Jaguar Land Rover to M&S: our cyber policy blind spot

In the wake of a cyber attack that has halted Jaguar Land Rover’s computer systems and production lines, Ciaran Martin, Professor of Practice in the Management of Public Organisations, argues that global cyber policy tends to prioritise data protection over safeguarding service provision – despite the greater threat to public safety.


Suppose I told you that two bad things could happen to you. 

One is that when you were asleep or away, someone breaks into your house and takes photographs of your bank account details, your mortgage, and health records, leaving you extremely vulnerable to fraud and theft. The other is that someone assaults you, punching you repeatedly in the face and then breaks your legs, rendering you unable to work for months.

No sane person will wish either of these outcomes on themselves. They are also unlikely to view these options in the same way. Yet somehow in cyber we’ve come to adopt the all-embracing term of ‘cyber attack’ to encompass the digital equivalent of very different crimes – data breaches and service disruption. And that distortion has crept its way into global public policy too. 

So much for the hypotheticals. Here’s a far more serious, and very real, example. 

In 2021, a criminal gang from Russia targeted a public body in Ireland called the Health Service Executive (HSE) in a cyber attack. The HSE is responsible for providing primary care services across the country. 

From an early stage, it was clear this attack had caused a national-level disaster. Appointments were cancelled and cancer diagnostic services were delayed. Maternity services were severely restricted. All radiology, including CT scans and radiotherapy, ground to a halt. The full extent of the consequences can probably never be accurately estimated. But by bringing the national healthcare system of a wealthy EU nation to a juddering halt, this can be considered one of the worst cyber attacks of all time. 

The purpose of the operation was to extort money. The hackers – who called themselves the Conti Group and who would go on to bring about the first ever state of emergency declaration by a national Government over a cyber attack in Costa Rica a few months later – demanded $20 million in cryptocurrency to unlock the network and restore services. 

In line with longstanding state policy, the Irish Government held firm against paying. So, after four days of a standoff, to put pressure on the government, the Conti Group released a small amount of confidential personal medical data, threatening to release more if payment was not made. 

And here’s the extraordinary thing: at that point, and at that point only, the HSE was required to report itself to regulatory authorities for failure to uphold its legal obligations. When the organisation was entirely unable to fulfil its core function of allocating healthcare, it hadn’t breached the law. But when it lost a few bits of personal data, it was time for full-on regulatory enforcement. 

It is not an exaggeration to say that prior to the attack, those working on the cyber security of Ireland’s healthcare system were incentivised to prioritise the security of medical records over the ability to provide healthcare. As one person involved in the clean-up operation in Ireland put it: “the message, in effect, was: ‘we’re sorry that we’ve had to cancel your potentially life-saving operation, but your email is safe’”. 

Unsurprisingly, since this crisis Irish law, along with much of wider EU law, has changed to require critical service providers to take their continuity-of-service obligations much more seriously. But the pendulum has not swung far enough. 

Obligations to prevent these types of disruptive cyber attacks, such as they exist, tend to apply only to whatever a country defines as critical infrastructure. Not only is deciding what counts as critical infrastructure difficult and often subjective, it sits alongside data protection rules that apply to all companies and organisations, whether they hold much sensitive data or not. And at the same time, disruptive attacks are on the increase. 

Consider events in Britain this year. There have been high-profile disruptions at three iconic British brands – Marks and Spencer, the Co-op, and, more recently, Jaguar Land Rover. All three companies are famous, but none is regarded as critical infrastructure, because the nation as a whole can cope without them for a while fairly easily (though some more remote areas of Scotland depend heavily on the Co-op for food retail). M&S have said they lost some £300 million, mostly because of empty shelves and the inability to sell online. Elsewhere in the western world we’ve seen disruptions at Belgian breweries, American steelmakers, and a French electronics firm over the past two years. 

These are serious economic disruptions with real life consequences for jobs, services and economic security. But for all of the companies involved, unless they face a situation like this, they will always be told to prioritise data security. To make matters worse, most of these companies will hold plenty of personal data, but not of the terribly sensitive sort. Banks hold sensitive citizen data. So do healthcare providers. By and large, the likes of brewers and carmakers don’t. 

A carmaker's customer records contain information similar to what used to be publicly available in what those of us of a certain age called the telephone directory, plus an email address. It is useful to criminals as a building block for later attempts at fraud. It matters. But it is not the keys to your financial kingdom. 

Laws that don’t distinguish between different types of datasets, and laws that prioritise data security over the ability to keep things running, make no sense. The disruptive threat is growing, not just from criminals but as a potential tool of nations too – the West has accused China of preparing these types of cyber attacks against critical infrastructure in the event of conflict.

Data security matters. But more often than not, keeping going matters more. So maybe it’s time to look past our obsession with protecting data above all else and focus on keeping the switches on too.