The NHS malware case highlighted the need to deal with the necessity of digital records and security
At a session with Google geeks at their ZeitgeistMinds meeting last week, someone asked how long would it be before the kind of hacks we have seen hit governments’ security services came home to people in their daily lives.
As if by malware magic arrived news of Friday’s major cyber-attack, whose victims included a large number of NHS organisations. It is a safe bet that if you have thought of a bad scenario, it is probably on the way to happening. But beyond a quick fix of Windows updates by sleepy NHS trust IT managers, this onslaught illustrates a trend policymakers and governments need to heed and communicate far better.
Largescale hacks shake faith in data protection. Yet in all the exchange of blows on NHS funding and the moribund argument about reforming a health system that relies so heavily on IT to function, no politician has dealt extensively with the tension between digitisation and security.
Google gets a bad rap these days, often fairly, for its stubborn tin ear on the effect of its advertising model on the future of responsible journalism and the tendency to want to solve all the world’s woes, except the ones it is directly involved in. But it is thinking more intelligently about cyber-threats and their impact on policy and politics than many in the sector. Other big platforms and providers need to think more strategically about how risks will evolve and their impact.
This time, the National Security Agency will come in for the usual criticism for a policy of “back-door” access to big tech systems, a continuum of Barack Obama’s cyber-security policy, which relied heavily on this as its main defensive option. The NSA habitually assumes too readily that its own secrets are secure, when they are patently not.
But the real dangers of flashpoints are what one source compares to traditional hierarchies of warfare – big state actors, notably Russia, China and Syria, out to destabilise democracies, flanked by “warlords”, who control bits of cyber-territory and “mercenaries” involved for the money or kudos. I doubt that the drivers in the hack that hit the NHS are purely financial. They are often the result of a mindset that relishes shaming established powers and institutions, while the lack of effective sanctions emboldens them.
In foreign policy and security, cyber-hacks are growing components of election races and the treatment of conflicts. The recent gas attack on the opposition in Syria was followed by a welter of disinformation, disseminated through social media, to “prove” that the obvious (and true) explanation – that Bashar al-Assad ordered the attack – was not so obvious at all. Moral relativists thrive on this stuff. There is some light in the darkness. The hack of the Emmanuel Macron campaign was offset, in part, by his team’s counterinsurgency approach, undermining the hackers’ work, disrupting it with distracting information and thus undermining its value. Who can remember now what the point was?
Cyberwars are a new battlefield, but they respect some old rules. One is that being defensive is not enough. The other is that we, the public, need to be wise to the fact that attacks will happen, but that the hackers do not always prevail. “I am the Spirit of Eternal Negation,” boasts Mephistopheles in Goethe’s Faust. Today, he’d have been at the top of a malware organisation.
Anne McElvoy is senior editor at the Economist
guardian.co.uk © Guardian News & Media Limited 2010