Adam Janofsky and Mara Lemos Stein, WSJ Pro Cybersecurity
Last week, the first WSJ Pro Cybersecurity Executive Forum took place in London. The event aimed to bring together c-level executives and brief them on key aspects of cybersecurity in the context of business. The conference brought together subject matter experts and a team of senior Wall Street Journal editors and journalists to conduct on-stage interviews.
Among the most anticipated speakers on the agenda was Dan Taylor, head of security at NHS Digital. Britain’s National Health Service was one of the first and most severely affected victims of the WannaCry ransomware, which effectively shut down several hospitals across the United Kingdom two weeks ago.
Nothing Prepares You
No matter how much time and resources an organization may spend on preparation, “nothing prepares you” for an attack like WannaCry, said Mr. Taylor. The attack exploited a vulnerability that was reportedly discovered by the National Security Agency and publicized by a group known as Shadow Brokers, and was designed to spread to all devices on the same network after infecting a computer.
“It started a much larger conversation” at the NHS, said Mr. Taylor, adding that the lessons learned “will make us better in the future.”
NHS leaders told the 12,000 organizations that make up the service to “do everything, but don’t pay the ransom,” according to Mr. Taylor, adding that none of the affected NHS facilities met attackers’ demands.
Another issue that many WannaCry victims didn’t foresee was the effect the attack would have on their ability to communicate, both internally and externally. At the NHS, some offices were unplugged and completely disconnected from email, according to Mr. Taylor.
Back to Basics
Upcoming regulations were a theme throughout the event and U.K. Information Commissioner Elizabeth Denham shared her advice with the audience: businesses must be prepared to “tell it all and tell it fast” if they experience a breach.
Ms. Denham advised organizations to “go back to the basics” when preparing for the landmark regulation, the General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018. GDPR will push companies to “minimize the data they collect and train their staff” better, Ms. Denham said.
There have been signs that companies are largely unprepared for the regulation, which lays out fines of as much as €20 million and requires organizations to report data breaches within 72 hours.
A survey released recently by software provider Varonis Systems Inc. revealed that 75% of 500 organizations polled in the U.K., Germany, France and the U.S. said they will struggle to meet GDPR requirements by the time it takes effect. The most common challenges reported by these organizations were complying with the law’s “right to be forgotten” section, under which they must automate the removal of data when requested by customers, and identifying personal information on their systems and restricting access to it.
Ms. Denham has stressed in the past that companies in the U.K. and elsewhere must prepare for GDPR even in the wake of Brexit, as the law applies to organizations that do business in the E.U.
Although Ms. Denham argued that her role isn’t to prescribe compliance methods, she said the right response to GDPR is for organizations to recognize that they “need to put individuals” at the center of their data protection efforts.
A Thankless Job
Mikko Hypponen, chief research officer at F-Secure Corp., discussed the recent ransomware attacks from the perspective of an investigator. He lamented the way a British security researcher who goes by the moniker MalwareTech was treated after he helped shut down the ransomware attack that rampaged through National Health Service systems.
Cybersecurity researchers came to the conclusion that saving the world is a thankless job.
When Mr. Hypponen was analyzing the malware and trying to fight it, he suddenly realized, “Holy hell, this isn’t spreading anymore, what has changed?” He soon found out a 22-year-old vigilante hacker had discovered a so-called “kill switch” that quieted the attack. “He didn’t slow down this worm, he stopped it,” Mr. Hypponen said.
The researcher who discovered the kill switch was soon unmasked by British media and lambasted tabloids for invading his privacy. He was offered a $10,000 reward from a security company but said he would donate it to charity.
“I’m dead serious when I say that guy deserves a medal,” said Mr. Hypponen, criticizing what he called the government’s lackluster response to someone who helped thwart one of the largest cyberattacks this year.
A Loss of Control
A panel of experts concluded corporations and governments need to build a relationship of trust to ensure greater collaboration on information sharing that could prevent cyberattacks and reduce their impact.
“Companies are worried about loss of control,” said Luke Dembosky, a cybersecurity and litigation partner at law firm Debevoise & Plimpton. They are worried about the government publishing statements that could embarrass the company and cause its stock price to fall, he said.
“They need to have a relationship before the crisis” so they know what to share, as most of the time the government isn’t really interested in proprietary data, said Mr. Dembosky.
By building relationships with government as part of a corporation’s cybersecurity-management strategy, companies would know who to approach in the event of an attack, said Cheri McGuire, chief information security officer at Standard Chartered Bank.
Concerns over a government’s hoarding of data and its own ability to protect data, as was brought to light by the data leak by former Central Intelligence Agency contractor Edward Snowden in 2013, are part of the reason why many companies are reluctant to collaborate with government, said Mr. Dembosky.
In the U.K., the role of government is outlined in the National Cybersecurity Strategy, a five-year plan detailing the government’s approach to securing its networks. The strategy makes it clear that companies that collaborate with the government will get technical support in the event of a breach and be warned if an attack is imminent, said David Omand, a visiting professor at the department of war studies at King’s College London.
“Sectors [such as financial institutions] need to understand the interdependence as well … it’s a two-way street,” said Mr. Omand, who is a former director of the Government Communications Headquarters, GCHQ.
The obligation to disclose a breach will become enshrined in the E.U.’s General Data Protection Regulation that comes into effect next May, which is expected to have a “big impact” on the way companies handle customers’ data, the panelists said.
More information about the WSJ Pro Cybersecurity newsletter can be found here. Future WSJ Pro Cybersecurity events will be advertised at cyber.wsj.com.