Pádraig Hoare: What could the HSE have done to protect itself from the cyberattack? 

The HSE was the victim of a devastating ransomware cybercrime last week. What could it have done to protect itself from this growing worldwide threat, asks Pádraig Hoare

He is not exactly the paragon of forward thinking or planning, considering his central role in the disastrous invasion of Iraq by US and UK forces in 2003, but Donald Rumsfeld’s befuddling musings at the Pentagon have become unwittingly prescient in the years since.

“There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don't know. But there are also unknown unknowns. There are things we do not know we don't know,” the notorious former secretary of defense told the world in 2002.

It led to much lampooning, but given how data has continued to grow exponentially in the 19 years since, and the increasing boldness of bad people who want it for criminal purposes, Donald Rumsfeld’s words are apropos when it comes to evaluating cybersecurity.

We hear time and time again of cyberhacks, cybercrime, cyberwarfare, cyberbreaches, and cybersecurity, but much like anything in life, unless it affects us directly, we tend to see it as someone else’s problem.

Petrol shortages on the US east coast, and medical records in Ireland possibly being released by hackers, have focused the mind in recent weeks.

"There are also unknown unknowns. There are things we do not know we don't know" - Donald Rumsfeld’s words are apropos when it comes to evaluating cybersecurity. File picture: AP Photo/Heesoon Yim

In Rumsfeld-speak, hackers can get inside vulnerable systems - that we do know. In relation to “known unknowns”, we are aware that criminals are taking advantage of the chinks in the armour, we just don’t know how bad it is until after the fact.

Unknown unknowns

When it comes to “unknown unknowns”, it is the scale and size of these attacks, and their relentless nature, and what waves are likely to come, that we really don’t comprehend.

These corporate attacks are not going away anytime soon.

Most Americans would merely have known in passing what a cyberhack or data breach was two weeks ago. Now most realise just how serious they can be, if lines at petrol stations across the US east coast are any indication.

It emerged on Thursday that CNA Financial, one of the biggest insurance firms in the US, in late March handed over $40m (€32.7m) after a ransom demand in order to take back control of its network.

There is anecdotal evidence that in Cork, embarrassed firms have handed over ransoms in recent years, but not gone public because of the shame and reputational damage.

It is only when high-profile attacks occur that we can gauge the significance and scale of such attacks - the HSE attack bringing various degrees of worry to homes across Ireland.

The Colonial Pipeline attack on the US east coast is evidence that what is someone else’s problem can quickly become the problem of everyday folks.

The firm shut down 5,500 miles of its pipeline earlier this month after its computer networks were breached.

Considering that the firm’s pipeline goes through 14 southern and eastern US states and supplied almost half of the east’s fuel from Texas to New York, a significant portion of the US population suddenly became aware of what is a new norm for companies.

A customer helps pump gas at Costco, as others wait in line, on Tuesday, May 11, in Charlotte. Colonial Pipeline, which delivers about 45% of the fuel consumed on the East Coast, halted operations last week after revealing a cyberattack that it said had affected some of its systems. Picture: AP Photo/Chris Carlson

Pictures beamed around the world of everyday Americans filling their cars with jerrycans of petrol, while other pictures showed petrol stations having run out of an everyday commodity that had suddenly become scarce.

According to The Guardian, the FBI said the attack on Colonial was the work of a firm called DarkSide, which specialises in ransomware. Colonial was compelled to stop pipeline operations so the FBI could fully investigate.

The Guardian said: “According to Intel 471, a security company that surveys the teeming cybercriminal ecosystem of the internet, DarkSide was first spotted in November 2020 on a Russian-language hacker forum, advertising for partners for a ransomware service.

“What it was pitching was a platform that “approved” cybercriminals could use to infect companies with ransomware and carry out negotiations and payments with victims. 

“We are a new product on the market,” it burbled, “but that does not mean that we have no experience and came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn’t find the perfect product for us. Now we have it. 

“Not long afterwards, its software was found to be behind several ransomware attacks on manufacturers and legal firms in Europe and the US.” 

In his Guardian piece, professor of the public understanding of technology at the Open University, John Naughton, said: “Public discourse about cybercrime and its practitioners is way behind the curve...criminals are rational actors, not lone hackers with poor hygiene and a penchant for pizza.

“They see what they do as a low-risk activity with very high profit margins. And they operate in a networked world in which even large and wealthy companies are still failing to take computer security seriously. 

“The significance of the Colonial hack is its confirmation of cybercrime as a major new industry.” 

In a world ravaged by Covid-19, vaccine information has suddenly become a hot commodity in the world of cyberransom.

The Guardian reported: “State-sponsored hackers from China, Russia, Iran and North Korea are engaged in concerted attempts to steal coronavirus vaccine secrets in what security experts describe as “an intellectual property war”.

“Western governments remain reluctant to point the finger of blame in all cases of hacking attacks for fear of diplomatic repercussions, with the UK, for example, particularly cautious about accusing China.” 

Facing up to the new world of cybercrime

Despite repeated warnings by Irish experts in the past decade, it seems that it is only now that Irish firms are facing up to the new world of known knowns, known unknowns, and unknown unknowns of cybercrime.

Aidan Magner, head of process excellence at Cork-based business consultancy firm 3Sixty, said firms did not need to be experts in cybersecurity to take practical steps to protect their data.

Having seen and helped businesses get back on track after interruptions and adversity countless times within his 25-year career, Mr Magner said that what they need to realise is that cybersecurity should be as important as other business continuity measures in case of emergency.

Just because firms have measures in place in case of IT systems failure, that does not necessarily mean cybersecurity is included - it should be, he said.

It seems that it is only now that Irish firms are facing up to the new world of known knowns, known unknowns, and unknown unknowns of cybercrime. File picture

“There would always have been an IT risk in a business continuity plan. People would ask what they would do if their system goes down, what happens if their network goes down, what happens if a JCB goes through the internet cable outside the window. Companies were able to work on plans if such a thing happened. 

"This time last year, we all executed that plan right away, when we logged onto the office computer from home. Because it happened very quickly and very easily, a lot of people would have patted themselves on the back and said job well done, that our IT resilience is actually quite good.

“However, what we have seen is that the incidences of phishing have actually gone up over the last 12 months. There are vulnerabilities in the system - logging in from home, working from old networks, old laptops, things like that. We’re now seeing people come back to us and say we need to have more resilience in place.” 

The pandemic has shown that businesses are resilient, he said, so there should be no reason why they cannot shore up their cybersecurity measures.

“Does this become the new norm? It absolutely does. The need for forward thinking and looking at all the strategies out there needs to increase. 

“The adage applies that a hacker only needs to be lucky once, whereas the company needs to be lucky every day,” Mr Magner said.

In the last 12 months, companies have dealt with pandemics, cyberattacks happening simultaneously in a number of cases, and supply chain interruptions - they are all different elements of business continuity disruption, he said.

“Previously, you might have looked at one of those elements happening every five or six years. We’re now seeing three of these things happening almost simultaneously - global shortages of semiconductors, global shortages of cardboard, shortages of soya beans and chocolate such as Flakes. 

"Depending where you are sitting, if your supply chain is interrupted, or a cyberattack happens, these are all risks to your business that you need to work through.” 

One side of assessing risk is identifying what can go wrong, but another is identifying what you can do about it if things do go wrong, he added.

“That’s part two of a business impact assessment. What is the 'in case of emergency, break glass' plan. Scratching your head thinking “now what?” means you are already behind the curve.

“If you have a warehouse with fire alarms and smoke detectors, and they go off, it is the sprinkler system that puts out the fire.

“You identify the risk, what is priority, and what can be done to protect yourself, so you now need to fill that middle bit yourself. That is when you might work with a specialist company that deals in cybersecurity.”

'Plan, Protect, People, and Prevention'

Shemas Eivers is chairman and co-founder of Cork-headquartered international IT firm Client Solutions, as well as founder of the National Software Centre in Mahon and co-founder of it@Cork.

Yet a seasoned expert like Mr Eivers is not above taking simple measures to protect Client Solutions, measures that he says every firm can and should take.

His own firm has four things that it applies in order to protect and insulate itself as best it can from such attacks - the 4 Ps of Plan, Protect, People, and Prevention.

“We plan for it - if it is going to happen, what do we do if it does, what are the impacts, and what can you do to minimise that. There are simple things you can have prepared, such as who to contact and how to stop it becoming worse.

Plan, Protect, People, and Prevention - the 4 Ps to protect as is best possible from cyberattacks.

“Part of planning is to have a rapid response in place. You can notice these things early on but if you don’t react to it, within a couple of hours, it’s been made worse. If you catch it early, you can save an awful lot of damage.” 

Protecting your data is key, yet also simple, he said.

“You can encrypt your data these days. We use something called Bitlocker. Every laptop is fully encrypted. Why is that important? If your data on laptops is encrypted from your end, and the hackers do so from their end, then okay, you cannot get at it and it is still a problem, but they cannot decrypt that data and put it out on the open web. That may not solve the problem of you getting caught in the first place, but the damage is somewhat contained, and issues like GDPR where lawyers are up in arms,” he said.

When it comes to people, that is the most important element in many ways, according to Mr Eivers.

“With people, it is all about enforcement and education. You can enforce it all you like, but if someone for example clicks on the wrong thing and doesn’t tell you, you can still end up in trouble. We look at regular emails going out reminding people to be cautious, as one measure.

“It is important that senior people send out these emails and warnings, because what happens sometimes, if you have lots of emails coming from the IT manager, people ignore them.

“What we find is that if it comes from different people within the organisation, it prevents the blindness of the familiarity.” 

Prevention can be explained using the hard-boiled egg analogy, he said.

“The shell is used to keep them out. But once they get inside, you don’t want them to float around in the nice soft part. What every company should have done is a penetration test done by an independent person once or twice a year. Someone should come along and actively try to get in, and see what holes you have.” 

Firewalls on a company system should be rock-solid, he said.

“You should have firewalls. Everyone understands you have a firewall in your house on a small router, but in a company it is more complex. What we would say is that very few companies should manage their own firewalls.

“We ourselves, even though we have the technology to do it, we would outsource that to someone who specialises in it. They will be up to date on everything, because that is their job. The chances of you missing something or exposing a hole is higher if it is not your job, but if it is theirs, the chances are far lower.” 

Firms simply must protect emails, and multi-factor authentication is one of the easiest steps to take while preventing potentially huge problems, according to Mr Eivers.

“Have a system that monitors your emails, recognises threats, learns as it goes along, and stops automatically a huge volume getting to your users. That is key.” 

People working remotely on their own laptops and their own system connecting to the corporate system is another potential blind spot for firms, he said, but there is again a relatively straightforward solution.

“We have an endpoint security system, whether it is a phone or a tablet, it protects it at all times, even when they are not on a network. Your laptop should be fully encrypted, and then have some protection on that laptop being attacked. This is important in the current climate, as updates are not being done as often as they should be. At least these systems have those checks in place.” 

Eliminate the 'silly things'

Fundamentally, issues occur when people do silly things that they really shouldn’t, he said.

“That is the endgame. Eliminate those silly things, or the potential for silly things. People don’t like admitting to doing silly things, so you often hear about it when it is too late to mitigate.

“You cannot eliminate 100% of threats, but you can take an awful lot of them out by protecting yourself with multiple layers.” 

If it seems like a real pain to have to undertake these measures, just look at the quandary that the HSE, Tusla, and Colonial have found themselves in.

The health system in Ireland was rendered helpless overnight and has still not recovered.

Colonial’s chief executive admitted paying $4.4m to the hackers in order to restore its systems quickly.

In the bigger scheme of things, little annoyances and extra layers of protection are small change if it means keeping your business afloat.

The fewer known-unknowns and unknown-unknowns you face, the more you know, as Donald Rumsfeld might say.
