Simple solutions to the huge cyber-attack that caused chaos in the NHS last week do not reflect the complex reality on the ground, says a Deloitte director.
Bryan Hurcombe, head of public sector cyber practice at Deloitte UK, said that answers such as getting rid of legacy IT systems, secure by design and patching are not easy to implement.
Speaking at a Westminster eForum Keynote Seminar on cyber security, six days after the NHS cyber-attack, he said: “I think we need to talk about the reality of the situation and give ourselves a bit of a break”.
On legacy systems, Hurcombe said that “it’s not just a case of lifting and shifting them, these are deep in the heart of organisations and it takes time”.
The global cyber-attack, which has been attributed to a form of ransomware called ‘WannaCrypt’ (also known as WannaCry), exploited a known vulnerability in the SMBv1 file-sharing protocol in Windows, affecting unpatched machines across supported and out-of-support versions, including Windows XP.
Questions were raised over the weekend on why the NHS proved so vulnerable, with suspicion pointing at legacy IT systems.
Hurcombe said, “you’re absolutely right, we should get rid of legacy IT but it’s just not that simple”.
He also said that patching has been touted as the answer and “we should patch, it should be done, it’s just not easy to do”.
“I think that needs to be our key message – we get this, we understand this, we know it needs to be done but actually it’s really quite complex and takes time.”
The patch for this vulnerability had been released by Microsoft in March this year for supported versions of Windows (out-of-support versions such as Windows XP only received an emergency patch after the attack), and the company defended its role in the cyber-attack by laying the blame at the door of the National Security Agency for “stockpiling” the vulnerabilities.
He said that while everything should also be “secure by design”, legacy IT was never built to be secure.
“In the public sector we really struggle to find the right talent to help us implement secure by design principles”.
Hurcombe compared the virus to a worm called Code Red in 2001, which he said the FBI had credited with “almost breaking the internet” and costing $2.75 billion in clean-up costs.
Hurcombe concluded: “I think what can’t happen again is in the public sector, we can’t ever be accused again of not getting the basics right”.
Some trusts, prior to Friday, had openly admitted to not covering the basics.
One of the worst hit trusts, Southport and Ormskirk Hospital NHS Trust, had published in its board papers just days before the attack that “the trust does not have plans in place for what to do in the event of a cyber security attack”.