The British government has admitted publicly for the first time that it is all but certain North Korea carried out the “WannaCry” malware attack which devastated NHS IT systems in May.
A report released by the National Audit Office (NAO) on Friday found that hospital trusts were left vulnerable to the attack because basic recommendations on cyber-security were not followed.
Speaking on the BBC’s Today programme, the security minister Ben Wallace said the government now believes a North Korean hacking group was responsible, but stopped short of suggesting the UK could carry out retaliatory attacks.
“This attack, we believe quite strongly that this came from a foreign state,” Mr Wallace said. Adding that the state involved was “North Korea”, he said: “We can be as sure as possible. I obviously can’t go into the detail of intelligence, but it is widely believed in the community and across a number of countries that North Korea had taken this role.”
Asked what the UK could do in response to the attack, the minister admitted that it would be “challenging” to arrest anyone when a “hostile state” was involved.
He called on the West to instead develop a “doctrine of deterrent” similar to that used to prevent the use of nuclear weapons. “We do have a counter attack capability,” he said. “But let’s remember we are an open liberal democracy with a large reliance on IT systems. We will obviously have a different risk appetite. If you get into tit for tat there has to be serious consideration of the risk we would expose UK citizens to.”
Earlier an independent investigation concluded that the cyber attack which crippled parts of the NHS could have been prevented if “basic IT security” measures had been taken.
The head of the NAO warned the health service and Department of Health to “get their act together” in the wake of the WannaCry crisis, or risk suffering a more sophisticated and damaging future attack.
The NAO’s probe found that almost 19,500 medical appointments, including 139 potential cancer referrals, were estimated to have been cancelled, with five hospitals having to divert ambulances away after being locked out of computers on 12 May.
The malware is believed to have infected machines at 81 health trusts across England – a third of the 236 total, plus computers at almost 600 GP surgeries, the NAO found.
All were running computer systems – the majority Windows 7 – that had not been updated to secure them against such attacks.
Mr Wallace accepted that the attack could have been avoided if software had been properly updated.
“It’s a salient lesson for us all that all of us, from individuals to governments to large organisations, have a role to play in maintaining the security of our networks,” he said.
British systems came under attack on a weekly basis from organised criminals and “a number” of foreign countries which seek to collect intelligence or carry out a “state-sponsored criminal attack”.
Expanding on the prospect of the UK fighting back back online, he said: “Other countries do have doctrines and military thinking along that line, but the West – the United States, Europe and the United Kingdom – are much more thoughtful about these things because, ultimately, if we were to take some action, we have to remember that some of these states may, as we have seen with this WannaCry, strike out at the rest of our functions.”
In a report cataloguing the failures which led to May’s attack, the NAO said that while the health service’s IT arm NHS Digital had issued “critical alerts” about WannaCry in March and April, the DoH had “no formal mechanism” to determine whether local NHS organisations had taken any action.
NAO head Sir Amyas Morse said: “There are more sophisticated cyber threats out there than WannaCry so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
More than 300,000 computers in 150 countries were infected with the WannaCry ransomware.
It crippled organisations from government agencies and global companies by targeting computers with outdated security.