely there are questions for GCHQ on what their role should have been and will be in future.
Strong But Unstable
The incident had a broader impact on the narrative of the 2017 General Election. The key theme for the Conservatives has been the mantra that they are “strong and stable”. This is to capitalise directly on the woes of the Labour party.
However, paralysed NHS infrastructure does not indicate stability; rather, it amplifies public anxiety. Amber Rudd did her best to try and close this avenue down on the Today programme, but it is hard to escape responsibility after 7 years of Conservative-led government. It was far from ideal for Michael Fallon to be having to fend off questions about the safety of MoD IT. The assertion that there is a specific “Windows For Warships” won’t help quell concern, as it sounds antiquated and a bit absurd.
Many on social media sought to directly couple the Tories to the sentiment about the crisis. The Conservatives were described on Twitter as “the party of Windows XP” – a message which now conveys out-of-date, technically incompetent and vulnerable. This is entirely unrelated to the incident in substance, but rings emotionally true given how events have unfolded.
The question is to what extent that will affect the demographics that the “strong and stable” message is aimed at. For many older voters, the idea of GPs using pen and paper more may well sound like a better option anyway.
Beyond Blame Messaging
Many voters are well used to interpreting blame messaging and its intent. It’s probably Jonathan Ashcroft who has got the response most right. He started from the point of condemning those most responsible – the people behind the actual attack. Then he set it in a broader context asking the most pertinent questions – what arrangements are in place for protecting infrastructure and what resources are being allocated to deal with the immediate major incident?
In the longer term there is plenty to learn from how this has unfolded and what politicians, NGOs and public bodies should consider next.
Reexamine how cyber-security spending is allocated
There is a clear disconnect between government cyber-security spending, the latest budget being £1.9 billion, and much needed practical measures, in this case supporting NHS infrastructure.
Have a major cyber-incident policy
Public bodies should have clear policies on how to deal with incidents such as ransomware, and politicians should be pressing for that to reassure the public. In particular a clear non-payment policy would be a strong message, even if it could not guarantee to deter all attacks.
Learn from this incident in designing new systems
It’s clear that health data is a hugely sensitive issue, and its use is coming under focus again with planned integration in health and social care. Programmes such as Greater Manchester’s GM Connect need to be robust, and figures like the Mayor need to be able to assure the public that they are robust.
Reopen the debate on equipment interference and vulnerabilities
The tension that has opened up on the dual role of the security services when it comes to system vulnerabilities needs further debate, and examining politically as well as technically.
Involve experts in policy making even when it’s inconvenient
Consultations on tech policy must be open and as broad as possible. Not all the opinion will be convenient when it comes to fending off pressure from the likes of the tabloid press. However, ignoring advice can now be seen to have a real cost.
NGOs and campaigners should focus on ‘real world impact’
Campaigners are often frustrated that their message isn’t gaining traction. It is tempting to fall back on blaming the media. What is clear is that people will pay attention when it is directly relevant to their lives.
Parties and public bodies must be prepared on digital issues
It is no longer possible to see digital issues as peripheral. They are woven throughout political life. Parties and public bodies must get the advice they need in developing policy and delivering messages.
Avoiding the avoidable
This was an avoidable incident. It didn’t need to happen and people didn’t need to suffer the impact; we have a responsibility to make sure that it doesn’t happen again. After all, the NHS isn’t the only major part of the UK’s core infrastructure that relies on IT.