Before we get to the meat of this article, let us begin by noting this moment of remarkable arrogance from the Health Minister:
“The Health Minister said it’s “distasteful” that legal firms are already planning on suing the State on behalf of patients whose data has been breached.
“I think it has been a little distasteful,” he said. “I have seen some legal firms already advertising, potentially licking their lips, at the thoughts of being able to sue the State.
“If there are cases to be taken, then people have a right to take those cases but certainly I find it – when we are in the middle of trying to get urgent healthcare services back up and running for sick patients – I certainly find it very distasteful that any law firm would be putting stuff up on their websites to that end.”
Is it really “distasteful”?
The state, after all, is the entity which passed laws about data protection, which it expects every private entity to uphold. For the past month, we have had the spectacle of Government politicians (perfectly fairly) raising queries about the security of voter data held by Sinn Fein. The state funds a data protection commission, with wide powers, to ensure the privacy of people’s data.
Indeed, for some years now, Government policy has actively encouraged people who are victims of a data breach to take legal action.
Why is it “distasteful”, suddenly?
To be fair to Donnelly, he was not calling those who might sue “distasteful”. He was explicitly referring to those law firms who are already advertising for clients – much like those law firms who run adverts beginning “have you suffered an injury that was not your fault?”.
But that, Minister, is perfectly legal. And if these law firms are not going to inform people that they have a right to sue, then who will? Because the Government is hardly going to tell them, is it?
Ultimately, members of the public trusted the HSE with their personal information, and the HSE has failed them. What is more, the failures are clear and obvious: The Government left the position of head of its own cybersecurity agency vacant for a year. The Government had repeated warnings, from experts, that its cybersecurity measures were insufficient. People whose data has been leaked onto the internet have been as much a victim, arguably, of Government negligence as they have been of criminal hackers.
Anyway, that is not why you clicked, is it?
You came to read a dopey argument for paying the ransom, and we cannot disappoint you, so here it is: What, exactly, is the resistance to paying the ransom about? Well, last night, the state announced that it had acquired a “decryption key”, from sources unknown, and we were informed (emphasis added) that “no ransom was paid by the Irish State”. Odd phrasing, no? They could just have said “no ransom was paid”, if that was all they wished to communicate.
Presumably, the number one concern about having the state pay a ransom is that paying the ransom would incentivise future attacks. Pay them for HSE data this week, and they will be back hacking social welfare data next week.
The problem with that analysis, of course, is that they will be back anyway. The data itself is potentially valuable, after all, in the wrong hands. Maybe not as valuable as the ransom, but valuable. If it is not this specific group of hackers, it will be another group. This is the era we live in now: For the foreseeable future, Governments and Corporations alike will have to contend with the perennial risk of a devastating ransomware attack.
Second, the hackers have no incentive to reveal, in public, that they were paid a ransom. What are they going to do, put out a press release? That would be bad for business, because it would disincentivise any future victims from paying a ransom, knowing that the fact that they did so would become public, and would hurt their prestige.
Third, and most importantly, time is of the essence, here. Ireland, frankly, cannot afford weeks and weeks of chaos in the health service. The costs of that chaos, in the medium to long term, could vastly outweigh the costs of the ransom. There is a strong argument for just paying it, and then investing heavily in both cybersecurity, and an international criminal investigation. Maybe give them the €20m, and then put another €20m up as a reward for anyone who turns them in to the authorities.
The biggest problem, when it comes to paying a ransom, is probably an accounting one. If the Government could have secretly paid the ransom, they probably would have done so already. The difficulty is that they cannot pay it, and conceal the matter from the public accounts committee. And, since paying the ransom would hurt their prestige, and probably cost them lots of votes, they are a bit stuck. Which brings us back, of course, to the statement above: “No ransom was paid by the Irish State”. Would it be surprising to anybody if some security consultants were paid a fee of, say, €22m for their assistance in resolving the hack?
Anyway, regardless, the price of this failure is going to be lots of lawsuits from angry people, and a massive investment to get the system back online. Imagine how much cheaper it would have been just to take cybersecurity seriously in the first place.