Table of Contents
Introduction
The global trend of institutional hacking has left many people asking why hospitals are vulnerable to such cyber-attack which goes a long way to affect the quality of health services. This article is purposed to illustrate how hackers infect institutional computers with malicious software that enables them to control the computers. The issue on global trends of institutional hacking is significant in the sense that it will allow institutions to be circumspect of the various techniques used by hackers to infect computers and have access to important information. One of the findings which is complex and continues to pose challenges to users’ security and confidence on the use the internet is botnet (Warner, 2012, p. 789). Botnet is found to be used for many purposes such as stealing confidential information or passwords, launch attacks on public or private networks and many other malicious uses. The findings indicate that irrespective of the threat of that botnet poses, steps can be taken to control the impact it has on institutions.
Background
Global trends on institutional hacking
Recently, there have been several cyber-attacks which have crippled institutions like NHS, international shippers FedEx and many other computers in over 150 countries. Reports on recent cyber-attacks indicate that over 300,000 computers across the world have been affected (Jang-Jaccard et al, 2015, p. 975). Countries which were most affected include Russia, Taiwan, Ukraine and India. One of such attacks is the spread of ransomware known as WannaCry which, according to Rid (2012, p. 10), is described as the biggest outbreak of ransomware in the history of cyber-attacks. The attack is launched after recipients of emails are tricked to open an attachment and after the attached file is opened the hackers release malware onto the computer. When the malware is released, it locks up every file on the computer making it difficult to access. The health service requires specifics attention and protection from hacking because people’s health information which is to be confidential is involved. This is one reason why the value and importance of health information is necessary to be protected from hacking. When the health information about top government officials, celebrities and ordinary citizens are hacked and published online, it will have serious implications which can even lead to the death of the person.
Causes or reasons why public institutions have become a target
According to Lindsay (2015, p. 60), public institutions have become a target of cyber-attacks because the hackers are motivated by reasons of scoring political or social point through cyber-terrorism. Padmanabhan (2012, p. 195) defines cyber-terrorism as the activity of hackers that result in violent acts such as large-scale disruption of computer networks through malicious scripts in order to score political points.
In cyber terrorism, the interest of hackers is geared towards accessing information of public institution with the intention of causing damages to their intended target. Hampson (2012, p. 511) indicated that when classified information are hacked, the information mostly ends up on Wikileaks for public consumption. A critical example of cyber-terrorism is the issue involving the breach at Mossack Fonseca and the subsequent publishing of the Panama papers (Thompson, 2016, p. 45). Sensitive information leaked by the hackers published institutions caught up in the scandal. Another reason for cyber-terrorism on public institutions according to Sommer et al (2011, p. 524) is to prevent their target from carrying out their routine activities. Cases of such attacks including Denial of Service or DoS are mostly directed at government institutions and political bodies.
In the view of Hughes (2010, p. 525), public institutions have become the target of cyber-attacks because of financial motivations. Public institution such as health service systems keeps sensitive information and for which reason hackers attack the institution and sell the information to marketers. Cyber-attacks motivated by financial demands come in the form of blackmail and it has an effect on the institution. The hackers operate by taken over the institution’s computer and offer to reinstate access to the computer only when a ransom is paid to them (Thompson, 2016, 49). An example of cyber-attack which occurred recently is WannaCry ransomware which encrypt every file in the computer and demands a ransom in order to decrypt the file. The attack saw more than 300,000 computers affected and a ransom demanded to unlock the victim’s files.
Issue
Hacking as a possibility at the NHS
Financial motivation and cyber-terrorism are the basis to state that the NHS could clearly become a target of possible cyber-attacks (Valeriano et al, 2014, p. 350). Since most of the attacks launched by these hackers are motivated by financial gain, hackers would definitely want to attack institutions that hold vital information of government official, celebrities and ordinary citizens. The hackers are always determined to blackmail individuals and institutions with classified information and hold those affected to ransom until some required amount of money is paid. Financial motivation makes it possible that hacking is possible at the NHS. Another issue that makes cyber-attacks possible at NHS has to do with the political and social points that the hackers achieve through cyber-terrorism. Cyber-terrorism through a system known as phishing vishing helps the hackers to acquire enough information needed to launch an attack (Dunn Cavelty, 2014, p. 710). What makes the NHS prone to cyber-attack stem from the availability of classified medical information which can help the hackers to make a political or social point.
Challenges in addressing the issue
Hackers are constantly becoming complicated and advanced in their technique: One reason which explains the challenges is that hackers are constantly becoming complicated and advanced in their technique (Jarvis et al, 2014, p. 70). Hackers used several programs to explore computers and networks of their target group. The malicious programs developed by the hackers allow them to log keystrokes. Once the keystroke is logged into the victim’s computer, hackers will be able to record each stroke of the computer and then access every data they needs. Others also gain backdoor access of their victim’s computers and then create different programs that search for unprotected pathways into networks systems and computers. Rid (2012, p. 15) mentioned that most hackers use fuzzing or fault injection to penetrate the source code of individual and institutional computers by inputting different code to crash the system. Several other sophisticated techniques used by hackers include denial of service attack, viruses, worms, trojans, malicious code, phishing, botnets and ransomware. These techniques are used by hackers to take advantage of security flaws in Window XP and the moment after the computer is infected, it will encrypt all files in the computer and spread to other computers.
Low levels of Cyber security infrastructure investment: In the view of Warner (2012, p. 791), the challenge in addressing the issue is attributed to low level of cyber security infrastructure investment especially technologies that make it hard to break into the systems and those that conduct surveillance on activities of users of computers of the NHS. Cyber security protection is needed to protect the economic, social prosperity and cyerspace-reliant society against cyber-threats. Although, there has been an increasing rate of attacks by hacker, the level of investment in cyber security needed to fight the attack is low. Thompson (2016, p. 47) mentioned that, investment on products needed to fight against cybercrime is estimated at $1 trillion from now until 2021 as compared to cybercrime damages estimated at $6 trillion from now until 2021. The figure presented shows how slow industries are investing in the fight against cyber-attacks. In recent times, companies are beginning to strengthen their cyber-security strategies; however, their efforts are not complementing the current trend of cyber-attacks.
Low levels of capacity building for employees on how to guard against hacking threats: Padmanabhan (2012, p. 200) indicate that the challenges in addressing the issue of cyber-attack is linked to low level of capacity building for employees on how to guard against hacking threats. Looking at how the cyberspace is networked and without borders, the danger of the attack is not limited only to one industry but several others are vulnerable to the attack. What it means is that when a company has a weak cyber security, it does not only affect the company but rather it affects a large share of companies globally. It is for this reason that cyber security capacity building is needed to control the rate of the attack on industries. Cyber security capacity building seeks to develop individual in an organization to obtain and retain the skills and knowledge need to guard against hacking threats (Lindsay, 2015, p. 63). In most companies, employees are not taking through processes that will enable them to detect malicious messages that can expose the company to hackers.
Approaches to solving the issue
Thinking huge and bringing others on board: The authorities can approach the issue with a stated goal and this should give a direction that will transform the entire operations at NHS. The ability to do this requires a collective collaboration of all employees in the sector. According to Hughes (2010, p. 540), such approach will bring people with different talents together. In the world of creativity, individual with great talents are needed to join heads together. In the view of Valeriano et al (2014, p. 358), when people with great talent are brought together for a common purpose of fighting against hacking at NHS, there is high probability that something profound would be produced at the end. In this case, a collective effort all employees within NHS with huge thinking must come together to take the opportunity to experience and build up strategies to solve the problem associated with hacking. Getting others to think with you in order to solve the issue of cyber-attack is determined by the ability of authorities of NHS to hack great team work who will work to bring a vision required to solve the threat of cyber-attacks.
Identifying problems specific to ones space: Another approach to solving the issue of cyber-attack according to Jarvis et al (2014, p. 88) is to reinvent the operational and system experience by first identifying major issues of cyber threats at NHS. To achieve this, authorities should brainstorm employee and acquaint them for with resources needed to identify the issue of cyber threats within the NHS sector. By way of identifying the specific problems associated with cyber-attacks, different method can be derived to offer solution and response to the problem associated with cyber-attacks. In the view of Dunn Cavelty (2014, p. 713), this approach is considered as one of the most effective ways through which NHS can be transformed. This means that high levels of vision should be a concrete and more manageable approach. Warner (2012, p. 793) mentioned that in order to achieve this, it is important that authorities at NHS move from simply dreaming but rather move into defining the problems of hacking which needs to be solved. How fast authority move from vision to developing problem statement will determine how efficient they can innovate in order to guard against cyber threats.
Breakdown the problem and identify specific solutions: The concept of cyber-attack is complex and can have so many issues surrounding it. Because of its complexity, it is often difficult to dig into it and analyze them for possible solutions which will enable authorities to guard against the threat. Fighting cyber-terrorism at NHS is difficult; however, authorities can adopt a technique that will enable them to focus their attention on finding the key drivers of the attack (Rid, 2012, p. 22). In order words, the problems can be broken down and the salient aspect of the problems which need to be solved will be greeted with specific solutions. Hughes (2010, p. 540) mentioned that if an organization such as NHS is finding solution to cyber threats, it is recommended that the problem should be broken down to enable the authorities to identify different ways that can potentially help them in solving the problem. Once the authorities are able to narrow in on the specific problem to solve in relation to cyber threat, they will be able to guard against the threat.
Apply solutions holistically: According to Thomson (2016, p. 47), authorities at NHS must apply solutions holistically to counter the problem of cyber threats. With this approach, it should be noted that when the authorities simply isolate the problem of cyber threat to solve will not yield fruitful result. The effectiveness of the solution identified would depend largely on aligning on a unified approach rather than isolation (Rid, 2012, p. 17). This can be done through brainstorming so that a spontaneous discussion would be done to produce ideas and ways of solving the problem. Technically, the discussion held during brainstorming will enable them to decide on the solution that needs to be applied on cyber-attack. Again, aftermath of the discussion would present opportunities which need to fix the specific problem associated with cyber-crime. It is possible that as the authorities brainstorm, there would be challenges and once these challenges are fixed, the approach is deemed workable.
Implications of the research
The current trend of cyber-attacks has really become a major problem to deal with especially in NHS. The need to guard against the threat is seen as an essential for which reason effort should be put in place to reduce the rate of attack. On the contrary, when nothing or little is done and NHS fall a victim to the attack, it can go a long way to impact the financial capacity of the institution. Any attack launch on NHS means that authorities would have to spend month and years to recover from the attack and would require the hospital to spend more money than what is expected in an attempt to recovery process. If nothing is done to control or the guard against the attack, it will jeopardize the safety of patients and employees. Since the privacy and security of patient and employees information are very vital, anything done to make it public will affect the reputation of both the patient and the hospital as a whole.
Practical Recommendations
Investing in cyber security infrastructure: A deep look at the rate of cyber threats and how it is growing in a big way requires huge investment in cyber security infrastructure. Because of the current trend of attack on institutions across the world, cyber security infrastructure has become very important area worthy of investing and it is important that companies respond to it accordingly. The need to invest in cyber security infrastructure is again essential for institutions as a result of ongoing digitization and increasing connections to the critical infrastructure. Any sabotage will lead to a disruption of critical infrastructure and important sectors globally.
More capacity building for employees is needed: Because capacity building helps employees to improve upon their effectiveness at work, it is important to conduct more capacity building for employees. The nature of cyberspace and how it is networked makes the threat of cyber-attack difficult to control only by a small fraction of the entire sector. Employees should be equipped with knowledge and skills needed to circumvent and guard against cyber threat. For instance, employees can be taken through the deception associated with ransomware and how they can detect it in order not to fall victims.
Decentralising the NHS IT system: Decentralizing the NHS IT system involves a systematic effort to bring a dispersal of the IT system to several units within the organization. When the system is decentralized, it will facilitate diversification of activities and this will make it less likely to harm the whole system with a single attack. Apart from making the whole system less likely to harm, it will ensure that the sector attains maximum possible growth through such policy that ensures the creation of self-sufficient units under the coordination of one of a superior system. In this case it becomes difficult for hackers to have a total access to the entire files of NHS.
- Dunn Cavelty, M 2014 ‘Breaking the cyber security dilemma: aligning security needs and removing vulnerabilities’, Science Engineering & Ethics, vol. 20, no. 3, pp. 701-715, viewed 3 May 2017, <http://go.galegroup.com.ezproxy.lib.swin.edu.au/ps/i.do?&id=GALE|A322480762&v=2.1&u=swinburne1&it=r&p=AONE&sw=w&authCount=1>.
- Hampson, N 2012, ‘Hacktivism: a new breed of protest in a networked world’, Boston College International and Comparative Law Review, vol. 35, no. 6, p. 511, viewed 3 May 2017, http://web.b.ebscohost.com.ezproxy.lib.swin.edu.au/ehost/detail/detail?sid=5a2d15c5-03c1-4749-abe9-c4a65dfcc651%40sessionmgr103&vid=0&hid=115&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#AN=80131321&db=a9h
- Hughes, R 2010 ‘A treaty for cyberspace’, International Affairs, vol. 86, no. 2, pp. 523-541, viewed 3 May 2017, <http://onlinelibrary.wiley.com.ezproxy.lib.swin.edu.au/doi/10.1111/j.1468-2346.2010.00894.x/full>.
- Jang-Jaccard, J & Nepal, S 2015 ‘A survey of emerging threats in cybersecurity’, Journal of Computer and System Sciences, vol. 80, no. 5, pp. 973-993, viewed 3 May 2017, <http://www.sciencedirect.com.ezproxy.lib.swin.edu.au/science/article/pii/S0022000014000178>.
- Jarvis, L, Macdonald, S & Nouri, L 2014 ‘The cyberterrorism threat: findings from a survey of researchers’, Studies in Conflict & Terrorism, vol. 37, no. 1, pp. 68-90, viewed 3 May 2017, <http://dx.doi.org.ezproxy.lib.swin.edu.au/10.1080/1057610X.2014.853603>.
- Lindsay, J, R 2015 ‘Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack’, Journal of Cybersecurity, vol. 1, no. 1, pp. 53-67, viewed 3 May 2017, <http://go.galegroup.com.ezproxy.lib.swin.edu.au/ps/i.do?&id=GALE|A468851467&v=2.1&u=swinburne1&it=r&p=AONE&sw=w&authCount=1>.
- Padmanabhan, S 2012 ‘Hacking for Lulz1: employing expert hackers to combat cyberterrorism’, Vanderbilt Journal of Entertainment & Technology Law, vol. 15, no. 1, pp. 191-216, viewed 3 May 2017,
- Rid, T 2012 ‘Cyber war will not take place’, Journal of Cybersecurity, vol. 35, no. 1, pp. 5-32, viewed 3 May 2017, <http://www-tandfonline-com.ezproxy.lib.swin.edu.au/doi/abs/10.1080/01402390.2011.608939>.
- Sommer, P & Sommer, I 2011 ‘Reducing systemic cybersecurity risk’, OECD Research Report, pp. 5-8, viewed 3 May 2017 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1743384>.
- Thompson, M 2016 ‘The ADF and cyber warfare’, Australian Defence Force Journal, vol. 200, pp. 43-48, viewed 3 May 2017, https://commons.swinburne.edu.au/file/b3f3ace2-cb19-4d15-bd52-19137d31d797/1/1320-2545_vol.200Nov_Dec2016pp43-48.pdf
- Valeriano, B & Maness, R 2014 ‘The dynamics of cyber conflict between rival antagonists, 2001-11’, Journal of Peace Research, vol. 51, no. 3, pp. 347-360, viewed 3 May 2017, <http://journals.sagepub.com.ezproxy.lib.swin.edu.au/doi/abs/10.1177/0022343313518940>.
- Warner, M 2012 ‘Cybersecurity: a prehistory’, Intelligence and National Security, vol. 27, no. 5, pp. 781-799, viewed 3 May 2017, <http://www-tandfonline-com.ezproxy.lib.swin.edu.au/doi/abs/10.1080/02684527.2012.708530>.