NHS hack wasn't about making money. It was about disgruntled hackers making a point

We need a better understanding of the human factor in cyberattacks.

“What happened?” was the most asked question following the intense media coverage of what global security expert Mikko Hypponen has described as the “biggest ransomware attack in history” last Friday.

However, why the NHS cyberattack happened seems to be a more interesting and relevant question, both for resolving the current crisis (hint: don’t pay!) and for preventing further attacks. Understanding the human “why?” is more important than knowing the technological “what?”

The backstory seems simple: a group of hackers, The ShadowBrokers (TSB), gained access to a powerful NSA cyberweapon that takes advantage of a vulnerability in Microsoft software. Microsoft was aware of the problem and issued a patch that many organisations failed to install. TSB tried to auction it, failed, and then spread the malware as ransomware to increase the group’s visibility.

In the UK, IT systems throughout the NHS were affected; there followed a heated political argument about responsibility, which largely avoided the boring technological conversation: could it happen again?

Much like fighting terrorism, one of the keys to combatting cyberattacks and extortion cases is to understand the motivation of the protagonists.

Technological capabilities will always be a cat-and-mouse game, so the competitive edge to winning against hackers lies in understanding the human factor. Put simply, there are two human motivations: instrumental and expressive. If TSB wanted to make money (what professional crisis negotiators call an “instrumental motivation”) they would have targeted specific institutions, increasing the ransom demand dramatically, as hackers did last year with a hospital in Los Angeles that paid a $17,000 ransom in Bitcoin. If TSB just wanted money, the group would not have acted in a way that has forced government agencies to review cybersecurity implementation plans. When political candidates face cyberbreaches of their campaign systems or personal email correspondence, the hackers’ instrumental motivation is to undermine their credibility or affect election results. If money is paid, a president is elected, or a business competitor is destroyed, the instrumental mission is accomplished.

Expressive motivation is more challenging to deal with, as it stems from the human need to feel significant and to have a work, cause or belief system appreciated. For instance, Al-Qaeda’s purpose in the 9/11 attacks was to demonstrate to the US that it is not invulnerable. Once this motivation is understood and analysed, it gives cybersecurity professionals a clear path towards investigation, intelligence analysis and, once engagement is possible – as with cyber extortion negotiations – to communicate an understanding of the cause.

The international attack took place on a Friday, when the number of visits to health facilities is traditionally lower, and used American-made malware with an embedded ‘kill switch’. The failure of the perpetrators to auction it for big money, the leveraging of a long-known vulnerability, the low ransom demand in global parallel attacks (which decreases chances of being paid) and the fact that Russia has been dramatically hit are all signs that the perpetrators could be American hackers frustrated by their failure to make big money. The attack has the signs of being the work of a group that preferred expressive impact over a modest amount of money.

Last week’s attack was not made using classic instrumental ransomware – the malware was well-known to cybersecurity professionals. It was a global show of strength, an expressive one, that caused relatively low financial and operational damage, and ought to be used by the UK government as a powerful reminder to revise its cybersecurity strategies. Businesses and organisations worldwide should thank TSB for this wake-up call, and cybersecurity providers should use this opportunity to understand the prevailing human factors behind any massive cyber extortion act.


Monday 15 May 2017