By John McGregor, a translator and political violence researcher
Cyber attacks targeting private sector providers for essential public services result in additional waste of public resources. When public health care fails in cyber security, politicians are quick to blame staff on the ground. But when private companies become the weak link, state resources are spent on recovery and resilience to keep essential services running, effectively bailing out private providers and absolving them of this responsibility.
On 4 August, a number of UK National Health Service functions were knocked offline by a cyber attack on a private service provider, Advanced. The attack affected a wide range of services because Advanced are so deeply embedded in the systems that run the NHS. An email from the head of the Oxford Health NHS foundation to staff identified the various parts of the NHS under attack:
The cyber-attack targeted systems used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings, triage, out-of-hours care, emergency prescriptions and safety alerts. It also targeted the finance system used by the trust.
The attack was bad enough to force some NHS staff back to pen and paper. On 10 August, Advanced acknowledged that it was a victim of ransomware.
Adastra, one of the software products that was knocked offline in the attack, was initially developed in the 1990s. Its original developer, Adastra Software, was listed on the AIM in 2008 via a reverse takeover, becoming Advanced Computer Software Plc (and later simply Advanced). Advanced acquired a number of other businesses and progressively inserted itself into more and more of the British public health system. Aside from public services, Advanced also provides software and services to commercial ventures.
In 2015, Vista Equity Partners bought Advanced at a price of GBP 725m, and in 2019 Vista sold a 50% stake to BC Partners for GBP 2bn.
On 10 August, six days after the outage started, Advanced explained how it would be preparing for the NHS services to come back online:
With respect to the NHS, we are working with them and the NCSC to validate the additional steps we have taken, at which point the NHS will begin to bring its services back online.
The National Cyber Security Centre was founded in 2016 as part of GCHQ, the British signals intelligence agency, combining and replacing previous state cyber security bodies. It is at the center of British cyber security defense, and GCHQ explicitly advertises that:
During the Covid-19 pandemic, protecting the NHS and the health sector more widely has been the top priority for the NCSC.
This seems like an eminently sensible focus at a time when the NHS is facing austerity-driven crises on every front. It also aligns with the NCSC cyber attack categorization system introduced in 2018, which establishes the highest category as a ‘national cyber emergency’, defined as:
A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.
Obviously anything that forces NHS staff out of their computer systems and knocks out communications and data sharing fits this definition, and therefore warrants the highest level of response:
Immediate, rapid and coordinated cross-government response. Strategic leadership from Ministers / Cabinet Office (COBR), tactical cross-government coordination by NCSC, working closely with Law Enforcement.
That is, effectively, the most powerful crisis response team in the UK and a massive mobilization of state resources. Aside from the NCSC, the response to the hack on Advanced also included Ministers, with both UK health secretary Steve Barclay confirming he was being regularly briefed on the issue, and health secretary for Scotland Humza Yousaf reporting that Ministers were “continually being briefed”.
Balanced against the necessity of keeping the NHS running, this seems like a sensible choice; it is essential that the NHS can function. Nonetheless, the dynamics are little different from those of a bailout, with the public funding a costly emergency response to risks taken by the private sector. The NCSC makes this dynamic abundantly clear, highlighting that NCSC assistance is always free.
As acknowledged in a 2019 House of Commons Committee of Public Accounts report on cyber security in the UK:
Since 2010 government has taken a central lead in ensuring that the UK effectively manages its exposure to cyber risks.
The possessive ‘its’ hides who is really exposed to these cyber security risks. In this instance, Advanced has catastrophically failed to manage its exposure to cyber risks as a business. Nonetheless, the ones suffering the negative consequences are the staff and patients of the public health service.
A New York lawyer, Erik Weinick, commenting on the Advanced hack, demonstrated the inseparability of public bodies from their private providers:
Know your vendors. Know their vendors. Communicate with all of them regularly. Train side by side for emergencies… Ultimately, you are part of the same ‘network’ and what impacts one, impacts the others. Check your agreements. Understand who is responsible for what both [during] an emergency and in trying to prevent one.
Somewhat ironically, the NCSC sent a bulletin to NHS trusts in March 2022 warning them to increase their online defenses “following Russia’s further violation of Ukraine’s territorial integrity”. Whatever NHS trusts did in response, they couldn’t control what was happening at Advanced, which eventually proved to be the weak link. Advanced provided its most recent update on 19 August, claiming it would start the process of bringing organizations using Adastra back online in the coming week.
This is not the first time that the NHS has suffered a damaging cyber attack; it was also a victim of the WannaCry ransomware in 2017. That attack similarly hampered services at NHS trusts and GP surgeries, resulting in cancelled appointments and operations, but in the WannaCry case it infected NHS computers directly. As such, the blame was pushed back onto NHS trusts and local bodies. The National Audit Office made sure to note in the key findings of its investigation that:
The Department and Cabinet Office wrote to trusts in 2014, saying it was essential they had “robust plans” to migrate away from old software, such as Windows XP by April 2015. In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry.
It also claimed that:
NHS Digital told us that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves.
As a result of these findings, the Care Quality Commission piloted unannounced cyber security inspections at NHS trusts (even as trusts were failing the announced ones).
When the Tories could keep the blame contained within NHS trusts and local organizations, the cause was never an over-worked labor force or resources decimated by years of austerity; it was that staff had failed to implement the guidelines they were given. But when, despite extra internal checks and even fewer resources, it is not the NHS but an external private provider that becomes the weak underbelly of the public system, the British state is willing to pull out all the stops to defend big business.
This corporate safety net ensures that even when businesses fail catastrophically in their role within the public system, the state will step in to protect them. By doing so, it protects these businesses’ position within the system, and the public money this gives them access to, and thus defends the investments of private shareholders with further public resources.