WannaCry ransomware attack shows the wisdom of having an offline Plan B
Kai-Lung Hui says organisations providing critical services must have a backup plan that does not rely on the internet in case of a crippling cyberattack
The latest ransomware attack sent the world into turmoil this week. Malicious software called WannaCry infected more than 200,000 computers worldwide, locking out users unless they paid a ransom in bitcoins to the attackers. Some of these locked computers are used in hospitals, petrol stations, schools and power companies.
Most IT security specialists advise victims not to pay such ransoms, but some organisations may feel they have no choice. After all, people’s lives could be in danger if, say, medical practitioners cannot access health records.
This raises a pressing issue: when technology is so embedded in our daily routines and incorporated in essential services such as health care and the provision of utilities, how can we reduce our risks in the event of a cyberattack?
In the case of WannaCry, IT experts have advised us to patch our operating systems, use anti-virus software and firewalls, and not to download files or open email attachments from unknown sources. This is good and practical advice, but it is insufficient at a time when cyberattacks are evolving fast and new means of attack are constantly emerging.
Today, novice hackers do not even need to know how to write encryption programs; they can deploy off-the-shelf ransomware to blackmail others. Some underground criminals offer dial-a-hacker services on the “dark web”, the encrypted segment of the internet not familiar to most users.
No doubt, defence tactics such as enabling firewalls or performing frequent backups will not suffice in the near future.
What we need is a change in attitude. Instead of betting everything on protection and defence, we should prepare for a scenario when the operating system is unavailable or critical data is not accessible from a computer. Hospitals should still be able to prescribe medication and conduct surgery when patients’ health records cannot be retrieved from servers. Power companies should have a backup system that can immediately take over the job and maintain the electricity supply to critical infrastructure services, in case of a security breach.
Preparing for such alternative systems is inevitably costly. But when IT is used as an integral part of services that affect people’s lives, we need to ensure that these services can continue when the system fails. The WannaCry attack shows this may not be the case with many organisations. It is now time for organisations, especially those providing critical services, to evaluate their contingency plans for when their IT systems fail; a “Plan B” is necessary, and this had better be one that can function without the internet.
Kai-Lung Hui is a professor at the HKUST Business School. The views expressed here are his own.