Crisis of trust: Why recent ransomware attacks prove we need a better solution for sensitive data

Recently, there seems to be an increased media awareness and certainly greater coverage of large-scale malicious cyber behaviour. As I write there is a massive-scale attack being reported across the globe, and just in the last few weeks we have seen various private organisations and several public organisations here in the UK - including parliament and the NHS - suffer major cyber-attacks. These are striking at the heart of our civilisation with seemingly no moral compass behind them.

The NHS example was an unstructured global attack on the 15th May 2017 via a ransomware cryptographic tool. It essentially encrypted the hard drive of the laptop that it had infected and then demanded payment in bitcoin to access the key that could decrypt the data. Within a day, this had spread to nearly a quarter of a million machines in over 100 countries. It exploited underlying weaknesses in the Microsoft operating system, which were patched on the 14th March 2017.

The NHS suffered a severe impact to the point that critical services were suspended and people were turned away from hospitals. This just shows how much our country's essential infrastructure now relies on digital stability, security and availability. Think of the potential impact, if this was coordinated with a physical attack.   

To me, this highlights that current security philosophy is no longer fit for purpose. We are now in a world of highly distributed devices and systems that are critical to ongoing services. The idea of a physical and digital perimeter or barrier has no place. We can see from these events that a maintained firewall/secure perimeter did not impact on the insertion or the proliferation of the ransomware. To further exacerbate this, increasing numbers of devices, especially in healthcare, are now smart, connected devices that are equally vulnerable to this type of attack.

As well as the perimeter risk, many cyber security methodologies rely on ‘hub-spoke’ enforcement. This means that there is a central/global authority (the hub) that holds the configuration and rules, and then spokes that push the policy outward. So to create compliance, the spokes need to regularly connect back to the hub and get all of the latest rules and updates. This commonly is the architecture behind patching as well as other security configuration elements.   

We can see very clearly from the NHS impact that this methodology has not worked. The attack on the NHS (approx. 70000 individual systems) was 59 days after the patch was released. This patch closed the vulnerability. So the question is: if the hub/spoke update and security policy was operating effectively, why were those systems still affected?

As well as this issue, there is the major concern of the impact of the loss of these devices. Laptops should be essentially transient compute devices that can be replaced and are seen as a business commodity. They should not be a business-critical asset and certainly not a part of critical services. The system impact of this type of attack I can understand - the service impact was shocking.

I see this type of behaviour across many enterprise businesses in both private and public sector. It happens when the core IT infrastructure does not provide the flexibility and agility needed to get business done, often around data access and sharing. Employees and users resort to storing data on their machines and commonly sharing via email. Whilst this is easy and fast, it starts to build up a dependence on highly insecure and un-audited systems. Combined with a dated hub-spoke security architecture, you end up with critical data on insecure systems.  

This lack of sharing capability (both intra and inter business) results in many ‘shadow IT’ operations emerging where critical data is shared in spreadsheets via email, consumer cloud data storage as well as quite dated methods such as printing or memory sticks. These methods are very insecure and bundle lots of data together. These are commonly the source of bulk data breaches, where huge amounts of data are leaked out of the secure control of the organisation. In many cases, sadly, this includes personal or business-critical data. There are many cases where core intellectual property or personal data such as healthcare records are lost. Whilst this can have a huge direct impact on business, the social impact on the consumer or citizen is huge. This often carries reputational damage to the company or data owner at the time of the loss.

This has led to a crisis of trust. People in general are much more aware of the value of their personal data. We are seeing companies reversing on previously accepted policies of highly intrusive data scanning and observation. Google recently have reverted their policy of creating advertising content based on scanned emails. The sheer volume and impact of data breaches and associated impact of this data getting into the wrong hands has created further fear in users of digital services.  

The problem of data security and privacy is not a new one, and has been unresolved since the birth of connected computers and the web. Whilst technology has raced to keep up with the threat, it has commonly relied on centralised security. As we have discussed, this is no longer fit for purpose. There is, however, a new hope.

Trust is an interesting concept - one which is very difficult to define. However it is the basis of life itself and the framework that allows a set of individuals to become a cohesive community. It is the basis of functional and effective relationships. Without trust, we have nothing. In the finance world centralised intermediaries were created to hold our money and conduct our transactions. These banks are trusted through brand, longevity, regulation and the very cultural framework we exist in. This has allowed us to put our faith in them to hold and manage our finances on our behalf. With the creation of a digital currency, how can trust be achieved, where there is no bank or no intermediary? How can we trust in our finances, our transactions and the people or organisations that we transact with? This becomes very difficult, and is the very basis of what Blockchain is.

Blockchain is an architecture to build trust into digital transactions, where there is an unchangeable record, created through a chain of data signing and hashing. The chain means that the sequential set of recorded transactions cannot be changed, as the chain will be broken and the gap will be identified. To protect this chain further, it is distributed to many systems where these hashes are calculated in parallel. This parallel processing allows consensus to be derived, ensuring a logic to create trust. Blockchain therefore is an ability to not only execute trusted transactions, but also to have an accurate and unarguable record of transactions and current state.  
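The tamper-evidence property described above, as an added example that is not from the original article or from Gospel Technology: a hash-chained record log in which each entry also carries an HMAC tag, used here as a standard-library stand-in for the "data signing" the paragraph mentions. The key, payloads and function names are constructed for illustration, and distribution and consensus are out of scope.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
KEY = b"constructed-demo-key"  # assumption: stand-in for a writer's signing key

def _digest(prev_hash, payload):
    # Each record's hash covers its payload AND the previous record's hash.
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def _tag(record_hash, key):
    return hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()

def append(chain, payload, key=KEY):
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    h = _digest(prev_hash, payload)
    chain.append({"prev": prev_hash, "payload": payload,
                  "hash": h, "tag": _tag(h, key)})
    return chain

def first_break(chain, key=KEY, check_tags=True):
    """Index of the first record that fails verification, or None if intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        expected = _digest(prev_hash, rec["payload"])
        if rec["prev"] != prev_hash or rec["hash"] != expected:
            return i  # link or content does not match the recorded hash
        if check_tags and not hmac.compare_digest(rec["tag"], _tag(expected, key)):
            return i  # hashes are consistent but were not produced by the key holder
        prev_hash = rec["hash"]
    return None

def build_sample():
    chain = []
    for n in range(4):  # constructed sample records
        append(chain, {"seq": n, "action": "share", "record": f"patient-{n}"})
    return chain

def tamper_in_place(chain, index, payload):
    forged = [dict(r) for r in chain]
    forged[index]["payload"] = payload
    return forged

def tamper_and_rehash(chain, index, payload):
    """Editor without the key rewrites a record and recomputes every later hash."""
    forged = tamper_in_place(chain, index, payload)
    prev_hash = forged[index]["prev"]
    for rec in forged[index:]:
        rec["prev"] = prev_hash
        rec["hash"] = prev_hash = _digest(prev_hash, rec["payload"])
    return forged
```

With `check_tags=False` the re-hashed forgery verifies cleanly, which is why a hash chain needs signatures or an independently held copy of the head hash before it can serve as an audit record.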

Whilst Blockchain has been applied extensively to finance applications, the need to create trust in every transaction in a highly distributed environment starts to make a huge amount of sense in the context of the problems and risks discussed earlier. Instead of attempting to create a centralised security policy and push it out to the edge, think of the power of having every device as part of a distributed fabric, where trust is an essential component of every transaction. Then, where behaviour is outside of expected, trusted actions and where identity is assured with encrypted signatures, it is prevented in real time and reported in an immutable form.

Blockchain has the power to change everything. However there is an immediate need in the infrastructure that runs private business and our public services particularly where data and digitisation are essential to ongoing operations. The application of Blockchain to assure identity and trust in data transactions as well as have a fully auditable record of all operations changes the dynamic on the ability to resist data breaches and exploits.  

In the case where critical data is stored on a Blockchain, and data sharing is done through consent based on permission, backed by absolute trusted identity - the risk of data breach or critical services being affected by an exposed laptop completely goes away. Critical data is exchanged and shared in a highly secure and threat resistant platform. No longer is data shared via email and spreadsheet, it becomes a digital asset that is managed and secured.  

Governments and regulatory bodies have been impacted by the ferocity and frequency of the recent spate of attacks. Regulation is being created and will be enforced for companies to acknowledge and communicate breaches (e.g. GDPR) meaning that the visibility of these exposures will show the real scale of the problem. As this is realised, and the reputational impact is felt, businesses will have to get serious on improving data practice. The need for organisations to leverage cloud technology and interact at the internet level with service providers also increases the need and ability to share sensitive data. It is a perfect storm for businesses to set a standard for good data practice and take accountability for their data privacy and security.  

This technology is maturing quickly and will change the way the world works in many use cases and environments as companies adopt this type of methodology. The ones who haven't will become increasingly targeted. It will become an essential fabric for compliant and secure operation of business and personal data. It is disruptive and it does mean behavioural change as well as technology change. I believe, however, it will come, and it will become the standard for creating trust and security in these distributed environments.

Ian Smith, CEO and Founder, Gospel Technology 
