This blog post was originally published for the CS-AWARE-NEXT project: https://www.cs-aware-next.eu/

Don’t remember if have heard of this incident before, but this could actually be a great base scenario for CS-AWARE-NEXT. It is about the May 2021 ransomware attack on the Health Service Executive (HSE).

At the end of the year 2021, a report was published, that had been commissioned by the Health Services Executive (“HSE”). The report counts about 100 pages – so it is not what one might regard as a convenient reading for an evening discussion. However, there are many generic cybersecurity issues that the report raises that are to be addressed in the CS-AWARE-NEXT project

As the authors of the report note, “a number of the vulnerabilities that the ransomware attack highlighted are not unique to the HSE, and issues identified in this report will be found in other organisations”, concluding that “All organisations therefore need to consider the extent to which they are protected from a major cyber incident, and be prepared to respond and recover should they experience such an event” [page 12 of the PwC Independent Post Incident Review 2021].

There are two trends to identify here: On the one side, there is the European Union lawmakers that take a fast pace and propose a new set of rules to apply to smart devices so anything like an Internet-connected ‘smart’ washing machines or connected robot vacuum cleaners or toys, so any products that include or posses ‘digital elements’ so that these shall are shipped with features that take care for security support against several types of vulnerabilities – this is what the EU Cyber Resilience Act is about, and the President of the Commission, Dr. Ursula von der Leyen, epitomised its value very well, saying that “If everything is connected, everything can be hacked.” You would agree that sometimes politicians may bring us to the point faster than any scientists or domain experts. So far so good.

On the other side, one may see the large number of public organisations that (such as the NHS in the UK) professionally fail to see the need for cyber security strategy and leadership. One may always ‘buy’ services from 3rd parties – this is the case of local public administrations purchasing, as we expect to happen, from CS-AWARE Corporation as the main vehicle for exploitation of the project results, services that will allow them to protect themselves from malicious attacks. But to reach this level, a public administration needs to become aware of the threats they are facing and the risks that ignorance can cause to their daily operations and whatever they regard as their ‘core business’.

For this, we see the need to invest on a continuous process of nurturing leads that will allow us to consciously and purposefully engage our target customers by offering to them all types of relevant information and supporting them in all possible ways. It is in this respect that reports like the aforementioned Independent Post Incident Review may read like advertisement for CS-AWARE-NEXT.

We can imagine three excuses many of our target customers (and also targets of potentially future cyber attacks) may articulate:

  • We are too small – something like this may never happen to us!
  • Even if it happens, there will be some (higher-ranked) government service that will come to rescue us, and last but not least:
  • Even if we wanted to acquire the CS-AWARE service, we don’t have the money or we don’t have the human resources to apply it to our organisation.

As already mentioned, all three aforementioned are excuses. To each of them we offer as a consortium an open platform for organisations to contact us and, most importantly, to connect with us in order to acquire all the necessary know-how and build basic capacities that will help them improve their awareness and competence levels.

Finally, we plan to operate a support office to assist them to access to funding.

– The CS-AWARE Team.