By Tamlin Magee
May 17, 2017
While Hunt is right that anyone can be hit by ransomware, that it is fairly common, and that it can be mitigated to a degree, he doesn't mention the funding required to do so. The Guardian's Charles Arthur links underfunding in the NHS to the success of the attacks, citing previous ransomware incidents such as the one suffered by Papworth hospital in 2016. The IT director of that hospital said of that attack: "If we'd been doing a heart operation on a Sunday, it would have been a huge problem."
"A lack of funding or priority for investments will have certainly played a big part for a cash-strapped NHS," says Martin Courtney, principal analyst for TechMarketView, speaking with Computerworld UK. "The way it is set up, individual NHS trusts would have to be upgraded from Windows XP one by one, rather than within any national programme or co-ordinated timeline, leaving ongoing protection against cyber attacks patchy at best.
"Nor is it just PCs and laptops at risk, there is likely to be a lot of bespoke medical equipment that uses Windows XP embedded with similar vulnerabilities, so any upgrade would be expensive, disruptive and time-consuming."
At least in the UK, the real-world physical impact of the attacks is like nothing that's ever been seen before. But whether the attacks will serve as a 'wake-up call' is up for debate.
"If it is to be a wake-up call, it's one that has been sounded many times before and either successfully ignored or effective remedial action delayed," says TechMarketView's Martin Courtney. "The UK government knows the country is vulnerable to cyber attack and has consistently urged private companies to up their game - it seems to have ignored its own advice."
"The scale of this particular incident should bump cyber security improvements to the top of the priority list for any UK Critical National Infrastructure provider, though given the crisis elsewhere in the NHS, I wouldn't hold my breath."
Most security professionals understand that it's not a case of 'if' but 'when' an organisation will be hit by an attack. Mitigation as well as prevention is key, but it's something that is difficult to achieve without recognising cyber security as a serious priority.
More alarming still, the chain of IT disasters caused by this attack seems to have been an unintended consequence - the attacks are thought to be the responsibility of an organised criminal gang with the primary driver being financial.
But it doesn't take much of a leap to imagine the damage that could be done by an attack deliberately designed to cause such disruption to under-funded public sector departments and other vital public infrastructure.