This is how it feels to face a major cyber attack

Some of those at the centre of some of the biggest cyberattacks of last year have given advice on what happened on the day - here's what they learned and how you can plan to respond if you're attacked.
Written by Danny Palmer, Senior Writer

Intense, stressful, petrifying: those are just some of the words used to describe what it was to be at the centre of some of the biggest and most high profile cyber attacks to take place over the last year.

The WannaCry ransomware indiscriminately spread to infect organisations around the world but its impact was felt particularly harshly by the UK's National Health Service, with the attack taking hospitals and local clinics offline and leading to the disruption of patient care.

Some parts of the NHS took weeks to return to normal, but in the first hours of the attack, it was up to the organisation's security and technology teams to figure out what was going on and find a way to counter it.

Dan Taylor, head of security at NHS Digital, was just returning from lunch when it became apparent the NHS was under attack.

"NHS Digital wasn't affected, we were secure, but monitoring across the NHS network we could see organisations falling over," he said, speaking on a panel about reacting to cyberattacksat the National Cyber Security Centre's CYBERUK conference in Manchester.

"It was petrifying," he said, describing how thoughts immediately turned to how the incident was going to impact patient care. "We don't deal in the bottom line, it isn't about balance sheets, it's about patient care and you have to have that focus."

While there was a certain amount of adrenaline fuelling the team in those first few hours, Taylor said having a plan in place and being able to stick to it was crucial.

"You kind of have to embrace the panic and the fear, that adrenaline gets you through the first few minutes. But also it brings a kind of composure, going back to our plan, looking at how to do it internally," he said.

Taylor's comments on the initial reaction to a cyberattack were echoed by Yochana Henderson, head of identity management at Parliamentary Digital. She was also forced to deal with a cyberattack, when hackers targeted the Houses of Parliament last year.

Unlike the WannaCry outbreak, the attack against Parliament gained speed slowly.

"One of the main things we had to look at was 'where are they going to hit next'? Just because that initial attack was over and we'd stopped it, didn't mean they weren't going to use anything else," she said.

See also: Cyberwar: A guide to the frightening future of online conflict

However, it soon became clear the attackers knew they were being watched. "They knew that we knew, so they ramped up their attack against us," Henderson said.

She described the incident as "very stressful" and "extremely intense", but also said the incident brought out a competitive side of the team.

"If someone is attacking you, you take it personally. Reputationally, you're thinking about your organisation and you want to win," Henderson said.

"But that got us through it. We got stuck in, people didn't go to sleep for thirty-something hours, people didn't go home, they stayed and it was all because of a good team effort, but also because of the intense, competitive nature of the environment," she added.

The situation was similar at the NHS during WannaCry, with staff willing to do whatever it took to fight against the attack and ensure systems were up and running as soon as possible.

"I gave a stand up to my team on the Monday morning, 72 hours later, and I was quite emotional because I was absolutely humbled at the effort of NHS Digital, not just the security team or the IT team, everybody in the organisation," said Taylor, who described how staff travelled across the country to help.

"If I said to someone 'I need to send you to East Lancs' now, nobody said 'no'. If I said 'I need to send you to Exeter', they went.

"For me, being able to hang off that team, to be able to see what they did, it was a seminal moment in my career, as it was really humbling and they deserve all the credit for what they did in that time," he said.

However, in both the case of the NHS WannaCry incident and the attack against Parliament, things don't just go back to normal as soon as the offensive action ceased: there's work to do after that issue to ensure essential systems are up and running as soon as possible.

"Another thing we learnt really well on the Monday was what is it that we need for our business to run. A lot of the time, you're not going to have all of your services up and running after an attack, but you need to prioritise Parliament: Parliament has to sit, the committees have to run, democracy has to carry on working," said Henderson. "The incident doesn't finish when your attack finishes."


In aftermath of the WannaCry attack, the NHS has taken the time to reflect on what happened and ensure all the plans and procedure are in place to ensure systems can cope with something similar in future - and that lessons have been learned from things that went wrong, such as failing to properly test the responses to such an event.

"We had good, robust planning, we had good internal plans to support us, but it had not been fully tested, it hadn't been through the rigorous amount of testing that we would've liked. There were mistakes in communication and we could've done things better," said Taylor.

"It's all about making sure you have that plan and testing that plan very early, because the thing we've done since that is test and test and test again, so if it does happen, hopefully we'll be in a much better position."

And for Taylor, it's only a matter of time before the NHS needs to face another large cyber incident.

"What WannaCry was, was a shot across our bows," he said. "But it was not the be all and end all incident for health care - that day will come, something new will happen, there will be another WannaCry. It will be different to what it was in May last year."

The National Cyber Security Centre (NCSC) played a role in the immediate and long-term reactions to both events, with the cyber arm of GCHQ previously describing WannaCry as its toughest challenge of the year. The NCSC was also at hand in Manchester to provide advice to organisations on what they can do if they find themselves to be victims of a cyberattack, particularly a sustained incident.

"It's about process, knowing what you'd do organisationally, who's available, who your SMEs are, that whole plan. Do you have a plan you can take off the shelf? That's really important," said Paul Chichester, Director of Operations at NCSC.

"Expect a breach, put an effort into testing it and exercising it. Be prepared is the key message: that will put you in a much, much greater place to help work with us when dealing with these," he said.


Editorial standards