Its clear from the failure throughout the NHS last weekend that something went badly wrong and there are huge numbers of people who have paid a very dear price for the chaos. The patients and indeed those who work for the NHS in nursing and health care are the ones on the front line. However the analysis which has been presented to us publicly may not be as accurate as we would believe. It is certainly clear that part of the problem was the use of out of date software systems, Windows XP in a number of places. However that is not necessarily the real cause for the shutdown. The fact is that our cyber security systems demand human involvement. The involvement of budget holders who decide how much will be spent on systems and on protection and those who answer publicly for what went wrong in situations such as at the weekend means that people whose skill is in making political judgements often feel obliged to make decisions that should be taken by people who understand the technology. Many of those who understand the technology are either ignored or so far away from the place of decision making that they are not being heard at the critical moments. The fact is that large systems were closed down on Friday by decision makers who interpreted the risk through political rather than technical eyes. Their decision probably cost 10 or even 100 times as much impact to the NHS as would have been the case had a small number of systems been impacted by the ransomware that was being used by those behind the attack. This multiplication effect is extended even further when the challenge of tracking down the perpetrators is taken into account. Their virtual fingerprints are much harder to find because wholesale switch offs took place as they did. The ongoing challenge is that people with even lower levels of understanding are now making decisions about individual pieces of technology which will not have the impact of the weekends shut down, but will consign perfectly usable pieces of technology to the dustbin simply because of ignorance. Imagine an administrator discovering that some of the hardware in a GP practice or in a hospital uses a system which is no longer supported. There are millions of pieces of hardware such as Blu Ray player, TV’s, room booking systems and intercoms that contain software systems that have not been supported for years. The same is probably true of medical devices. The reality is that for most of these systems there is no risk at all. They cannot be hacked into and in any event they cannot do more damage than simply stop working at a critical moment. That risk is far less than the closure of the whole of the NHS.
A number of years ago I had a role providing advice and support to around 1000 churches across Sussex. The work was exclusively focused on how churches could work together more effectively. As a consequence I was on countless peoples email distribution lists. Every so often news of an email scam would circulate. The speed with which such information circulated in a relatively limited but open network of organisations was mind blowing. Sometimes the scam was genuine, sometimes not. The fact was that the news of the scams was far more debilitating than many of the scams were. Our cyber threat is clearly real and needs to be taken seriously. However it also needs to be managed in an effective manner. Otherwise we could have shut downs like this weekend on a regular basis and that would be far more damaging to our NHS and other public services than some of the threats posed by small numbers of out of date systems. All software systems have a limited lifetime and occasionally mistakes will be made. We need to have confidence in those who do manage our public cyber estate. If there is an occasional failure of a non critical system, that is probably a cheaper price to pay than a wholesale withdrawal of such systems in a manner that creates even greater problems for all of us. Let us hope the next time an attack happens we are not in the middle of an election. That has clearly heightened the panic in this case.