Weekly podcast: UK Cyber Security Strategy, malware delays ops, and inept cyber criminal caught

This week, we discuss the launch of the UK’s National Cyber Security Strategy for 2016 – 2021, a malware attack on Northern Lincolnshire and Goole NHS Foundation Trust, and how a cyber criminal was caught by the FBI.

Hello and welcome to the IT Governance podcast for Friday, 4 November. Here are this week’s stories.

The Chancellor of the Exchequer, Philip Hammond, this week launched the UK’s new National Cyber Security Strategy for 2016 – 2021. “[We] will not only defend ourselves in cyberspace,” the Chancellor said; “we will strike back in kind when we are attacked.”

The Strategy will be underpinned by a £1.9 billion investment in three areas – defence, deterrence and development – which will be supported by the new National Cyber Security Centre (NCSC), whose CEO, Ciaran Martin, last month announced that the centre would be “exploring a flagship project” to work with Internet service providers to block known malware and bad addresses with DNS filtering – a project already dubbed ‘The Great British Firewall’ by many parts of the media.

As the Chancellor said: “when businesses or government bodies, or academic organisations report a significant incident, the [NCSC] will bring together the full range of technical skills from across government and beyond to respond immediately.”

However, “government cannot be solely responsible for managing cyber risk,” Mr Hammond added. “Chief executives and Boards must recognise that they have a responsibility to manage cyber risks, just as they would any other operational risk.”

The Chancellor spoke on the same day that the Director General of MI5, Andrew Parker, told the Guardian that Russia was increasingly engaging in cyber warfare, and targeting “military secrets, industrial projects, economic information and government and foreign policy.”

The Kremlin has dismissed the allegation. “Those words do not correspond to reality,” said Kremlin spokesman Dmitry Peskov. “Until someone produces proof, we will consider those statements unfounded and groundless.”

As the government steps up its approach to cyber security, the need for more robust defences was amply illustrated on Tuesday when the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG) announced that an unspecified piece of malware had infected its electronic systems, forcing it to shut down much of its network and, as a result, cancel planned operations and appointments.

According to the BBC, “NLAG runs hospitals in Goole, Grimsby and Scunthorpe, and its computer system is linked to that at United Lincolnshire Hospitals Trust.”

MetaCompliance quotes NLAG as saying: “All patients should presume their appointment/procedure has been cancelled unless they are contacted. Those who turn up will be turned away.”

According to ITV, an updated statement posted on 2 November explained that “Inpatients will continue to be cared for and discharged as soon as they are medically fit. Major trauma cases will continue to be diverted to neighbouring hospitals as will high risk women in labour. Our clinicians will continue to see, treat and operate on those patients who would be at significant clinical risk should their treatment be delayed.”

At the time of this recording (Thursday afternoon), NLAG’s homepage bore the update: “The majority of our electronic systems are now back up and working. If you are due to come in for an appointment, procedure, operation or scan on Thursday November 3, please attend.”

A spot of lighter news to end…

The Register reports on “what appears to be one of the most inept pieces of computer crime in recent history”. 27-year-old Dwayne Cartouche Hans Jr of Richland, Washington, was charged last week with computer fraud, wire fraud and money laundering, after allegedly “stealing $134,000 from a bank and trying to get another $1.5m after working out how to game the bank’s computer system and a government payment site” – the US General Services Administration’s System for Award Management (SAM).

And how was this criminal mastermind caught, I imagine you’re asking. Well, according to court documents, he used his own name, date of birth, home address and phone number when he set up five bank accounts to launder the money. Oh, and he also used his own email address and IP address when he accessed SAM.gov.

Bad luck, Dwayne.

Well, that’s it for this week. If you enjoy these podcasts, please share them, using the hashtag #itgpodcast, and, until next time, remember that you can keep up to date with the latest information security news on our blog. And don’t forget to check out our book of the month, Managing Information Security Breaches – Studies from real life by Michael Krausz. Full of useful information about real-life incidents and breaches, this thought-provoking guide explains how to get your risk profile right, and how data breaches can be avoided and mitigated. Head over to our webshop to find out more – and save 10% if you buy by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.