On 14 May this year, Anne O’Connor, the Chief Operating Officer at the Irish Health Service Executive (HSE) is likely to have received a message from her IT Director with the news every senior executive dreads: we’ve been hit by a cyber attack.
It was a Friday. Cyber attacks always happen on Fridays.
In the hours that followed, O’Connor would have put her weekend plans on hold. On the Saturday, she took to Twitter, advising her 4,000 followers; “Many routine hospital appointments on Monday will be cancelled.” Over the next few days, the impact became clear: the HSE’s IT systems had been hit by a significant ransomware attack.
In case you are unsure, a ransomware attack encrypts servers and other connected devices, rendering them inaccessible. It is instigated by cyber criminals.
It was unclear whether the HSE’s back-up files were safe and uncorrupted. It was impossible to say whether any data had been deleted in the attack. In short, years of accumulated patient medical records were in jeopardy. In addition to encrypting the HSE’s servers, the criminal gang also exfiltrated data from the systems they targeted, with the aim of increasing the pressure on the Irish government to pay a ransom by threatening to release the data on the dark web, a growing tactic by ransomware gangs.
So not only were the senior leadership team scrambling to understand the extent of the attack in those first few days, but thousands of doctors and nurses were reverting to pen and paper, unable to check patient records, trying to make decisions on prioritising appointments with limited medical history to refer to.
Up to 14,000 daily outpatient appointments were immediately cancelled, affecting cancer patients and preventing scans and other vital laboratory-related testing from taking place. GPs were advised not to send samples to laboratories for testing unless it was vital for patient care. Patients took to the media to describe the impact on their lives from the delays. It was a chaotic situation.
Whether this scenario led to premature deaths amongst the Irish population is unlikely to be proven, but the reality that lives were put at risk as a result of the ransomware attack is clear.
Ireland’s political response to the attack was led by the Taoiseach, Micheál Martin, who said: “Look, at this stage, we’re dealing with this in accordance with the advice that we’ve received from cyber security experts, and I think we’re very clear we will not be paying any ransom or engaging in any of that sort of stuff.”
So, who was responsible for the ransomware attack? Cyber criminal gangs are often based in Russia, as well as other territories beyond the reach of international law enforcement, such as North Korea, Iran and China. According to many experts, and widely reported in the mainstream Irish media, the gang responsible for the healthcare attack was called Wizard Spider, a criminal group primarily based in Russia. The gang soon set out their demands: a $20 million ransom would lead to the release of a decryption key to unlock the healthcare’s servers, although even this solution would take months to resolve the issue.
Ransomware has become a very lucrative enterprise for criminal gangs like Wizard Spider. It is estimated that, in 2020 alone, ransoms totalled $350 million. The ransomware business model has evolved into a highly effective form of extortion.
These sorts of attacks cause such financial loss, business disruption and potentially threat to life that they ought to be considered as a national security issue. Certainly, this is how the new chief executive of the UK’s National Cyber Security Centre, Lindy Cameron, says they are being treated. As she put it in a speech in June: “… there is a moment now, to take our alliances in this space to a different level. And we in the UK are well positioned to play a key leading role in this. One of our strengths, in my view, is that we consistently treat cyber security not just as a national security issue but as a mainstream public policy issue.”
But there’s a gap between the rhetoric and the action. If you want to see why – and understand how we might properly respond to ransomware – then it’s worth looking back to the international community’s response to the Somali piracy crisis in the Indian Ocean a decade ago.
In 2010, I arrived at the Ministry of Defence to lead the UK’s policy and planning in the Horn of Africa, with a focus on Somalia. At the time, the world was gripped by the growing piracy crisis in the Indian Ocean. I found that piracy had spawned a cottage industry across Whitehall, with talented people “cutting about” full of well-meaning endeavour. However, it was obvious to me that the problem of piracy could only be resolved through action in Somalia, rather than at sea. It was an unpopular policy position at the time.
What were the origins of Somali piracy? When the Somali coast guard collapsed, reflecting the country’s political instability in the mid-2000s, foreign fishing crews began to encroach into its territorial waters to conduct illegal fishing. Local fishermen started kidnapping these crews and their boats, demanding payment for their return. It soon escalated into a full-blown criminal enterprise.
Commercial vessels and ocean-going private yachts sailing close to the coast were randomly targeted by pirate gangs who would board vessels, take crew and cargo hostage, and hold them, moored off the coast of Somalia often for months, until, after lengthy negotiations through intermediaries, insurers paid millions of dollars in ransoms for their release. Ransoms were delivered by various means, including via an East Africa-based private military company that dropped waterproof containers full of cash from a chartered C-130 aircraft into the sea, at pre-arranged locations close to the hijacked vessels.
As the value of ransoms rose, and with a stuttering response from the international community, the pirate action groups, as they became known, evolved their tactics, reaching far deeper into the Indian Ocean than ever before. With 40 per cent of global marine traffic, including oil for western countries, transiting shipping lanes adjacent to Somalia’s northern coastline, the EU in particular was concerned – and rightly – about the potential impact on the free passage of goods.
From its modest beginnings, the piracy business model brought huge benefits to those involved. The balance of power was heavily stacked in the pirates’ favour. They operated out of a semi-autonomous region called Puntland, north of the Somali capital Mogadishu, with hundreds of miles of accessible Indian Ocean coastline from which to launch their attacks. The Puntland administration was limited in its ability to influence the activities of the pirate kingpins, many of whom had become wealthy and influential, and there was a plentiful supply of unemployed youth willing to go to sea for a cut of the proceeds. The risk-reward calculus was on the side of the pirates.
It was a toxic cocktail: a permissive environment from which to operate, little effective deterrent from the ships, and an insurance industry, in most cases, willing to pay to get their vessels and people released. By the end of 2010, at the height of the crisis, over 1,000 crew members had been kidnapped by Somali pirates, and it was estimated that over $250 million was paid in ransoms in that year alone. The following year, 275 recorded attacks took place off the coast of Somalia, leading to the hijack of 45 vessels.
So what did the international community do to address this growing threat? In 2008 a United Nations-mandated EU naval task force, EU NAVFOR, launched Operation Atalanta. Made up of representatives from over 22 countries, including Russia and China, naval ships patrolled the huge expanse of the Indian Ocean to act as a deterrent against pirate action groups. But with between four and seven vessels at sea at any one time, and with only two or three maritime air assets available for tasking, the mission lacked the necessary concentration of force. Somali piracy continued to disrupt the lives of many, often with fatal consequences. Piracy action groups’ tactics also evolved: they started operating from “mother ships” deep in the Indian Ocean, giving them extended reach beyond their traditional hunting grounds.
In 2011, shipping companies were playing catch up. A coalition of maritime organisations issued the fourth edition of a booklet entitled Best Management Practices, offering advice to ship owners and masters who were likely to be transiting the high-risk area. This advice consisted of measures to improve a ship’s deterrence against attack. The premise was simple: if the pirates can’t board the ship, they can’t hijack the ship. Private security armed guards also began deploying on board vessels.
But it wasn’t enough. In September of that year, I shared my thinking with the man who was then defence secretary, Liam Fox, whom I was briefing on the situation in the region – and again suggested that Somalia should be the focus of our efforts. He didn’t take kindly to my alternative policy approach. For unrelated reasons, Fox found himself out of his job and back on the backbenches three weeks later.
But, crucially, the UK government had also, coincidentally, turned its attention to Somalia. After the prime minister, David Cameron, returned from that year’s UN General Assembly, where he had been overwhelmed by questions about Somalia, the penny finally dropped. Piracy was not the problem; Somalia was the problem. This long overdue change in policy signalled the end of the pirates’ advantage.
On 23 March 2012, a crucial decision was taken by the Council of Europe to allow EU NAVFOR to conduct military operations, using the most appropriate weapons systems available, against pirate paraphernalia on shore for the first time. On 15 May, the first reported operation was carried out that destroyed, and therefore disrupted, piracy groups in what had previously been a safe operating environment. Of all the initiatives that contributed to the decline in piracy operations, direct action ashore and a new commitment to processing suspected pirates through judicial systems in the region marked the turning point. Without the means to go to sea, and with the credible threat of imprisonment, the risk-reward calculus had finally shifted away from the pirate action groups.
Linked to this change of tactics was a greater engagement with coastal communities. As Lord Teverson, Chairman of the Lords EU Committee for External Affairs, wrote in a report in August 2012: “…reducing piracy requires reducing the incentive for Somalis to become pirates. As well as increasing the risk involved by improving detection and punishment of those engaged in piracy, we also need viable alternatives for Somalis to provide for their families.”
A marginally more stable political environment now allowed new policies to be explored around what incentives could be introduced to generate alternative livelihoods for those involved in piracy.
Although there are obvious differences between ransomware and piracy, the similarities are also striking. Ransomware gangs are faceless criminal enterprises committed to making huge sums of money through extortion and ransoms. They often choose victims at random, employing an array of tactics to achieve their ends. In the current ransomware crisis, intermediaries have emerged, acting as the interface between victims and the ransomware gangs, as they did in East Africa between pirates, owners and insurance companies.
The main factor common to both criminal business models is that they need to operate from a permissive environment, one that is beyond the reach of international law enforcement. In the case of Somalia, it was a lack of governance overall. In the case of ransomware gangs, it’s the tacit approval of host governments. Just as it was when dealing with the pirates, taking away freedom of action must be an option when it comes to disrupting ransomware gangs.
Cyber criminals conducting ransomware attacks are tolerated – even encouraged or sponsored – by their host governments as they are indirectly supporting the foreign policy objectives of those countries by disrupting the economic wellbeing of the West. So, do we sit back and accept ransomware attacks as a business-as-usual risk, instead focusing our national effort on preventing arguably more serious state-sponsored attacks on our democratic values and institutions?
Or is it time for the international community to step up, as Lindy Cameron suggested, through greater collaborative action at the governmental level, against ransomware gangs who are living under the protection of these regimes?
Earlier this year in the United States, a coalition of experts formed the Ransomware Task Force (RTF), whose aim “is to develop a robust plan to tackle the global ransomware threat, through deterring and disrupting the actors while helping ensure organisations are equipped to prepare and respond.” Although its extensive report was written mainly for a US government audience, international collaboration was central to its credibility, with experts contributing from around the world. And since President Biden’s engagement with President Putin over the issue, ransomware has risen towards the top of the policy agenda in many countries.
In the same way that guidance was issued through Best Management Practices to help ships prevent pirate attacks, the National Cyber Security Center offers advice on improving cyber resilience in the face of the ransomware threat. In the UK, certain sectors are mandated through regulation to maintain high levels of cyber resilience, even though large swathes of the economy remain vulnerable. And through specialist companies who monitor cryptocurrency transactions, progress is being made on monitoring ransom payments to make it harder for gangs to profit from their criminal activities. The role of the insurance industry also needs to be fully clarified as ransom payments, often paid indirectly to the victim, are widely considered to perpetuate the ransomware business model.
In the UK, there is significant work being carried out behind the scenes, drawing together the relevant agencies who have some skin in the game, including the National Cyber Security Centre and the National Crime Agency. But the question remains: is ransomware high enough up the policy agenda? Reducing its impact requires international collaboration, much like we saw in the formation of EU NAVFOR in 2008. The chronic weaknesses in the West’s cyber resilience, the freedom of action enjoyed by the ransomware gangs, and the ease with which ransoms are being paid using cryptocurrency, all point to a decision point for Western governments, similar to that they faced over Somali piracy.
A recent example of disrupting cyber criminals through cross border collaboration was carried out at the beginning of this year by Europol. The EMOTET malware had become the cyber criminals’ go-to solution for entering a victim’s network and was used as, in the words of Europol, the “primary door opener for computer systems on a global scale,” enabling ransomware and other attacks to take place.
EMOTET malware had been operating since 2014 and was delivered via email, containing a malicious link. Once downloaded, the malware infected the computer or network and was “sold” on to other online criminals via the dark web, who could then conduct ransomware attacks or steal information. It is estimated that EMOTET has been responsible for financial losses in the region of $2 billion. The Europol operation to remove this threat was complex. Whilst the tactical details have not been made public, for obvious reasons, the strategy of infiltrating this criminal network and collapsing it from the inside has removed a significant threat, and was a rare success in this sphere.
The question remains one of appetite, specifically whether the UK and our international partners have the resolve to reach for – and then pull – the appropriate levers of power. There are many options to put pressure on these groups, ranging from economic sanctions against any regimes harbouring their activities to covert actions to disrupt their operational capabilities in situ.
Back in Ireland, a week after the attack on the HSE, and to the surprise of global cyber security experts, the ransomware gang behind the attack released the decryption key to allow the HSE to unlock its files, whilst still demanding a ransom to prevent sensitive data from being released online. Ten weeks after the original attack, the HSE reported, “Patients may find their experiences far slower and less integrated compared to normal.” The impact on the health of Irish citizens from having delayed appointments and operations is impossible to measure.
Ade Clewlow was an Army Officer for 25 years, serving in Kosovo, Iraq and Central America. He led policy and planning for Somalia during the height of the piracy crisis between 2010 and 2012. His first book, Under A Feathered Sky: the untold story of NATO’s role in newly independent Kosovo, was published in 2020.
Photograph by Mohamed Dahir/AFP via Getty Images