THE OPEN RIGHTS GROUP (ORG) is livid with GCHQ and its US equivalents over the ransomware attack on the NHS because it says that the agencies have enabled it by being crap in general.
Echoing earlier remarks from Microsoft, ORG wants MPs to take its warning and the NHS issue very seriously, which is something that it does not think they have done so far. According to ORG, and others, the attack was enabled by a leak of shared vulnerabilities from agencies that are charged with protecting us. It says that GCHQ should have been more open about their problems, and should have had a response plan lined up for such an issue.
"The NHS ransom shows the problems with GCHQ's approach to hacking and vulnerabilities, and this must be made clear to MPs who have given them sweeping powers in the IP Act that could result in the same problems recurring in the future," it said in a statement.
"The ransomware was built as the result of leaks of shared GCHQ-NSA software vulnerabilities by a group called shadowbrokers, specifically ETERNALBLUE".
GCHQ has four main problems according to the ORG, and they start with the fact that apparently ignorance is bliss at the outfit, and that a lack of preparedness is obvious. Also GCHQ is supposed to protect us and failed to do that, and the ORG wonders if it can balance keeping vulnerabilities secret and saving us from hackers.
Importantly, the ORG reckons that GCHQ should drop responsibility for the National Cyber Security Centre (NCSC), because it just can't handle the responsibilities, and let it run as an independent body. It also raises some issues with the management of the Digital Economy Bill, something that the ORG has a long-standing problem with.
"US and UK security agencies kept a widespread vulnerability secret rather than telling the companies so they could fix it. When the US leaked the vulnerability, it seems GCHQ had no plan to deal with the mess. GCHQ have a lot of questions to answer about their very dangerous strategy of hoarding knowledge of security problems. The National Cyber Security Centre should be made independent of GCHQ so these risks can be balanced without bias," said Jim Killock, executive director of the ORG.
"The government are asking for more powers to create vulnerabilities under the technical Capability Notices. MPs should be very cautious about the results, as there is little sign that the risks are being looked at within the authorisation regime."
Over at the Pirate Party the blame is being laid at the feet of Windows XP and an institution that cannot seem to drop its dependence on the elderly unsupported operating system.
"Keeping up to date with security patches is of utmost importance, especially in organisations such as the NHS that hold sensitive data and run vital life-critical services. Due to cuts and lack of infrastructure investment we are now starting to see the results of not having a good cyber plan," said Pirate Party UK Secretary and IT Security Expert, Matt Johnson.
"Despite the huge investment in the new National Cyber Security Centre there has clearly been no proper consideration of the many other services that need looking after. Those currently identified as vulnerable to the ransomware are all Windows users, for versions from XP through to Windows 10. It's vital you ensure you take appropriate measures in terms of anti-virus and firewall precautions, and most importantly you must update your system regularly." µ