Eleonora Harwich is the Director of Research and Head of Tech Innovation at Reform.
Last month, a woman in Germany died as a result of a cyber attack. Hackers disabled the IT system at Düsseldorf University Hospital and the patient, who was supposed to receive a lifesaving treatment, could not be transferred to a different hospital in time to save her. German police have opened a homicide investigation – the first known to be the result of a hack.
This incident in Germany serves as a reminder of the horrifying consequences that a cyber attack can have in a hospital setting. Yet too much of our public sector remains highly vulnerable.
Last week, the London Borough of Hackney suffered a serious cyber attack which halted many of its services. This example is part of a long list of attacks experienced by local councils and public services in recent months.
One of the key risks has been the massive uptick since March in people working from home. Covid-19 has led to almost 50 per cent of the UK workforce doing some form of remote working, including most civil servants and many others employed by the public sector.
A sizeable proportion are unlikely to be adhering to basic security protocols like two-factor authentication, and many may be using personal devices as opposed to office equipment. This significantly increases the risk of cyberattacks.
A joint paper from the UK National Centre for Cyber Security and the equivalent body in the United States Department of Homeland Security warned in April that “malicious cyber actors are exploiting the current Covid-19 pandemic”, and in particular the vulnerabilities in home working. Interpol has reported an increase in cybercrime targeted at governments and critical health infrastructure since the start of the pandemic.
As was the case in Germany, these attacks can have very serious consequences for people’s lives. They can also be extremely costly for the public finances. In February, Redcar and Cleveland local authority suffered a serious ransomware attack costing the council more than £10 million. The infamous WannaCry attack in 2017, which led to around 19,000 appointments being cancelled, cost the NHS an eye-watering £92 million. Thankfully no deaths occurred as a result of the attack, but we may not be so fortunate in the future.
As the public sector increasingly digitises and collects more data about citizens, cyber security can no longer be seen as an add-on; it must be a core component of service delivery.
The UK is seen as a world leader in cyber security with its National Cyber Security Centre, two National Cyber Security Strategies and the Secure by Design guidance published by the Department for Digital, Culture, Media and Sport (DCMS).
However, there is a gap between the available guidance and expertise held within these central bodies and what cyber security policies and practices actually look like on the ground.
Last summer, two years on from the ‘WannaCry attack’, over a million hospital computers were still running Windows 7, an operating system released a decade ago and no longer supported by Microsoft.
By July this year, following an offer of centrally funded Windows 10, 846,000 NHS computers had been fully upgraded. This suggests that there are still about 150,000 computers in the NHS which are using outdated and unsupported systems, and are therefore extremely vulnerable to hacks.
Dealing with legacy IT is only one of the challenges the public sector faces when it comes to cyber security. Reform’s latest report, Resilient public services in the age of cyber threats, highlights that skills, procurement and imbalances in knowledge sharing and communication between central and local levels of government are undermining cyber resilience.
According to the DCMS, 27 per cent of public sector organisations outside of central government departments have a basic technical cyber security skills gap. Yet, a quarter of cyber leads do not even feel confident providing training materials or sessions to upskill their workforce.
The next National Cyber Security Strategy is due in 2021, and must have a strong focus on addressing this skills gap. It must also place a greater emphasis on basic cyber hygiene skills for all public sector professionals.
Reform recommends that the National Cyber Security Centre should increase the capacity of its cyber security training courses, and mandate attendance for anyone working in the public sector who handles sensitive information. This would go some way towards reducing the skills gap and ensuring that data held by public sector bodies is handled securely.
Increasing the resilience of public services in the face of cyber threats also means adopting technology that has security built in. Yet it is currently very difficult for those procuring tech to know if what they are purchasing complies with the right security standards. A kitemark – akin to that used for food safety – would enable commissioners to purchase products confident that they meet government’s ‘secure by design’ guidelines.
Covid-19 has accelerated the digital transformation of public services – a positive legacy of this terrible crisis. But this also means that our public sector infrastructure is increasingly vulnerable to those who wish to hack it – whether for financial gain or nation-state destabilisation.
Failing to act now to enhance cybersecurity and protect our essential services – from the NHS to the benefits system, prisons to social services – will come at a high cost. We do not want the second homicide investigation stemming from a cyber attack to be in the UK.