Was government response to WannaCry adequate?
Was government response to WannaCry adequate?

It's hardly a surprise that  opposition politicians criticised the government's response to WannaCry, demanding to know, how could this happen, why wasn't more money spent preparing for the problem earlier, and why did no-one tell us we were at risk when we cut spending or dipped into capital budgets? Sound familiar?

But what's the CISO perspective? What do we think actually did work, what didn't, and what more can and should we be doing?

Prime Minister Theresa May was quick to note, when asked to comment on the WannaCry cyber attack, that the government had allocated £1.9 billion to the UK cyber security strategy, and in particular the establishment of the NCSC as a support mechanism for industry.

And yet, one media commentator, cruelly but accurately observed in a private message: “Turns out a kid in his bedroom was more useful than the entire NCSC.”

And a CISO at a major part of the UK's critical infrastructure, who does not wish to be identified, when asked by SC about the level of support provided by the NCSC abruptly stopped the flow of his conversation and with pursed lips gestured to indicate ‘zero', intimating the same level of support was provided by the CNI helpline.

In contrast, cyber-security specialist Alan Woodward, visiting professor at the University of Surrey, told SC he believes that this criticism of the NCSC is misplaced because it is not really geared up to provide advice to individual organisations. By contrast, he said, those organisations who had joined the Cyber Security Information Sharing Partnership (CiSP) had been satisfied with the information they received.

And there was more praise for the NCSC from Emily Taylor of Chatham House, editor of the Journal of Cyber Policy, who told SC reporters that it was the basic principles set out by the NCSC which stopped more trusts from getting infected.

If you needed to know what to do, possibly the best advice to be found was by going back to the hair of the dog that bit you – back to the internet itself where vendors were falling over themselves to provide advice and even instant products to assist in patching and updating systems.  

And the online security media did themselves proud, reporting developments and the spread of attacks in real time, gathering research data to explain every facet of the attack, its origins, the role of the NSA, Shadow Brokers, ransomware as a concept, how to get bitcoins, who was paying, links back to Microsoft's patches and everything you could hope for from a crowd-sourced information stream.

But here, too, there was some criticism of over-zealous sales people hounding already overwhelmed hospital departments with what seemed almost literal ambulance-chasing, as they sought to peddle their solutions to a sector still under attack.

And one SC reader wrote to suggest that the role of the cyber-reserve was probably less than it might have been because the reserve does not have a London base, where much of the talent it might seek to recruit is actually located.

So – lessons learned beyond the software update, patching and maintained backups:

  • Do join your local CISP.
  • Have a contingency plan for dealing with a crisis.
  • For the NCSC, have an emergency call centre plan in place to disseminate accurate information quickly.

There were also calls for separation of the NCSC from GCHQ, to avoid any conflict of interest as the latter organisation may have a desire to, say, store vulnerabilities to conduct spying, whereas the NCSC should have an unmitigated brief to protect and remedy any vulnerabilities.

For politicians and organisations, it's time to push cyber-security further up the risk table – especially when it comes to budget allocations – and don't be tempted to backslide and dip into this allocation for other priorities.

And it's probably advisable to open a London office of the Joint Cyber Reserve to tap more of the talent where it is.