The CEO Pat Larkin, of Ward Solutions was invited to present at an Oireachtas Committee on National Cyber Security
”We need a Radically Different Approach to Ransomware and Cybercrime”
– Pat Larkin, CEO of Ward Solutions
As we recover from the wake-up call of the largest cyber-attack in our history we need to focus on the priority of helping recover our healthcare systems.
The apparent partial climb-down by the HSE attackers needs to be treated with caution, but points to an opportunity to adopt a radically different approach to securing Ireland from future attacks.
There is some important context to the threats we face. We are one of several countries whose healthcare systems and other critical services have and continue to suffer significant cyber-attacks. Attacking a healthcare system regardless of actor or motivation is a very insidious and repugnant activity, with a high potential impact on patient care and mortality outcomes, says Pat.
Aside from damage to business and citizens there is the potential, based on suffering further crippling attacks on critical services of increasing brand damage to Ireland Inc. This could lead to a perception that we don’t take national security seriously and therefore are not a safe place to do business or invest in.
Well-intentioned approaches to date nationally and globally are failing by any objective measure.
The solution lies in full-blooded, visionary commitment to a new international consensus on cybercrime, and leadership to build and enforce this consensus.
We have some cards to play that may have been a factor in the recent events. We have a vibrant, emerging cybersecurity sector, good non-aligned international relationships, a seat at the UN Security Council, and recent street-cred of being a relatively innocent victim to a crippling attack.
We now need to lead a reshaping of our national and the global approach to this online terrorism, crime, and warfare. Doing so will project a strong message of our commitment to securing our country and its services, undoing any brand damage to Ireland Inc. resulting from this attack.
”We need to Stop Blaming victims, it Makes the Attackers’ Job Easier.”
Industry, customers, regulators often focus their blame on the victim organisations citing inadequate security on their part as reasons for the attack. This incorrect focus adds pressure to the organisation under attack.
Fear of loss of customers, regulatory fines etc. increases pressure on organisations to pay ransoms or not to disclose attacks. Instead, our collective efforts should be to support the victim, relentlessly pursue and neutralise the perpetrators, shamelessly disclose the attack so we all can learn.
The debate as to whether current international law is adequate for cyberspace needs to end. Ireland can help establish a clear Digital Geneva Convention and definitive international cyber norms governing international behaviour in cyberspace, covering cyber-warfare, cyber-weaponisation and cyber-crime. Microsoft President Brad Smith first proposed the idea of a Digital Geneva convention in 2017.
Once consensus is established We need a structure to effectively govern, regulate and enforce this new norm. The United Nations seems to be the obvious organisation, but long standing questions as to the effectiveness of the UN Security Council in relation to current international crises as well as cybercrime, cyber warfare would suggest that a change of modus operandi is required. Some of the alleged malevolent and ambivalent states with respect to cyber warfare and cybercrime currently sit on the UN Security Council with a veto.
If the UN cannot be fixed, then we should seek alternatives.
We then need to establish the treatment of cyber-attacks on healthcare and critical national infrastructure as a higher order of international crime. Attacking critical national infrastructure or health systems is effectively a combination of potential offences. If nation states are involved then it is a potential act of war and a breach of the Geneva Convention.
If cyber criminals are solely involved, given the scale and cost of destruction and inevitable impact on citizens and patients in terms of poorer patient outcomes, increased mortality, effectively the offence is a combination international terrorism, arguably reckless endangerment and potentially large scale manslaughter or murder. Lastly it is a traditional financial crime. New offence definitions may be needed to cover the cyber realm.
We should seek to make the cybercrime ecosystem pariahs in the international community. They need to be brought to trial with suitable agreed substantial common punishment. If necessary we may need to bring them to trial using the International Criminal court, particularly from ambivalent of malevolent states.
The consensus would also treat nation states that are ambivalent to or supportive of cyber-crime or cyber warfare as pariahs. We need to advocate for and lead in the construction of coordinated and sustained use of all global policy tools such as trade and digital sanctions, isolation, including internet isolation in a graduated fashion until they either cease their support or their support becomes ineffective.
Consensus allows states to invest in and focus our local and global intelligence, policing, defence and industry resources on a coordinated, collaborative and fully committed effort in pursuing, harassing, attacking and eliminating the attackers and their safe havens. This response should also ruthlessly pursue the attacker’s assets. We should regulate the crypto currency and related payment systems that shield and launder the attacker’s ill-gotten gains.
Cyber weapons have equivalent potential societal disruptive effect as controlled weapons such as chemical, nuclear, cluster mines etc. We have seen examples of nation state stockpiling of vulnerabilities, cyber weapons co-development with questionable 3rd parties. We need international consensus, legislation and control of their production, distribution and use.
We need to appropriately task and fully resource all National Defence, Policing, Intelligence and Foreign policy resources to make cyber security one of our top priorities in our national and global security.
We need to be more innovative, eliminating traditional internal silos and legacy mind-sets within our collective national security apparatus. Every soldier should be a cyber-soldier in addition to their skills in land, sea and air.
An Garda Síochána has made innovative investments in adding cyber skills and tools to their personnel, and work innovatively with academic and research institutions nationally and internationally in cyber policing. We need to build national and global capabilities collaboratively between government, industry, and academia to develop new tools and capabilities to constantly outgun the bad guys in cyber policing.
Unfortunately, in the absence of consensus and an improved coordinated global response in the digital world, the only alternative may be to enter a cyber arms race with cartels and nations states with a zero-sum position of Mutually Assured Digital Destruction (MADD) as a deterrent to cyberattacks. Ireland should lead such an alternative path.