The Gist: Attack of the Cyber-Men
Ireland suffers its most momentous cyber attack, until the next one. This is The Gist.
Life in a pandemic is a funny old bit of business. Vaccines become household names, with their own national fandoms. The act of looking at things you don’t need in shops becomes an obscure object of desire. Academics and doctors assume the role of national figures.
Ticking away in the background is the effort to keep the regular functions of the health system still working. Lives depend on it. Which was why this week’s attack on the core computer systems of the HSE and the Department of Health seems so shocking.
In hindsight this shock is a strange idea. Just as unions don’t plan strikes on bank holiday Mondays, so attackers don’t confine their targets to non-vital systems that you can completely do without. The disruption is the point.
The consequences of the attack still hadn’t unwound into the following week. Maybe patient data had been spectacularly compromised, or you know, not, who can say, mused newly appointed Minister for Just Saying Words to Fill The Void, Ossian Smith.
While we waited to see if x-rays of famous people with intimately misplaced items would make their way to Facebook and add to the gaiety of the nation, people noticed reports that 38,000 HSE PCs were running on outdated versions Windows 7 and that the post of Director of the National Cyber Security Centre was so modestly funded that the position had lain vacant for months due to the uncompetitive salary.
Given that Ireland might have expected to attract unwelcome levels of attention from state actors thanks to its election to membership of the UN Security Council, coupled with the general criminal honeypot of increasingly centralised systems running on well-advertised old software it might seem that cheeseparing the salary of the person intended to keep us secure might not have been the best idea.
But, regrettably, it is all of a piece with the funding priorities of a government which spends more on subsidising Greyhound Racing than on the most significant data protection regulator in Europe.
Some of this may be a question of the age and tech literacy of those making the decisions. Some may be a reflexive assessment of spending money to avoid bad things is just money wasted. After all, if those responsible are successful, it doesn’t look like anything bad happened. Consider this the Y2K fallacy.
But, at base, deciding not to make securing critical infrastructure a priority is the result of a lack of imagination.
The Government has multiple plans for national, all-population scale databases. The Public Services Card. The Single Customer View. The Individual Health Identifier.
But in each case, the most severe risk- of a whole system compromise, risking the data protection rights of everyone in the country- is discounted as simply unlikely to happen.
This week, we encountered, once again, the hard reality of building a national scale data system. In the long run, all data leaks.