Gavin E L Hall Blog - Insights into my Mind

June 2017

WannaCry: The Role of Government in Cyber-Intrusions

The WannaCry cyber-incident of May 12, which involved the British National Health Service (NHS), has received a good deal of coverage. Comments focused on whether the attack was preventable and if it presents increased vulnerability for public sector organizations, with substantive focus on the use of the outdated Windows XP. Such analysis does, however, gloss over an essential question: What do we want the role of the government to be and, indeed, what could it or what should it be?
The role of the government in cybersecurity has two essential debates. First, the dividing line between corporate — including the public sector — and government responsibility. Second, if some role for the government is accepted, then which branch of government should have primacy or be involved at all? The 2016 National Cyber Security Strategy attempts to delineate the responsibility of the individual, corporate and government.

The strategy established that the NHS and other public bodies had “the responsibility to safeguard the assets which they hold, maintain the services they provide, and incorporate the appropriate level of security into the products they sell.” In light of the WannaCry malware infestation, from the operational perspective, the failure lies within the NHS itself as opposed to the government. However, with the strategic level in mind, it remains within the purview of the government “to protect citizens and the economy from harm” and that the government “is ultimately responsible for assuring national resilience … and the maintenance of essential services and functions across the whole of government.”

In order to begin to think about the roles and responsibilities in UK cybersecurity, consider who holds the information regarding cyber-intrusions and malicious activity in the cyber-environment. The National Cyber Security Centre (NCSC), as part of  UK Government Communications Headquarters (GCHQ), is the central data coordination point for government oversight of cyber-activity.

In March 2015, however, the government emphasized the role of insurance companies in managing and mitigating risk in the cyber-environment. Indeed, the cyber-insurance market has been growing in recent years and is expected to grow significantly following the WannaCry incident. Insurance companies, therefore, have an increasing amount of information on the preparedness and vulnerabilities of UK networks. How much of this information should be shared with the NCSC?

The immediate response is all of it. Considering that the exploit used by WannaCry was “identified long ago” by the US National Security Agency (NSA), perhaps a government agency as the central collation point for all cyber-environment data is not necessarily in the interest of enhancing security within the UK cybersecurity or, indeed, in the global commons.

So what could the government do?

The simple answer is not a lot. The removal of geographic boundaries, the increase in actors, the deniability of actors, the variations in potential target groups and the overall impact on social cohesion mean that the job is beyond the scope of the government as primary provider of cybersecurity for the nation, hence the blurred delineation seen in the 2016 strategy. Attempting to continue on the present course is reliant on the hope that no significant intrusions occur.

But cyber-intrusions will occur and the individual, corporate and public-sector bodies that utilize the cyber environment need to have a clear understanding that their data is their responsibility. The first step is an educational starting point that a cyber-intrusion will happen and you will lose data. The question then becomes how to minimize the loss and recover lost data, known as resilience. This role should be the government’s concern in the cyber-environment to help minimize the harm suffered by an intrusion across all levels of the UK cyber-environment.

Furthermore, the accountability for individual, corporate or public sector aspects of cybersecurity should be transferred to the insurance industry. This means that body X with good investment in cybersecurity will pay a lower premium than body Y which has negligible investment or reliant on out-of-date technology. The effect of such a shift would be that all entities would be forced to take cybersecurity seriously or face higher premiums and hit to the bottom line. For the public sector, not only will IT procurement have to be considered, but also a cost-benefit analysis of increasing premiums versus new infrastructure. It would be interesting to see a future intrusion in the public sector if the government has to admit that it chose the cheap option with its citizens’ data.

This article was originally published on
Fair Observer on 18th May 2017