By John McGregor, a translator and political violence researcher
Cyber attacks targeting private sector providers for essential public services result in additional waste of public resources. When public health care fails in cyber security, politicians are quick to blame staff on the ground. But when private companies become the weak link, state resources are spent on recovery and resilience to keep essential services running, effectively bailing out private providers and absolving them of this responsibility.
On 4 August, a number of UK National Health Service functions were knocked offline by a cyber attack on a private service provider, Advanced. The attack affected a wide range of services because Advanced are so deeply embedded in the systems that run the NHS. An email from the head of the Oxford Health NHS foundation to staff identified the various parts of the NHS under attack:
The cyber-attack targeted systems used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings, triage, out-of-hours care, emergency prescriptions and safety alerts. It also targeted the finance system used by the trust.
The attack was bad enough to force some NHS staff back to pen and paper. On 10 August, Advanced acknowledged that it was a victim of ransomware.
Adastra, one of the software products that was knocked offline in the attack, was initially developed in the 1990s. Its original developer, Adastra Software, was listed on the AIM in 2008 via a reverse takeover, becoming Advanced Computer Software Plc (and later simply Advanced). Advanced acquired a number of other businesses and progressively inserted itself into more and more of the British public health system. Aside from public services, Advanced also provides software and services to commercial ventures.
In 2015, Vista Equity Partners bought Advanced at a price of GBP 725m, and in 2019 Vista sold a 50% stake to BC Partners for GBP 2bn.
On 10 August, six days after the outage started, Advanced explained how it would be preparing for the NHS services to come back online:
With respect to the NHS, we are working with them and the NCSC to validate the additional steps we have taken, at which point the NHS will begin to bring its services back online.
The National Cyber Security Centre was founded in 2016 as part of GCHQ, the British signals intelligence and security organization, combining and replacing previous state cyber security bodies. It is at the center of British cybersecurity defense, and GCHQ explicitly advertises that:
During the Covid-19 pandemic, protecting the NHS and the health sector more widely has been the top priority for the NCSC.
This seems like an eminently sensible focus at a time when the NHS is facing austerity-driven crises on every front. It also aligns with the NCSC cyber attack categorization system introduced in 2018, which establishes the highest category as a ‘national cyber emergency’, defined as:
A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.
Obviously anything that forces NHS staff out of their computer systems and knocks out communications and data sharing fits this definition, and therefore warrants the highest level of response:
Immediate, rapid and coordinated cross-government response. Strategic leadership from Ministers / Cabinet Office (COBR), tactical cross-government coordination by NCSC, working closely with Law Enforcement.
That is, effectively, the most powerful crisis response team in the UK and a massive mobilization of state resources. Aside from the NCSC, the response to the hack on Advanced also included Ministers, with both UK health secretary Steve Barclay confirming he was being regularly briefed on the issue, and health secretary for Scotland Humza Yousaf reporting that Ministers were “continually being briefed”.
Balanced against the necessity of keeping the NHS running, this seems a sensible choice; the NHS must be able to function. Nonetheless, the dynamics are little different from those of a bailout, with the public funding a costly emergency response to risks taken by the private sector. The NCSC makes this dynamic abundantly clear, highlighting that NCSC assistance is always free.
As acknowledged in a 2019 House of Commons Committee of Public Accounts report on cyber security in the UK:
Since 2010 government has taken a central lead in ensuring that the UK effectively manages its exposure to cyber risks.
The possessive ‘its’ hides who is really exposed to these cyber security risks. In this instance, Advanced has catastrophically failed to manage its exposure to cyber risks as a business. Nonetheless, the ones suffering the negative consequences are the staff and patients of the public health service.
A New York lawyer, Erik Weinick, commenting on the Advanced hack, demonstrated the inseparability of public bodies from their private providers:
Know your vendors. Know their vendors. Communicate with all of them regularly. Train side by side for emergencies… Ultimately, you are part of the same ‘network’ and what impacts one, impacts the others. Check your agreements. Understand who is responsible for what both [during] an emergency and in trying to prevent one.
Somewhat ironically, the NCSC sent a bulletin to NHS trusts in March 2022 warning them to increase their online defenses “following Russia’s further violation of Ukraine’s territorial integrity”. Whatever NHS trusts did in response, they couldn’t control what was happening at Advanced, which eventually proved to be the weak link. Advanced provided its most recent update on 19 August, claiming it would start the process of bringing organizations using Adastra back online in the coming week.
This is not the first time that the NHS has suffered a damaging cyber attack: it was also a victim of the WannaCry ransomware in 2017. That attack similarly hampered services at NHS trusts and GP surgeries, resulting in cancelled appointments and operations, but in the WannaCry case it infected NHS computers directly. As such, the blame was pushed back onto NHS trusts and local bodies. The National Audit Office made sure to note in the key findings of its investigation that:
The Department and Cabinet Office wrote to trusts in 2014, saying it was essential they had “robust plans” to migrate away from old software, such as Windows XP by April 2015. In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry.
It also claimed that:
NHS Digital told us that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves.
As a result of these findings, the Care Quality Commission piloted unannounced cyber security inspections at NHS trusts (even as trusts were failing the announced ones).
When the Tories could keep the blame contained within NHS trusts and local organizations, it was not because of an over-worked labor force or resources decimated by years of austerity, it was because staff failed to implement the guidelines they were given. But when, despite extra internal checks and even fewer resources, it is not the NHS but an external private provider that becomes the weak underbelly for the public system, the British state is willing to pull out all the stops to defend big businesses.
This corporate safety net ensures that even when businesses fail catastrophically in their role within the public system, the state will step in to protect them. By doing so, it protects these businesses’ position within the system, and the public money this gives them access to, and thus defends the investments of private shareholders with further public resources.
That’s a reality check for what a Public Private Partnership is.
Privatizing the profits, collectivizing the costs.
There are, in effect, relatively simple solutions to corporate cyber-security. The first thing you need to ask yourself is “does a nurse’s station designed to enter and view data about existing patients need to be connected to the Internet?” The answer is obviously “no”. So who in the NHS needs computers that connect to the Internet? Quite a few obviously do: purchasing reviewing order fulfillment, doctors reviewing the latest treatments and quite a few others.
So the question becomes “can we separate the computers of people who need access to the Internet from the Internet itself?” And the answer is yes. There are a number of technologies designed to do just that: Microsoft’s Remote Display Protocol, Citrix’s products, and many others. These technologies sit on a server and run the actual application (a browser in this case) and project the interface to the user. So you can have a set of browsers running on a highly controlled and maintained server where all of your downloads end up, and you can’t accidentally download a virus to the PC you are using. Then you simply put a firewall in place that doesn’t allow that server to connect to any internal machines to infect them with anything.
With minor quibbles (Microsoft’s RDP has its own security flaws), this structure solves most cyber-security issues. So why doesn’t everybody just do this? The answer is simply ignorant management, poorly qualified and educated IT staff, and end users who demand direct access to download whatever they want. Note that none of these issues are fixed by hiring an outside cyber-security vendor. But hiring an outside cyber-security vendor relieves management and IT from responsibility and accountability.
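As an added illustration of the segregated browsing-server design sketched in the comment above (not the commenter’s own material), here is an nftables host policy for such a server: staff thin clients may reach it over the remote-display port, it may browse the Internet, and it may never initiate connections into the internal network. All addresses and ranges are hypothetical.

```nftables
#!/usr/sbin/nft -f
# Host firewall for the isolated browsing server (example, not from the post).
# Assumptions (hypothetical): thin clients live in 10.10.0.0/16, the only
# permitted DNS resolver is 10.10.0.53, and 10/8, 172.16/12 and 192.168/16
# are the internal ranges that hold patient-facing systems. IPv6 is assumed
# to be disabled on this host; any IPv6 traffic simply hits the drop policy.
flush ruleset

define STAFF_LAN    = 10.10.0.0/16
define INTERNAL     = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
define DNS_RESOLVER = 10.10.0.53

table inet browse_host {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Only remote-display sessions (RDP, TCP 3389) from staff clients
        # may open a connection to this host.
        ip saddr $STAFF_LAN tcp dport 3389 ct state new accept
        # Anything else arriving here is logged for the SOC and dropped.
        log prefix "browse-host-in-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        # Name resolution goes to the designated resolver only. This rule
        # precedes the internal-range drop, so it is the one exception.
        ip daddr $DNS_RESOLVER udp dport 53 accept
        # The server never initiates connections into the internal network:
        # a compromised browser session cannot pivot to clinical systems.
        # A hit on this rule is itself a high-value detection signal.
        ip daddr $INTERNAL log prefix "browse-host-lateral: " drop
        # Web browsing to the Internet is the only job of this host.
        tcp dport { 80, 443 } ct state new accept
        log prefix "browse-host-out-drop: " drop
    }
}
```

The network rule is only half of the design: the remote-display session policy must also disable drive, clipboard and printer redirection, otherwise a download on the server can still be copied to the client PC through the session rather than over the network.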
I am not sure what to make of this post. Of course national services pass money to private interests via public-private ‘partnerships’. That is no surprise. The rationale used to justify public-private partnerships has proven its absurdity through many other examples over several decades at this juncture.
Concern about … national concern … about cyber security seems comical. I do not know the situation in Britain — my impression of the u.s. national stance on cyber security of public systems is that the u.s. government favors and helps create cyber risk and insecurity in public software. Several large government agencies with large — although largely occulted funding lines and levels — have worked tirelessly to promote and exploit cyber insecurities for their own occulted purposes. The government only becomes upset when the unauthorized make use of those same insecurities.
Remarking on some of the items in this post — “The Department and Cabinet Office wrote to trusts in 2014, saying it was essential they had “robust plans” to migrate away from old software, such as Windows XP by April 2015.” Windows? Windows XP? letters of concern? a government system … tied to the Internet … and loaded with oodles of sensitive private data? and one worry was whether all the patches had gone in for an old exploit “Wanna Cry”[May 2017]?
Cyber security is a concern — a national concern? a government agency concern? a concern of private Corporations? I believe this post provides yet another example of the true quality of that concern.
I say it’s time we got rid of the middleman 😎 kidding… but not kidding. I suppose the artifice keeps the proles hoping, though, apparently not the services running.
So no claw back provisions in contracts to cover failures or government expenses on behalf of the private providers?
If not, why not?
This is the model of the endless war game. The tax payer is paying the cost of corp. so they can stay in a platform that would collapse if not fed more $$$$$$$$$$$$$$$$$.
Thanks John McGregor really good stuff
Just swap the old rug for a new one, if the last one has too much dirt under it. The new rug will have Peter Thiel under it, who I hear is very good at cleaning up. And employing previous rug sweeper under-ers.
“Palantir: Trump-backer’s data firm that wants a big NHS deal
“Company co-founded by Silicon Valley’s Peter Thiel has been criticised for US defence and immigration contracts
…
“Speaking at London Tech Week last week, the health secretary, Sajid Javid, said: “This is the perfect moment to bring data together and reap the benefits.”
“The ambitious scope of the platform has alarmed campaign groups, who fear for patient confidentiality, privacy and data security, but the identity of the frontrunner has also caused concern.
….
https://www.theguardian.com/society/2022/jun/21/palantir-concerns-over-data-firm-poised-to-be-operating-system-of-nhs
“A second NHS official is set to join Palantir after it was reported that the US software company has emerged as a “front-runner” for a £360million contract.
“Harjeet Dhaliwal, deputy director of data services at NHS England and NHS Improvement will follow Indra Joshi, former NHSX director of AI.”
https://www.digitalhealth.net/2022/06/second-nhs-official-to-join-palantir-as-it-guns-for-360m-contract/
I never understand why we don’t get DoD Cyber to do such contracts. They already have backdoors. May as well admit them into the front door.