Ransomware, Preparing for Disaster

Academic year: 2021

Title Page

Title: Ransomware, Preparing for Disaster
Name of the author: Jesse Schmitz
Student number: S2555263
University: Leiden University – Faculty of Governance and Global Affairs
Study: Crisis and Security Management
Supervisor: Dr J. Shires
Second reader: Dr T. Tropina
Assignment: Master’s Thesis – Final Edition
Due date: Sunday 7 June 2020 – 23:59


Abstract

Cybercriminals are utilising ransomware on an increasing scale. While organisations attempt to prevent attacks from materialising within their digital environments, the WannaCry strike of 2017 made evident that a crisis cannot always be averted; hence the need to devise processes that mitigate the impact of a successful ransomware strike. This Master’s thesis establishes the extent to which preparedness planning can shape the outcome of a ransomware attack. Through a process-tracing study of the National Health Service (NHS) within Great Britain (GB), configurations of causality were established. The devised causal configuration allowed for an in-depth comprehension of the relation between preparedness methods and the outcome of WannaCry. The analysis found that preparedness planning is positively related to alleviating the impact of a materialised ransomware attack. Furthermore, interviews with cyber and ransomware experts were conducted to design specific ransomware preparedness processes.


Table of Contents

CHAPTER 1.0 – INTRODUCTION ... 5
CHAPTER 1.1 – RESEARCH QUESTION ... 8
CHAPTER 1.2 – ACADEMIC AND SOCIAL RELEVANCE ... 9
CHAPTER 1.3 – ORGANISATION OF THE THESIS ... 9
CHAPTER 2.0 – THEORETICAL FRAMEWORK ... 10
CHAPTER 2.1 – EMERGENCY MANAGEMENT ... 10
CHAPTER 2.2 – PREPAREDNESS PLANNING ... 10
Chapter 2.2.1 – Challenges and Benefits of Preparedness Planning ... 10
Chapter 2.2.2 – Preparedness Planning in Relation to Ransomware and Cybersecurity ... 11
Chapter 2.2.3 – General Preparedness Techniques ... 11
Chapter 2.2.4 – Cyber Preparedness Techniques ... 14
CHAPTER 2.3 – HYPOTHESES ... 16
CHAPTER 3.0 – RESEARCH DESIGN ... 17
CHAPTER 3.1 – RESEARCH APPROACH ... 17
CHAPTER 3.2 – SINGLE CASE STUDY ... 17
CHAPTER 3.3 – CASE SELECTION ... 18
Chapter 3.3.1 – Comprehending the Cyber Threat of WannaCry ... 19
CHAPTER 3.4 – DATA COLLECTION ... 20
Chapter 3.4.1 – Causal Mechanisms ... 20
Chapter 3.4.2 – Types of Evidence in Process-Tracing ... 22
Chapter 3.4.3 – Evaluating the Strength of the Evidence ... 22
Chapter 3.4.4 – Interviews ... 24
CHAPTER 3.5 – DATA ANALYSIS ... 25
CHAPTER 4.0 – ANALYSIS ... 27
CHAPTER 4.1 – THE IMPACT OF THE WANNACRY ATTACK VIS-À-VIS THE NHS GB ... 27
Chapter 4.1.1 – NHS England ... 27
Chapter 4.1.2 – NHS Scotland ... 29
Chapter 4.1.3 – NHS Wales ... 31
Chapter 4.1.4 – Conclusion ... 32
CHAPTER 4.2 – IDENTIFIED ELEMENTS OF PREPAREDNESS PLANNING CONCERNING THE NHS GB ... 33
Chapter 4.2.1 – NHS England ... 33
Chapter 4.2.1.1 – Identified Preparedness Techniques ... 33
Chapter 4.2.1.2 – Level of Cyber Preparedness ... 34
Chapter 4.2.2 – NHS Scotland ... 35
Chapter 4.2.2.1 – Identified Preparedness Techniques ... 35
Chapter 4.2.2.2 – Level of Cyber Preparedness ... 37
Chapter 4.2.3 – NHS Wales ... 38
Chapter 4.2.3.1 – Identified Preparedness Techniques ... 38
Chapter 4.2.3.2 – Level of Cyber Preparedness ... 39
Chapter 4.2.4 – Conclusion ... 40
CHAPTER 4.3 – WHAT LED TO THE OUTCOME OF THE WANNACRY ATTACK IN THE NHS GB? ... 41
Chapter 4.3.1 – Preparedness Planning Vis-à-Vis the Outcome of the WannaCry Attack ... 42
Chapter 4.3.1.1 – Causal Mechanisms and Configurations ... 42
Chapter 4.3.1.2 – Causal Configuration – NHS England ... 43
Chapter 4.3.1.3 – Causal Configuration – NHS Scotland ... 46
Chapter 4.3.1.4 – Causal Configuration – NHS Wales ... 48
Chapter 4.3.2 – Comparing the Results ... 50
Chapter 4.3.3 – Alternative Explanations ... 53
Chapter 4.3.3.1 – Preventive Measures ... 53
Chapter 4.3.3.2 – The Kill-switch ... 53
CHAPTER 4.4 – TRANSLATING PREPAREDNESS PLANNING TO RANSOMWARE ... 55
Chapter 4.4.1 – Early Warning Systems ... 55
Chapter 4.4.2 – Scenarios and Simulations ... 56
Chapter 4.4.3 – Crisis Communications Systems ... 57
Chapter 4.4.4 – Stockpiling of Relief Supplies ... 58
Chapter 4.4.5 – Plans for a Coordinated Response ... 59
Chapter 4.4.6 – Metrics for Readiness Assessment ... 60
Chapter 4.4.7 – Conclusion ... 62
CHAPTER 5 – CONCLUSION ... 63
BIBLIOGRAPHY ... 65
APPENDICES ... 71


Chapter 1.0 – Introduction

Since the end of the Cold War, many nations have made protecting their digital space a top priority in adapting to changing geopolitical conditions, successfully securitising the concept of safeguarding cyberspace through the founding of the Commission on Critical Infrastructure Protection by President Clinton in 1996 (Hansen & Nissenbaum, 2009). In line with this changing notion of security, the term ‘cybersecurity’ was first coined by computer scientists in the 1990s in response to an array of insecurities related to information technology systems, and it has evolved significantly over the years since (Hansen & Nissenbaum, 2009). It was soon understood that protecting cyberspace was not merely a technical matter: a vulnerable cyberspace can have devastating societal effects because of society’s intensifying dependence on networked computers and information systems (Hansen & Nissenbaum, 2009).

However, cybersecurity stands at the crossroads of a multitude of disciplines, including Computer Science, Political Science, Information Law, Philosophy, Communication, Anthropology, Visual Culture, and Science Studies, and Information Technology (IT) is a common element in many security sectors; consequently, cybersecurity presents many challenges in its application (Hansen & Nissenbaum, 2009).

Cybersecurity has three main objectives: confidentiality, integrity, and availability, commonly referred to as the ‘CIA triad’ (Singer & Friedman, 2014). Confidentiality focuses on keeping information private through, for example, encryption and access control (Singer & Friedman, 2014). Integrity is concerned with ensuring data is not altered by unauthorised users (Singer & Friedman, 2014). Finally, availability refers to authorised users being able to use information and systems whenever required (Singer & Friedman, 2014).

However, the CIA triad is continuously tested by cybercriminals with malicious intent. These hackers continually develop new methods, engaging in a digital arms race with cybersecurity experts, with each new threat requiring a different remedy to nullify its impact (Limnéll, 2016). One of the latest menaces of insecure cyberspace recognised as a risk to the continuity of organisations is ransomware (Deloitte, 2017). A ransomware attack is a vicious form of cyber misuse that exploits malware to lock the targeted information system, assaulting the availability aspect of cybersecurity and returning access only when a ‘ransom’ is paid (O'Gorman & McDonald, 2012). Two types of ransomware exist: Locky ransomware, which locks users out of their systems, and crypto-ransomware, which encrypts the victim’s files (Kok, Abdullah, Jhanjhi, & Supramaniam, 2019).

Locky ransomware prevents users from logging into their systems; however, this can easily be bypassed by running the computer in safe mode or restoring the system (Kok et al., 2019). Crypto-ransomware, on the other hand, is far more challenging to recover from, since without the key the encrypted data on the network cannot be restored; in addition, payload persistence and the disabling of the system restore option ensure data cannot be retrieved without paying the ransom (Kok et al., 2019).

Since such a cyber strike profoundly impacts the continuity of an organisation, organisations are incentivised to pay to regain access to their systems. Hackers understand this, which explains a 340% increase in detected attempts between 2018 and 2019 (Dosal, 2019). Additionally, while there were only 100 ransomware families in 2016, over 500 families had been identified by 2019 (Paquet-Clouston, Haslhofer, & Dupont, 2019). Moreover, the estimated cost of the damage caused by ransomware attacks in 2019 is $11.5 billion (Poudyal, Dasgupta, Akhtar, & Gupta, 2019). Since the total losses incurred by organisations in 2016 were $1 billion, this represents a significant increase in costs (Brewer, 2016). The costs are attributed to lost production, loss of business, inconvenience for customers, and the loss of valuable data (Brewer, 2016). Finally, the number of attacks is also increasing over the years. While in 2016 an organisation was confronted by a ransomware assault every 40 seconds, in 2019 this was expected to be every 14 seconds, further emphasising the need to have appropriate mechanisms in place to deal with this digital threat (Morgan, 2019). Furthermore, since payments are requested in cryptocurrency, mainly Bitcoin, cybercriminals enjoy relatively anonymous money transfers and avoid the control of financial institutions (Paquet-Clouston et al., 2019).

Ransomware attacks follow a general flow called the ransomware life cycle (see Appendix A) (Zavarsky & Lindskog, 2016). Furthermore, ransomware is not a novel concept; however, it has seen dramatic changes over time (see Appendix B) (Richardson & North, 2017). One recently distributed crypto-ransomware variant that wreaked havoc was WannaCry.

On May 13, 2017, a ransomware campaign that locked over 200,000 users out of their systems in 150 countries, resulting in a worldwide digital hazard, took the spotlight as the worst cyber-attack of its kind (Mattei, 2017). Through a vulnerability in Microsoft Windows, hackers gained access to the victims’ systems and encrypted their files (Mattei, 2017). Even though Microsoft had released a patch two months before the incident, an array of essential governmental and commercial organisations had not updated their IT environments. FedEx, Deutsche Bahn, Telefónica, the Russian Central Bank, and the British NHS all fell prey to the malicious software, in addition to a variety of other organisations (Mattei, 2017).

Of particular interest is the hit on the NHS, which resulted in a reported € 100 million in damages to its counterpart in England (Field, 2018), in addition to an estimated 19,000 cancelled appointments (Morse, 2017). WannaCry did not specifically target the NHS, yet it was able to disrupt its services significantly (Martin, Ghafur, Kinross, Hankin, & Darzi, 2018). The NHS falling victim to malicious software fits a pattern. Currently, the healthcare industry is recognised as an easy target by cybercriminals (Spence, Bhardwaj, & III, 2018). This is mainly credited to two reasons: the importance for healthcare organisations of storing patient data, such as medical records, which are crucial to consult before conducting an operation, and weak IT security (Spence et al., 2018).

Through a study into data breaches concerning an increased mortality rate of acute myocardial infarction (AMI) victims, a “0.23-0.36 percentage point increase in 30-day AMI mortality rate was determined after a breach, effectively erasing a year's worth of improvement in the mortality rate” (Choi, Johnson, & Lehmann, 2019, P. 975). Besides, the consequences of a ransomware strike are expected to have a far more significant short-term effect than ordinary data breaches such as unauthorised access (Choi et al., 2019). While data on deaths caused by ransomware does not yet exist, it is plausible to assume lives are at stake when a ransomware assault succeeds, inclining healthcare institutions to pay the ransom (Mansfield-Devine, 2016). WannaCry is ransomware with a worm component, meaning it replicates itself and spreads through internal and external networks (Akbanov, Vassilakis, & Logothetis, 2019). Therefore, this type of ransomware will indiscriminately target as many machines as are linked to one another. After a kill-switch was discovered, the spread of the malware slowed down; however, at that point, the damage had been done (EY, 2017). Nevertheless, while the NHS in England suffered severely from the attack, a different impact was identified in other NHS organisations within the United Kingdom (UK) (O’Dowd, 2017). NHS Scotland experienced a moderate impact, and the NHS in Northern Ireland and Wales were not directly affected by the WannaCry ransomware assault (O’Dowd, 2017).

As the WannaCry strike makes evident, not all ransomware attacks can be prevented or mitigated. Thus, it is crucial to establish an understanding of what to do in case such an attack materialises and disrupts an organisation, certainly when the foundation of society is threatened in its wake. Through preparedness planning, an uncertain and potentially catastrophic event can be mitigated or reduced in impact; this is useful when it is not known when an event will happen and it is unclear whether the event can be insured against (Lakoff, 2007).

General cyber preparedness frameworks do exist; for example, the Massachusetts Institute of Technology Research & Engineering (MITRE) developed one (Bodeau, Graubart, & Fabius-Greene, 2010). However, these frameworks have not been tested with regard to ransomware preparedness, nor has a generally accepted ransomware preparedness framework been devised. Such a structure can serve as guidance for critical infrastructure such as healthcare institutions and hospitals. Moreover, through a framework, an accepted set of actions and procedures can be determined to prepare for when disaster strikes, mitigating the impact of ransomware attacks. Finally, policies regarding paying the ransom should be considered (Everett, 2016).

Chapter 1.1 – Research Question

A study released by the Scientific Council for Government Policy in the Netherlands (WRR) makes it apparent that preparedness planning is a vital component of a sound IT environment. The report found that when it comes to digital disruption through cyber strikes such as a ransomware attack, preparedness must improve, and that organisations, healthcare institutions, and governmental bodies are to this day not prepared to deal with the consequences of a successful ransomware assault (WRR, 2019). Nevertheless, organisations such as the NHS in the UK experienced significantly different levels of impact from one and the same agent.

In light of this information, the following research question is formulated:

How does preparedness planning shape the outcome of a ransomware attack?

Through a process-tracing study focused on multifinality, the different outcomes of the same WannaCry strike in 2017 can be analysed in relation to preparedness planning. Since the NHS in the UK experienced varying levels of impact from WannaCry, it is a suitable candidate for the proposed study. Since Wales and Northern Ireland were both unaffected by WannaCry, and the aim of this study is to review the difference in impact in relation to ransomware and preparedness planning, the nation of Wales is chosen as an object of interest, as together with England and Scotland it forms Great Britain (O’Dowd, 2017). Before mechanisms of causality can be established, these cases must first be analysed separately. Through this analysis, potential differences or similarities in preparedness planning will be identified, allowing for further investigation. Understanding the impact of the WannaCry attack serves as the starting point for the research. Therefore, the following sub-questions are formulated:

Sub-question 1: What was the impact of the WannaCry attack on the NHS GB?

Answering this question is critical to understand the outcome of the WannaCry attack, which is used to conduct a process-tracing study. Furthermore, it is essential to understand the extent of the methodology enforced by the NHS GB and its level of preparedness concerning the malicious software. Hence, the second sub-question is formulated:


This analysis allows comprehension of the design of the preparedness planning of the objects of interest. This understanding is the key to later on determining its relationship with the impact of the WannaCry strike. Nevertheless, examining the aspects of preparedness planning involved does not specify why the outcome occurred as it did. Thus, the following sub-question is formulated:

Sub-question 3: What led to the outcome of the WannaCry attack in the NHS GB?

Through examining this question, it will become evident whether, for example, Wales was unaffected by the WannaCry attack due to its preparedness planning, or whether a different reason can be established. It is expected this information does not yet suffice to determine a first ransomware preparedness framework. However, this input can serve as an initiating step in establishing a set of actions aligned with the preparedness methodology to mitigate the impact of a ransomware attack. Through interviews with cyber and ransomware experts, this first step can then be further developed, leading to the final sub-question:

Sub-question 4: How does preparedness planning translate to specific ransomware preparedness processes?

Chapter 1.2 – Academic and Social Relevance

Reducing the probability of damage to acquired values is noted as an essential aspect of security studies (Baldwin, 1997). Through this report, a comprehension of ransomware preparedness will be established, allowing for a reduced probability of damage to the acquired value of working information technology. Therefore, this question is of educational significance. Furthermore, understanding of how to prepare for a ransomware strike allows cybersecurity experts to compete with hackers in this arena. Moreover, ransomware preparedness may prevent social disruption since, for instance, the continuity of critical healthcare infrastructure can be safeguarded, making this a question of social relevance as well.

Chapter 1.3 – Organisation of the Thesis

The remainder of this report will outline the theoretical framework, the research design, the analysis, and the conclusion. In the conceptual framework, academic literature on preparedness planning will be reviewed. In the research design section, the choice of study, critical variables, data collection, the data analysis approach, and a justification for the chosen case will be presented. Moreover, in the analysis chapter, the results of the study will be shared. Finally, a conclusion providing an answer to the research question and hypotheses will be presented.


Chapter 2.0 – Theoretical Framework

Cybersecurity has been defined as “the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organisation and user’s assets” (Von Solms & Van Niekerk, 2013, P. 01). Combining this definition with Baldwin’s (1997) notion of security as a low probability of damage to acquired values, preparedness planning for the current cyber threat of ransomware fits squarely within the field of security studies. In this chapter, the theories relevant to examining the research question are presented.

Chapter 2.1 – Emergency Management

Striving to mitigate risks and prevent disaster from occurring is certainly not a novel concept; dealing with uncertainty can be traced back to early hieroglyphics thousands of years ago (Bullock, Haddow, & Coppola, 2017). Emergency management is defined as “The process by which communities identify the hazards to which they are exposed to and the physical (casualties and damage) and social (psychological, demographic, economic, and political) impacts these hazards might inflict, as well as assess and develop their capabilities to mitigate, prepare for, respond to, and recover from these impacts” (Lindell, 2013, P. 263). Besides, risk encompasses a broad array of issues and many different stakeholders, and includes five distinct disciplines: mitigation, response, recovery, communications, and preparedness planning (Bullock et al., 2017).

Chapter 2.2 – Preparedness Planning

Preparedness planning does not seek to ‘prepare’ in order to avoid risk; instead, it assumes risk will one day materialise and consequently plans for the disaster in order to mitigate its magnitude (Lakoff, 2007). This manner of thinking was first adopted in the context of national security in the U.S. through the 1947 National Security Act, which focused on domestic war preparedness (Lakoff, 2007). Such planning consists of goal setting, plan preparation, simulations, awareness and exercise training, and continuous evaluation of the process (Penuel, Statler, & Hagen, 2013). Crisis communication systems and early warning systems are also part of the array of preparedness techniques (Lakoff, 2007).

Chapter 2.2.1 – Challenges and Benefits of Preparedness Planning

Depending on the organisation, many stakeholders may be involved in preparedness planning. Cooperation between stakeholders is therefore vital; however, since the quality and extent of the collaboration between stakeholders strongly influences the level of preparedness, this is identified as a challenge (Penuel et al., 2013). Nevertheless, through preparedness planning, resilience against a threat such as ransomware can be significantly improved, reducing its potential impact (Gilbert, 2010). Moreover, proper preparedness planning allows for a much faster recovery to normalcy after a disaster, and it may significantly reduce the costs of an unplanned emergency compared to a scenario in which no preparedness planning exists.

Chapter 2.2.2 – Preparedness planning in Relation to Ransomware and Cybersecurity

Frameworks for cyber preparedness exist; however, they have not been explicitly designed for ransomware, so their implications for ransomware assaults are ambiguous. It therefore remains unclear whether existing cybersecurity structures are sufficient to prepare for the mitigation of a successful ransomware assault. Moreover, it is currently not known which aspects of general and cyber preparedness are most critical to reducing the probability of damage to acquired values. While preparedness techniques are not a novel concept, translating a technique such as an early warning system into a ransomware-specific implementation can increase the cybersecurity capabilities of an organisation. Preparedness planning also follows a specific life-cycle (see Appendix C).

Chapter 2.2.3 – General Preparedness Techniques

There is a multitude of preparedness techniques known to mitigate the impact of a materialised crisis. In Table 2.1, the crucial preparedness techniques are listed. Preparedness is defined as “the measurable relation of capabilities to vulnerabilities, given a selected range of threats” (Lakoff, 2007, P. 267).

Table 2.1. Preparedness Techniques. Adapted from Lakoff (2007).

Preparedness Techniques:
Scenarios and simulations
Early warning systems
Stockpiling of relief supplies
Plans for coordinating response among involved entities
Crisis communications systems
Metrics for readiness assessment

Through simulations, the emergency response mechanisms are put to the test, which generates valuable insights into the capability and knowledge levels available to deal with a specific crisis (Lakoff, 2007). To deal with a particular disaster, a scenario-based simulation is best utilised. Such approaches to preparedness hold the potential to reveal weaknesses and strengths in the current methods designated to deal with it. Furthermore, one could argue that if such an exercise reveals flaws, leaders are incited to release funds to improve preparedness planning (Lakoff, 2007).

Early warning systems are used as an indicator of emerging danger. Through this information, a party can act appropriately to mitigate the impact of that danger (Basher, 2006). For this paper, the following definition of early warning systems will be used: “the provision of timely and effective information, through identified institutions, that allows individuals exposed to a risk to take action to avoid or reduce their risk and prepare for effective response” (Basher, 2006, P. 2168). To be effective, an early warning system has four crucial features: (1) ‘risk knowledge’, a comprehension of the relevant risks and the vulnerabilities that accompany them; (2) ‘monitoring and warning service’, the technical capabilities to monitor, forecast, and warn of a threat; (3) ‘dissemination and communication’, the distribution of accurate and comprehensible information concerning the hazard; and (4) ‘response capabilities’, the knowledge, plans, and capabilities to take action (Basher, 2006).

Crisis communications systems are a vital component of the preparedness methodology. Such a mechanism is critical during a crisis to ensure organisational leadership as well as internal and external communications (Bernstein, 2013). If a functioning crisis communication system is not in place, the operational response will break down, and stakeholders and other parties will not comprehend what is unfolding and may react negatively. A damaged reputation and an increased resolution timeframe can also be consequences (Bernstein, 2013).
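To make the four early-warning features described above concrete for the ransomware case, the following Python sketch is an added example and not part of the thesis or of Basher’s work. It replays constructed file-server activity logs through a small monitor in which the indicator definitions play the role of risk knowledge, a per-host sliding window is the monitoring and warning service, a formatted message is the dissemination step, and a pre-agreed playbook entry attached to each alert stands for the response capability. The log format, the indicator values (suspicious extensions, ransom-note name markers, a decoy ‘canary’ file), the thresholds and the playbook text are all assumptions made for illustration.

```python
"""Ransomware early-warning monitor (added example, not from the thesis).

Maps Basher's four early-warning features onto code:
(1) risk knowledge   -> the indicator definitions below,
(2) monitoring       -> EarlyWarningMonitor.observe(),
(3) dissemination    -> format_warning(),
(4) response         -> the pre-agreed PLAYBOOK action attached to each alert.
All log lines, indicators, thresholds and playbook texts are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# (1) Risk knowledge: behaviours that typically accompany crypto-ransomware.
SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt")   # constructed examples
RANSOM_NOTE_MARKERS = ("decrypt", "readme", "how_to_restore")   # constructed examples
CANARY_PATHS = {"/srv/share/finance/~canary.xlsx"}              # constructed decoy file
BURST_THRESHOLD = 20                  # renames to a suspicious extension ...
BURST_WINDOW = timedelta(seconds=30)  # ... from one host within this window

# (4) Response capabilities: actions the preparedness plan pre-authorises.
PLAYBOOK = {
    "rename_burst": "Isolate host; suspend the user's share access; snapshot the file server.",
    "canary_modified": "Isolate host; page the incident commander.",
    "ransom_note": "Isolate host; preserve the note for forensics; verify offline backups.",
}


def parse_line(line):
    """Parse a constructed 'ISO-timestamp host user op path' log line."""
    ts, host, user, op, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "op": op, "path": path}


class EarlyWarningMonitor:
    """(2) Monitoring and warning service: per-host sliding-window detector."""

    def __init__(self):
        self.renames = defaultdict(deque)  # host -> timestamps of suspicious renames
        self.alerts = []

    def _alert(self, kind, event, severity):
        return {"kind": kind, "severity": severity, "host": event["host"],
                "user": event["user"], "ts": event["ts"].isoformat(),
                "evidence": event["path"], "action": PLAYBOOK[kind]}

    def observe(self, event):
        """Evaluate one event; return the alerts it raised (usually none)."""
        raised = []
        path = event["path"].lower()
        name = path.rsplit("/", 1)[-1]
        # Any change to a decoy file is a strong signal: legitimate users never touch it.
        if path in CANARY_PATHS and event["op"] in ("write", "rename", "delete"):
            raised.append(self._alert("canary_modified", event, "critical"))
        # Ransom notes are dropped as new files with tell-tale names.
        if event["op"] == "create" and any(m in name for m in RANSOM_NOTE_MARKERS):
            raised.append(self._alert("ransom_note", event, "critical"))
        # Mass renaming to an unusual extension is the encryption loop at work.
        if event["op"] == "rename" and path.endswith(SUSPICIOUS_EXTENSIONS):
            window = self.renames[event["host"]]
            window.append(event["ts"])
            while window and event["ts"] - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) == BURST_THRESHOLD:  # fire once, when the threshold is first crossed
                raised.append(self._alert("rename_burst", event, "high"))
        self.alerts.extend(raised)
        return raised


def format_warning(alert):
    """(3) Dissemination: one plain line the crisis communication team can relay."""
    return (f"[{alert['severity'].upper()}] {alert['ts']} host={alert['host']} "
            f"user={alert['user']} indicator={alert['kind']} "
            f"evidence={alert['evidence']} -> {alert['action']}")


def run_monitor(lines):
    """Replay log lines through a fresh monitor and return every alert raised."""
    monitor = EarlyWarningMonitor()
    for line in lines:
        monitor.observe(parse_line(line))
    return monitor.alerts


def sample_log():
    """Constructed log: routine edits on ws-02, then a ransomware-like burst on ws-17."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = [f"{stamp(i)} ws-02 alice write /srv/share/report{i}.docx" for i in range(5)]
    lines += [f"{stamp(10 + i)} ws-17 bob rename /srv/share/finance/q1_{i}.xlsx.locked"
              for i in range(25)]
    lines.append(f"{stamp(36)} ws-17 bob write /srv/share/finance/~canary.xlsx")
    lines.append(f"{stamp(37)} ws-17 bob create /srv/share/finance/README_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for alert in run_monitor(sample_log()):
        print(format_warning(alert))
```

Running the block prints three warnings for the constructed host ws-17 (the rename burst first, then the decoy-file write, then the ransom note) and none for the routine activity. In practice the indicator set and the burst threshold would be tuned against the organisation’s own file-activity baseline, which is precisely the ‘baseline’ element of the readiness metrics discussed later in this chapter; the playbook text is what the plans for a coordinated response should already have agreed before any alert fires.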

Several steps are essential when it comes to crisis communications systems. For this study, the pre-crisis mechanisms are critical and will be addressed. First, a crisis must be anticipated. This allows for an understanding of which disasters potentially threaten the organisation, which in turn allows for the development of scenario-based responses (Bernstein, 2013). Second, the crisis communication team should be appointed, including the top executives and experts with specific knowledge concerning the identified crisis (Bernstein, 2013). Third, spokespersons should be trained as the authorised personnel who communicate during an emergency; it is crucial they have the right skills, the right position, and training (Bernstein, 2013). Fourth, notification and monitoring systems should be established. These enable reaching the appropriate stakeholders while simultaneously gathering the intelligence required to communicate about the crisis (Bernstein, 2013). Fifth, it is therefore crucial to understand who the relevant stakeholders are; this goes far beyond the scope of employees (Bernstein, 2013). Sixth, general statements to be used immediately after a crisis emerges and during the crisis can be designed in anticipation (Bernstein, 2013).


Stockpiling of relief supplies is another critical component of preparedness planning. It is identified as one of the most difficult techniques to manage, since information on availability is often unknown and the delivery of supplies through third parties can be unpredictable (Davis, Samanlioglu, Qu, & Root, 2013). Moreover, since many actors are involved, an emphasis on coordination is critical in stockpiling relief supplies (Davis et al., 2013). Two aspects are crucial: location and the determination of inventory quantity. The location problem has been defined as follows: “The objective is to minimise the average response time required to transport items from selected preposition warehouses or global suppliers to a regional demand location” (Davis et al., 2013, P. 563). Furthermore, through a scenario-based mathematical model, the quantity of required stock can be identified, resulting in an adequate relief supply (Davis et al., 2013).

As was briefly touched upon in the previous paragraph, managing multiple parties is a difficult task. Thus, plans for coordinating the response among associated entities are another essential factor of preparedness planning. Through an Incident Command System (ICS), disaster responses can be orchestrated and coordination among the involved entities can be arranged (O'Neill, 2005). The concept of an ICS is based on five principles: (1) early adoption, before the crisis spirals out of control; (2) commitment to the ICS by all responders and relevant parties; (3) uniformity of the structure of the ICS and the assignment of experts to key positions; (4) a modular structure, allowing for adaptations such as adding or removing an entity as the crisis develops; and (5) standardised communication, titles, and terminology procedures (O'Neill, 2005). In addition, hierarchy is crucial within the ICS. The incident commander is responsible for the response and organises the disaster activities. Moreover, safety officers are accountable as the point of contact for the media and for information dissemination, while the liaison officer coordinates efforts with other parties (O'Neill, 2005). Finally, in larger crises, a designated responsible party for operations, planning, logistics, and finance may be appointed. Everyone reports to the incident commander (O'Neill, 2005).

The final preparedness technique touched upon is metrics for readiness assessment. This is realised by analysing the performance of capabilities, preparedness, and readiness (Doherty, 2004). It is critical to evaluate performance, since without assessment it is impossible to understand where to improve preparedness planning (Doherty, 2004). Furthermore, training protocols can be developed, and the need for training can be identified (Doherty, 2004). For a complete understanding of present performance levels and for predicting future performance levels, it is crucial to assess five elements (Doherty, 2004): (1) the baseline, understanding the starting point of the capabilities, preparedness, and readiness; (2) trends, to understand whether procedures deviate from the chosen course of action; (3) control, to comprehend whether the crisis is handled within the defined boundaries; (4) diagnostics, metrics and performance measures to recognise areas that have a possibility to break down or delay the crisis operation; and (5) planning, through which planning performance measures give insights into appropriate preparation for a future crisis (Doherty, 2004).

Chapter 2.2.4 – Cyber Preparedness Techniques

As recognised in Chapter 1, general cyber preparedness frameworks exist. The MITRE Cyber Preparedness framework identifies five levels of adversaries with an increasing degree of capabilities, intent, and technical sophistication, and proposes specific defence mechanisms for each level (Bodeau et al., 2010). Three factors characterise the cyber preparedness levels: (1) the calibre and intent of the digital threat; (2) the technical and operational capabilities of the organisation that seeks preparedness; and (3) the process capabilities through which the organisation assesses its cyber threat level in light of the threat it faces (Bodeau et al., 2010).

Table 2.2. Cyber Threat and Preparedness Levels. Adapted from Bodeau, Graubart, & Fabius-Greene (2010).

Level | Cyber Threat Level | Cyber Preparedness Level | Typical Actor
1 | Cyber Vandalism | Perimeter Defence | Hackers, small disaffected groups
2 | Cyber Theft/Crime | Critical Information Protection | Political activists, terrorists, domestic insiders, industrial espionage
3 | Cyber Incursion/Surveillance | Responsive Awareness | Nation-state government entity, sophisticated terrorist group, professional organised criminal enterprise
4 | Cyber Sabotage/Espionage | Architectural Resilience | Professional intelligence organisation or military service operative
5 | Cyber Conflict/Warfare | Pervasive Agility | Nation-state military, possibly supported by their intelligence service; sophisticated and capable insurgent or terrorist group


The different preparedness levels all come with a different organisational perspective, organisational objective, as well as a specific corporate strategy (Bodeau et al., 2010).

Table 2.3. Characteristics Associated with Cyber Preparedness Levels. Adapted from Bodeau, Graubart, & Fabius-Greene (2010).

Preparedness Level | Organisational Perspective | Organisational Objective | Organisational Strategy
Level 1 Foundational Defence | The cyber threat is mainly external, and perimeter defence can keep the enemy at bay | Focus on known external attacks and minor internal incidents | Establish and defend the information system perimeter. Focus on protecting against malware and unauthorised internal access. Utilises commercial security products in response
Level 2 Critical Information Protection | Emphasises identifying and safeguarding crucial data, whether internal, external or merely on the perimeter of the organisation | Focused on the prevention of loss of critical information | Critical data is first assessed and then protected, no matter its location. The data is protected through encryption, identification, authentication, and access control mechanisms
Level 3 Responsive Awareness | Adversaries are identified as penetrating the organisation's digital infrastructure, and it is no longer assumed that depending on a perimeter defence solution suffices to protect the internal information technology systems. Thus, an emphasis on awareness to promptly identify and respond to penetrations | Adversaries are stopped from gaining access to the information technology solutions in any form or way | Detection solutions are utilised to allow for a swift response to targeted attacks aimed at the organisation's information systems. In addition, procedures to understand the methods of the adversary are in place
Level 4 Architectural Resilience | Understands that sooner or later an adversary will gain unauthorised access to critical information systems and expects that not all attempts can be detected. Also, mechanisms to safeguard operational capability in the face of a materialised attack are established | Hampers attempts to extract critical data, maintains operations, and minimises the damage of an attack | Systems are designed and operated from the perspective that they limit the potential loss of data while simultaneously safeguarding the continuity of the information systems. Finally, recovery after an attack is crucial
Level 5 Pervasive Agility | It is expected that adversaries are continuously devising schemes to gain access to the organisation's digital infrastructure, which eventually will lead to a loss of control of critical systems. Furthermore, it is expected that data will inevitably be modified or misleading, thus emphasising the need for agility and flexibility in order to guarantee organisational continuity | Safeguard organisational continuity and adapt to current and future successful attacks | Focused on an extremely agile, adaptive, and flexible method of dealing with cyber-attacks in all aspects of the organisation, allowing for the dynamic reshaping of the information technology environment when faced with a successful attack

Chapter 2.3 – Hypotheses

Through existing literature, it becomes evident that preparedness planning holds the potential to mitigate the damage inflicted by a successful ransomware strike.

Thus, the first hypothesis of this study reads:

H1: preparedness planning positively affects the mitigation of a ransomware attack.

Nevertheless, even though preparedness planning is expected to have a positive effect on the outcome of a ransomware strike, the NHS GB experienced diverging levels of impact and damage. Therefore, the second hypothesis reads:

H2: different techniques of preparedness planning have a different effect on the same ransomware adversary.

Finally, since there is a multitude of different cyber preparedness levels, it is assumed that this has an impact on the success of a materialised ransomware strike. For this reason, the final hypothesis reads:

H3: a higher level of preparedness, as outlined in table 2.3, allows for a better response regarding a successful ransomware attack.


Chapter 3.0 – Research Design

Now that the relevant theories have been identified, it is critical to operationalise them. Therefore, this chapter outlines the research approach. In addition, the selected cases will be further justified in this section. Furthermore, the data collection methods, as well as the analysis of the data, will be presented. Finally, the limitations of the study will be shared.

Chapter 3.1 – Research Approach

Since data on ransomware preparedness is not readily available, nor is there a benchmark framework or theory accessible, a qualitative research approach is proposed. This method was selected since rich data must be generated in detail and in the correct context to be useful (Maxwell, 2012). First, a process-tracing study is conducted to examine the extent to which preparedness planning mechanisms were present at the NHS GB when WannaCry affected it. This will allow for an in-depth understanding of the relationship between preparedness planning and ransomware in the selected case. Once this part of the research has been completed satisfactorily, interviews with cyber experts are conducted to devise a set of specific ransomware preparedness planning measures.

Chapter 3.2 – Single Case Study

To conduct a process-tracing study, it is essential to comprehend the background of the object of analysis. Therefore, it is critical to conduct a case study, as it allows for an understanding of the circumstances surrounding the object of analysis and provides the necessary material to answer the research question (Gustafsson, 2017). A case study is defined as “research focused on one or several cases that are explored in-depth, integrates diverse styles of observable evidence, and potentially sheds light on a broader population, which it represents in an imperfect manner” (Gerring & Cojocaru, 2016, P. 03).

Through a single case study with embedded units, the researcher can examine an event while taking into consideration the data within the case review (Gustafsson, 2017). This enables the researcher to look at subunits found in the main study (Gustafsson, 2017). Considering that the NHS GB is reviewed by studying different NHS components (Scotland, Wales, and England), this is a perfect fit. Furthermore, examining the NHS GB allows for potential within-case variations to come to light (Gerring & Cojocaru, 2016).


Chapter 3.3 – Case Selection

Case selection has a critical role in conducting a case study (Gerring & Cojocaru, 2016). This is certainly the case when the selected case is examined in the context of process-tracing research. As this report aims to establish how preparedness planning shapes the outcome of a ransomware strike, it is of pivotal importance to review a materialised ransomware attack for which an abundance of data is available. Furthermore, examining the same ransomware attack, which had a different outcome for multiple involved entities, allows for a review of the result in relation to preparedness planning. Thus, an appropriate case to study would be one that (a) is interconnected to other cases hit by the same ransomware attack; (b) experienced a difference in the level of impact; (c) is a similar organisation to the other cases; (d) is well-documented.

Data is a significant issue when it comes to thoroughly recorded cases of ransomware vis-à-vis preparedness planning. Organisations, in general, do not want to make their adversary any wiser and fear reputational damage; therefore, they are incentivised to keep information about cyber attacks, including ransomware strikes, confidential. However, since the WannaCry outbreak also hit governmental institutions, which must report to the public on any critical developments, the NHS in GB has disclosed documents including data on the preparedness planning utilised during the WannaCry strike. An example is the published document ‘Investigation: WannaCry cyber attack and the NHS’ by Morse (2017) on behalf of the Department of Health.

However, while it is relatively easy to gather data on reported failures regarding ransomware preparedness planning, it is exceedingly difficult to obtain information concerning the application of successful preparedness planning. It is assumed that this is because organisations do not benefit from sharing their preparedness capabilities. Furthermore, proper preparedness may also make an adversary come across as insignificant, making it unnecessary to report to the outside world. As was mentioned in section 1.0, Wales was unaffected by the WannaCry attack. Nevertheless, there is data available on the WannaCry attack and its impact on the nation of Wales. For this reason, the NHS in Wales is an appropriate candidate. Moreover, Scotland was affected on a moderate level. Since Scotland was impacted by WannaCry, extensive documentation in the form of official audits was released by the government.

These cases have much in common: they are similar governmental organisations, operate in the same ransomware-prone industry, and were all hit by the same ransomware outbreak at the same time. The only major difference is the dissimilarity in the outcome. Therefore, the case of the NHS GB is an excellent choice to compare, examine, and understand how preparedness planning shapes the outcome of a ransomware strike.


Chapter 3.3.1 – Comprehending the Cyber Threat of WannaCry

To examine the extent to which preparedness planning affected the outcome of the ransomware attack on the NHS GB, the threat of WannaCry must first be comprehended. According to the theory of Bodeau et al. (2010), there are five levels of cyber threat. These levels range from level 1 ‘cyber vandalism’ caused by small disaffected groups to level 5 ‘cyber conflict or warfare’ involving nation-state military, possibly supported by intelligence services (Bodeau et al., 2010).

On December 19, 2017, the United States of America officially attributed the WannaCry attack to North Korea. In a press conference, White House Homeland Security Advisor Mr Bossert stated that after a thorough investigation, Microsoft was able to trace the malicious software back to a cyber group affiliated with the North Korean government (Bossert, 2017). The organisation Mr Bossert referred to in his press release is the Lazarus group, a state-sponsored hacking division active since at least 2009 in order to generate funds to advance the North Korean agenda (Guerrero-Saade & Moriuchi, 2018).

The evidence for the involvement of the Lazarus group and the North Korean state lies in the similarities in form and structure between the WannaCry virus and other malicious software previously attributed to the Lazarus group (Trautman & Ormerod, 2018). In addition, “common malware code libraries, IP addresses, email and social media accounts, proxy services, stolen credentials, and spreading WannaCry through the same infrastructure as previous cyber-attacks” were all reported as evidence pointing to the Lazarus group (Trautman & Ormerod, 2018, P. 528).

Through a review of the presented evidence, the party responsible for the WannaCry virus, the Lazarus group, is determined to be a cyber threat of level 3. This is because the Lazarus group goes beyond a loosely affiliated group or ideological activists, which constitute a level 2 threat. Nevertheless, the group is not a professional intelligence organisation or military service, which is the typical actor of level 4 (Bodeau et al., 2010). A level 3 threat, ‘cyber incursion and surveillance’, is attributed to nation-state government entities or professional organised criminal enterprises (Bodeau et al., 2010). One of the typical intents associated with this type of attacker is identified as “to obtain or modify specific information and to disrupt cyber resources” (Bodeau et al., 2010, P. 06). Since the WannaCry virus was explicitly developed to encrypt the files of its victims in order to obtain cryptocurrency, the typical defined intent matches the outcome of the WannaCry attack impacting the NHS GB.


A level 3 cyber threat requires a corresponding level of cyber preparedness, namely cyber preparedness level 3. Cyber preparedness level 3 identifies ‘responsive awareness’ as an appropriate degree of readiness against such a cyber adversary (Bodeau et al., 2010). For the NHS GB, this means that it should comprehend that adversaries try to penetrate the organisation’s IT environment, that perimeter defence is no longer sufficient to protect its data, and that a high degree of awareness to identify and respond to transpiring events is required (Bodeau et al., 2010). Also, it should focus on deterring hackers from entering the IT systems through a strategy revolving around capabilities to detect and respond to a potential threat (Bodeau et al., 2010).

Chapter 3.4 – Data Collection

Process-tracing is a fundamental tool in the arsenal of the qualitative researcher (Collier, 2011). It is defined as “the systematic examination of diagnostic evidence selected and analysed in light of research questions and hypotheses posed by the investigator” (Collier, 2011, P. 823). Analysing the chosen cases through this method allows for the evaluation of causal claims, which is of pivotal importance to answer the main research question (Collier, 2011). Moreover, process-tracing provides for a thorough examination of a potential causal mechanism between preparedness planning on the one hand and mitigation of the impact of a ransomware attack on the other (Beach & Pedersen, 2013). There are three types of process-tracing. Two variants deal with theory testing, and a third option is aimed at explaining the outcome of a case-centric scenario (Beach & Pedersen, 2011). Since the focus of this study is to understand how ransomware preparedness planning shapes a particular outcome, the third variant is chosen as the method for data collection.

Chapter 3.4.1 – Causal Mechanisms

In the previous section, process-tracing was associated with establishing causal mechanisms. A causal mechanism has been defined as “a set of minimal conditions and events that inevitably produce a specific outcome” (Rothman & Greenland, 2005, P. 144). In this definition, it is essential to note that ‘minimal’ refers to the acute conditions that are required to arrive at a conclusion (Rothman & Greenland, 2005). However, it is critical to note that the concept of causal mechanisms is highly debated (Blatter & Haverland, 2012). Nevertheless, a working definition is of pivotal importance when conducting research. Thus, for this study, the definition established by Rothman & Greenland (2005) will be adopted.

Furthermore, “a causal mechanism refers to a causal configuration that links generic social mechanisms in a multi-level model of causation” (Blatter & Haverland, 2012, P. 95). In order to establish a causal mechanism, three types of social mechanisms are required. They are: (1) the situational mechanism; (2) the action-formation mechanism; and (3) the transformational mechanism (Blatter & Haverland, 2012). In addition, there is an input and an outcome (Blatter & Haverland, 2012). The situational mechanism refers to a specific scenario or situation to which an individual or organisation is exposed. The situation has a particular effect on the behaviour of the individual or organisation on a macro level (Hedström & Swedberg, 1998). The action-formation mechanism is located at the micro level. It is associated with a combination of desires, beliefs, and opportunities that generate a specific action (Hedström & Swedberg, 1998). The final mechanism, the transformational mechanism, refers to the transition back from the micro level to the macro level. It transforms the action formulated in the second mechanism into a certain outcome. This outcome can be intended or unintended (Hedström & Swedberg, 1998).

Figure 3.1. Typology of Social Mechanisms. Adapted from Hedström & Swedberg (1998).

In addition to the typology of social mechanisms, necessary and sufficient conditions are important to understand in relation to the outcome of concern. These conditions refer to whether a cause is required for an outcome in configurational thinking (Blatter & Haverland, 2012). A necessary condition is one where the causal factor (X) is fundamental to the outcome (Y). Thus, outcome Y can only exist when condition X is present. However, if X exists, Y does not have to occur. Therefore, Y cannot occur without the presence of X, but the presence of X does not imply that Y takes place (Blatter & Haverland, 2012). In contrast, a causal factor (X) is recognised as a sufficient condition if the outcome (Y) always materialises when X is present. However, Y can also occur when X does not occur (Blatter & Haverland, 2012). Thus, X leads to Y, but Y can happen without the presence of X (Blatter & Haverland, 2012).


Chapter 3.4.2 – Types of Evidence in Process-Tracing

In process-tracing studies, four different types of evidence are relevant. They are: (1) pattern evidence; (2) sequence evidence; (3) trace evidence; and (4) account evidence (Beach & Pedersen, 2013). Pattern evidence is concerned with statistical patterns, such as statistical data (Beach & Pedersen, 2013). Sequence evidence is related to the chronology of events. It implies, for example, that causal mechanism X took place after a certain event (Beach & Pedersen, 2013). Trace evidence confirms whether a mechanism or part of it exists; for example, the minutes of a meeting provide proof that the meeting took place (Beach & Pedersen, 2013). Finally, account evidence is associated with the content of empirical data (Beach & Pedersen, 2013). For example, the meeting minutes from the trace evidence example can be analysed to comprehend what was discussed during the meeting, going beyond proving that the meeting took place (Beach & Pedersen, 2013).

Chapter 3.4.3 – Evaluating the Strength of the Evidence

After the causal mechanisms and configurations are established, it is critical to evaluate the strength of the different types of evidence found. If it is expected that X is a mechanism leading to Y, there should be observable evidence (Beach & Pedersen, 2013). When it comes to testing the strength of process-tracing evidence, two aspects are analysed, certainty (disconfirmatory power) and uniqueness (confirmatory power) (Beach & Pedersen, 2013). When finding evidence, the confidence in a correct hypothesis established in the causal mechanisms increases. Besides, when no evidence is found, the confidence in the theory decreases (Beach & Pedersen, 2013). Furthermore, if the evidence is highly unique, the confidence in a certain mechanism also increases (Beach & Pedersen, 2013).

Four different types of tests exist in process-tracing. They are (1) the straw-in-the-wind test; (2) the hoop test; (3) the smoking-gun test; and (4) the doubly decisive test (Collier, 2011). The straw-in-the-wind test is the weakest of the four. Passing this test affirms the relevance of the hypothesis; however, it does not confirm it. In addition, failing the test does not mean the hypothesis is no longer possible (Collier, 2011). An example is reviewing whether ideas or other interests were of significant importance concerning the Soviet non-use of violence in 1989 by only considering the political views of Gorbachev (Beach & Pedersen, 2013). The political beliefs of one person, no matter how powerful, cannot tell the complete picture of whether interests or other ideas were essential in Soviet policymaking (Beach & Pedersen, 2013).

In contrast, failing the hoop test does imply that the hypothesis is false. Nevertheless, passing it affirms the relevance of the hypothesis but does not confirm it (Collier, 2011). Such a test involves certainty but not uniqueness (Beach & Pedersen, 2013). For example, if a murder suspect was in town on the day of the murder, this affirms the relevance of the hypothesis but does not necessarily prove it. However, if the murder suspect was out of the country on the day of the murder, the test is failed, and the hypothesis is eliminated (Beach & Pedersen, 2013). The smoking-gun test offers a low degree of certainty; however, its evidence is highly unique and therefore rare (Beach & Pedersen, 2013). Passing the test strongly confirms the hypothesis; however, failing it does not eliminate the hypothesis (Collier, 2011). Finally, the doubly decisive test offers the greatest proof. Passing this test immediately confirms the hypothesis and eliminates any other hypothesis (Collier, 2011). In addition, failing the test rejects the theory (Collier, 2011). A doubly decisive test is, for example, the recording of a surveillance camera at a crime scene. If the suspect is recognised on the tape, it is certain that they did it. In addition, if they are not identified, it is then evident that they are not the murderer (Beach & Pedersen, 2013).


Chapter 3.4.4 – Interviews

After the process-tracing component is completed, primary research to establish appropriate preparedness planning for ransomware will supplement the findings. Interviews with ransomware experts will allow for valuable contributions towards devising a set of ransomware preparedness mechanisms based on the preparedness methodology shared in the previous section.

This qualitative research approach is most appropriate for obtaining information that is not yet available (Silverman, 2016). To reach a satisfactory conclusion, it is advised to hold interviews until saturation is achieved and no new insights are collected from further interviews (Baker, Edwards, & Doidge, 2012). The type of interview also matters for the collection of appropriate data (Alshenqeeti, 2014). A structured interview approach is best utilised when the researcher seeks to answer yes-or-no questions; in contrast, a semi-structured method is best adopted when flexibility in the interviewee's responses is crucial (Alshenqeeti, 2014).

Therefore, the semi-structured approach to interviewing will be used to gather data. This will allow the interviewees to elaborate on their justification of preparedness planning concerning ransomware and is thus best suited for the proposed in-depth interviews. To allow for clarity and to ensure that the interpretations of the conducted interviews are value- and bias-free, all interviews will be transcribed (Lee, 2004). Also, the availability of the interview transcripts will significantly improve the validity of the research, as the results can more easily be checked with the interviewees (Lee, 2004).

The interviews will be conducted with cyber and ransomware experts. This is because, at the time of conducting the research, a consultancy firm has agreed to allow its employees, if they consent, to be interviewed. However, this approach does come with a set of limitations and advantages that have to be clarified. All interviewees work for the same organisation; thus, they work with the same methodology, receive similar training, and are part of the same corporate culture. Therefore, one can argue that a particular bias is introduced during the interviews. Nevertheless, this method of interviewing also has a significant benefit: it grants access to highly knowledgeable specialists who, without this exclusive access, may not have agreed to be interviewed.


Chapter 3.5 – Data Analysis

Analysing the results of the process-tracing study is achieved by establishing a sufficient explanation for why the NHS GB faced a dissimilar outcome of an identical cyber threat (Beach & Pedersen, 2013). This is done by taking into consideration the systematic parts as well as the case-specific components. Even though this is a case-centric approach, it will allow for potential systematic mechanisms to be researched in different cases (Beach & Pedersen, 2013).

Furthermore, to analyse the qualitative data gathered during the interviews, the transcribed interviews will be carefully examined. Through the grounded theory methodology, one interview can be compared to the others to develop conceptualisations of similarities between the interviews (Thorne, 2000). These similarities can then be used to make sense of the translation of the general cyber preparedness framework to ransomware.

Chapter 3.6 – Limitations and Reliability

However, the proposed study does have limitations. A single case study will be conducted; thus, its generalisability is debatable (Shanks & Parr, 2003). Nevertheless, a case study allows for an in-depth comprehension that gives valuable insights; “understanding one instance in depth can offer universal understanding that study of millions of cases cannot” (Easton, 2010, P. 15). Due to the nature of the proposed research and the limited available secondary data on the topic of specific ransomware preparedness planning, answering the main research question will depend solely on the analysis of the process-tracing elements. Also, the data obtained in the interviews cannot be verified against existing sources.

Moreover, the quality of the research depends heavily on the level of knowledge of the interviewed experts. Thus, carefully selecting participants is of pivotal importance; if the interviewees have limited experience with ransomware in relation to preparedness planning, the reliability of the study will be affected. However, the validity of the conducted interviews will be safeguarded by transcribing the interviews and by meticulous record-keeping, allowing a clear decision trail and ensuring value-free interpretations of the data (Stiles, 1993). Furthermore, the respondents are asked to validate their interview transcript, and their comments will be included in the final report, improving the trustworthiness of the findings (Stiles, 1993). Finally, this study is repeatable from the perspective that the process-tracing component can be replicated. Another researcher, even one with a basic understanding of ransomware and cybersecurity, can repeat it to test its validity. However, since another researcher may not have access to the same experts when it comes to the interviews, this component of the research can be considered of lower repeatability.

The proposed process-tracing study has its limitations as well. Since process-tracing depends on consistency between the hypothesis and the observed outcome, interpretation becomes a factor which possibly leads to bias (Schimmelfennig, 2015). Furthermore, a single case study will be conducted; thus, its generalisability is debatable (Shanks & Parr, 2003). Nevertheless, a case study allows for an in-depth comprehension that gives valuable insights; “understanding one instance in depth can offer universal understanding that study of millions of cases cannot” (Easton, 2010, P. 15). Moreover, since the comparative analysis in this study focuses on the NHS GB, confidence in the relationship between the analysed variables is lower than in a study with a larger sample size (Schimmelfennig, 2015). Furthermore, the external validity of the generated causal inferences is low. Nevertheless, it is essential to note that a process-tracing study does not seek to produce this; it maximises internal validity at the cost of lower generalisability (Schimmelfennig, 2015).


Chapter 4.0 – Analysis

In this section, the theoretical framework will be operationalised. In addition, data gathered from primary and secondary sources will be analysed. The purpose of this chapter is to answer the sub-questions established in chapter 1.1 in order to arrive at a conclusion to the proposed research question.

Chapter 4.1 – The Impact of the WannaCry Attack Vis-à-Vis the NHS GB

To conduct a process-tracing study, it is vital to comprehend the ‘result’ or outcome of a certain event to establish causal mechanisms. Therefore, this section is devoted to understanding the impact of the WannaCry attack concerning the NHS GB.

Chapter 4.1.1 – NHS England

The WannaCry ransomware strike was first deemed a major incident by NHS England at 4 pm on 12 May 2017 (Morse, 2017). The same night, the attack was abruptly stopped by a cybersecurity expert activating a kill-switch (Ghafur, Kristensen, Honeyford, Martin, Darzi, & Aylin, 2019). Nevertheless, the malicious software affected NHS England services for one week, and the situation was finally remedied by 19 May 2017 (Morse, 2017). NHS England is an organisation consisting of 236 trusts. The WannaCry attack had an impact on 80 of the 236 trusts (Morse, 2017). This impact is identified either as (1) a direct result of being infected by the malicious software, or as (2) an indirect effect, where trusts chose to turn off their IT systems as a preventive measure, resulting in a scenario where services could not be continued (Morse, 2017).

Of the 80 affected trusts, 34 were infected, and their IT systems were compromised. This resulted in users being locked out of their devices (Ghafur et al., 2019). The other 46 were not infected by the WannaCry virus; rather, they resorted to pen and paper and halted the use of electronically assisted activities (Ghafur et al., 2019). In addition, in 21 trusts the information technology environment was observed trying to establish a connection with the WannaCry domain. Nevertheless, these trusts did not face any consequences. This is likely because the trusts became infected after the kill-switch was activated, or because the observed connection was part of a trust’s own cybersecurity procedure (Morse, 2017).


Figure 4.1. Impacted Trusts Per Category.

The infected trusts were exposed to two major types of disruption in their services. Namely, (1) staff were no longer able to access systems and devices critical for providing services, which resulted in no access to medical files (Morse, 2017). In addition, (2) medical equipment and instruments were no longer operable since the connected IT environment was locked (Morse, 2017). Thus, medical experts at the affected trusts experienced significant disruption in the radiology and pathology departments, as these heavily rely on IT systems (Morse, 2017).

It is estimated that over 19,000 appointments were cancelled as a direct result of the WannaCry strike (Morse, 2017). Nevertheless, there are no reported cases of patients being harmed or wrongfully treated as a result of the digital virus (Morse, 2017). In addition, no patient information was reported as stolen or compromised; this was mainly attributed to the belief that the WannaCry attack was not aimed at obtaining information (Morse, 2017).

Furthermore, emergency care for patients was affected. Within NHS England, 139 patients with an appointment to be checked for potential cancer could not be attended to, and the appointments were cancelled (Morse, 2017). In addition, some patients had to travel to other medical institutions, resulting in an increase in travel, as five hospitals had diverted services (Morse, 2017). Nevertheless, no increase in mortality rates was reported amongst any of the infected and affected trusts (Ghafur et al., 2019).

[Figure 4.1: bar chart of the number of NHS England trusts per category (Directly affected, Indirectly affected, Total affected, Not affected); vertical axis from 0 to 250 trusts]


NHS England also faced financial repercussions. Nevertheless, it is reported that no ransom was paid by any of the trusts within NHS England (Morse, 2017). The economic impact encompasses staff working overtime, the costs of additional IT support, hiring third-party IT consultants, and the costs of restoring the data and IT environment (Morse, 2017). Calculating the exact financial losses attributed to the WannaCry attack is a difficult task (The Committee of Public Accounts, 2018). This was mainly attributed to the fact that collecting the necessary data from all systems and trusts was identified as a disproportionate financial burden (Cybersecurity Policy, 2018). Nevertheless, an estimate of the direct costs based on lost output and IT-related expenses was established.

Table 4.1. Financial Cost of WannaCry Concerning the NHS England. Adapted from Cybersecurity Policy (2018).

                  During the attack (£m)   Aftermath (£m)   Total (£m)
Lost output       19                       0                19
IT-related        0.5                      72               72.5
Total             19.5                     72               91.5

Chapter 4.1.2 – NHS Scotland

Now that the impact on the NHS England is established, it is important to conduct a similar study into the effect of the WannaCry attack on the NHS Scotland. The NHS Scotland has a slightly different organisational structure as compared to the NHS England. Instead of trusts, the NHS Scotland is comprised of 22 ‘health boards’. Nevertheless, as the health boards are responsible for regional health services, they have a similar function to the NHS England’s trusts (Robertson, 2017).

The NHS Scotland experienced a varied impact amongst its health boards. Three categories were identified: (1) no infection; (2) a minor infection; and (3) a more extensive infection (Robertson, 2017). In total, thirteen boards were affected by the WannaCry attack. Thus, nine health boards belong in the category ‘no infection’. In addition, eleven health boards were identified as having experienced a ‘minor infection’. In this classification, health boards had between two and ten devices locked out by the malicious software. Besides, the impact generally encompassed overtime resources and IT restoring procedures (Robertson, 2017). Finally, two health boards were impacted on a larger scale. This resulted in more than thirty devices infected with WannaCry and disrupted services, including the rescheduling of non-urgent appointments (Robertson, 2017).

Figure 4.2. Impacted Health Boards Per Category.

Nevertheless, even health boards that belong to the category ‘no infection’ experienced disruption. This disruption, which was self-inflicted and identified as a necessary evil, encompassed voluntarily shutting down the IT-systems required to provide services and disconnecting from the network (Robertson, 2017). Therefore, the WannaCry virus can have implications for a health board even when the malicious software does not present itself in its systems. However, it is essential to note that all key services were restored by Monday 15 May and all systems were running at full capacity within a week of the WannaCry strike occurring (Health and Sport Committee, 2017).

Besides, patient records were not available in all cases (Mattei, 2017). However, it was reported that no data concerning patients was compromised (Health and Sport Committee, 2017). Furthermore, the health boards that faced an impact also had to divert ambulances (Gayle, Topping, Sample, Marsh, & Dodd, 2017). Finally, it was noted that the financial costs are difficult to establish; however, there is no report of any health board paying the ransom demanded by the cybercriminals (Robertson, 2017). Nevertheless, it is assumed that most monetary resources were used up by in-house IT and overtime to recover the network (Health and Sport Committee, 2017).

[Figure 4.2 chart: number of NHS Scotland health boards per category (minor infection, wider infection, total affected, not affected); the chart itself is not reproduced in this text.]

Chapter 4.1.3 – NHS Wales

The impact on the NHS Wales is different as compared to the NHS England and Scotland. While the English and Scottish counterparts were exposed to the malicious software in their IT-environment, it was reported that the WannaCry strike “did not affect the integrity of NHS systems in Wales” (Jones, 2017, Para. 2). However, to state that the malicious software had no impact would be an exaggeration. On Friday 12 May, the NHS Wales Informatics Service (NWIS) received news that a cyber attack was transpiring at the NHS England (Morris & Rainbird, 2017).

The NHS Wales is constructed as a combination of health boards similar to Scotland, and trusts comparable to England; there are seven health boards and three trusts (NHS Wales, n.d.). As a method of response to the announced cyber threat, the NHS Wales decided to block all e-mail traffic other than that from its own health boards and trusts from 20:00 Friday 12 May 2017 until 08:00 Friday 19 May 2017 (Morris & Rainbird, 2017). In addition, the e-mails received within this timeframe were deleted as a precaution; thus, valuable information was lost, and a critical communication channel was out of service (Morris & Rainbird, 2017). Therefore, the NHS Wales faced an impact on its e-mail information provision.

Furthermore, the WannaCry strike had an impact on the cybersecurity measures in place at the NHS Wales. Restricting external webmail and tightening firewall rules that limit access to the internet were some of the actions taken to prevent further attacks (Morris & Rainbird, 2017). Also, in alignment with tighter cybersecurity controls, one of the NHS Wales trusts, the Velindre trust, faced disruption as a consequence of the WannaCry strike (Morris & Rainbird, 2017). Its services were interrupted due to patch management carried out in response to the threat of WannaCry (Morris & Rainbird, 2017). This resulted in radiology systems being unavailable between 19:00 Saturday 13 May 2017 and 04:00 Sunday 14 May 2017. Besides, several other systems required for cancer treatments were at times unavailable until Friday 19 May 2017, when business continued as usual (Morris & Rainbird, 2017).

However, the impact on patients was minimal. The BBC reported that appointments concerning 40 patients at the Velindre trust had to be rescheduled, resulting in a delay of one day before they could receive treatment (BBC, 2017). In addition to the patients identified by the BBC, the treatments of two seriously ill patients were also deferred to the next workday (Morris & Rainbird, 2017). Finally, while no direct costs, such as paying the ransom or not being able to service clients, were identified, remedial actions such as patching the systems required funding; nevertheless, the total cost of the WannaCry attack has not been shared (Morris & Rainbird, 2017).
