The first sign of the unfolding nightmare came by way of a text to his mobile phone. “I can’t get into the system,” the colleague’s message read. “Seems a bit strange”.
It was Christmas Eve and Terry A’Hearn was, like most people, preparing to wind down for the holiday period. He replied that he would chat to someone and carried on with his breakfast, as he normally would, before the fateful call came at around 10am. “It was our head of governance who said ‘it looks like we’ve had a cyber-attack’,” recalls A’Hearn, chief executive of the Scottish Environment Protection Agency (Sepa). “We had a quick chat about what that means, and what do we do next.”
He added: “But we pretty quickly got a handle that it was big. We’d been locked out.”
Sepa had been hit by a devastating ransomware attack that meant its 1,200 staff could no longer gain access to their corporate network. That meant no emails, no access to files, and a curtailed ability to go about the agency’s core purpose: to protect the environment. When most people up and down the country were putting the final touches to a scaled-down Christmas, a tumultuous year for Sepa and its staff was about to get even worse. Fortunately, to some extent at least, the agency – which responds to emergency environmental events – had a built-in crisis mode.
A’Hearn, who has run environmental protection agencies in the UK and his native Australia, immediately convened an emergency management team meeting, to work out what to do next. He and his colleagues held three meetings that day, and on Christmas Day an incident manager and the IT team worked flat out to see what, if anything, could be done to salvage the network. Then, on Boxing Day, another emergency meeting was held as A’Hearn and his colleagues got into what would become a regular working pattern over the next couple of months.
I speak to A’Hearn two months after the cyber-attack and following his first somewhat cathartic experience of reflecting on the lessons learned at FutureScot’s Public Sector Cyber Resilience virtual conference. There are a lot of things he cannot say, understandably, as the ransomware attack is still under investigation by Police Scotland and the National Cyber Security Centre (NCSC), who became involved on the first day of the attack. But through our own inquiries – via global darknet threat intelligence analyst Kela, based in Israel – we established that the attack was carried out by a ransomware group calling itself Conti. That investigation, in turn, raised further questions – substantiated by the New York cyber firm Crowdstrike – that the ransomware “variant” may ultimately be controlled by a co-ordinated hacking entity called Wizard Spider, which has alleged links to Russian organised crime.
Understandably, A’Hearn is unable to corroborate any of that information, but falling victim to a global rise in such “big game hunting” cyber-attacks has inevitably had major repercussions for Scotland’s cyber defences as a whole. A’Hearn was complimented at the FutureScot conference for his “moral courage” in facing down the hackers, who not only downed the network but stole valuable data. Sepa chose not to pay the ransom – demanded in bitcoin – but was further punished for that refusal. The agency was threatened with having its data published on the dark web, in a method known in hacking forums as the “double extort”.
But A’Hearn, informed by Police Scotland, NCSC and the Scottish Business Resilience Centre (SBRC) – whom he credits for their expertise and support throughout – took a stance. “I think it was clear once we worked with other partners that the right thing to do was not to pay the ransom. That had some implications, but I just think the idea of using public money to pay the criminals a ransom is just not an easy thing to do,” he says. On 13 January, the hackers started to release Sepa data in stages and across seven days of activity a 1.2 gigabyte cache of more than 4,000 files was published. Throughout the gut-wrenching process, A’Hearn and the agency have been open and transparent at every step, publicly revealing that it had been a victim, when many might have wanted to deal with their anguish in private.
A’Hearn’s main concern has been for his staff, who were already struggling with the exigencies of home working and, in some cases, isolation. To help, he instituted weekly videoconferencing drop-in chats on an internal platform that still worked and set up a messaging service, both of which were welcomed. He also extended identity fraud protection to ex-staff, as well as offering antivirus software for any who needed it on their laptops. The workforce “really pulled together”, A’Hearn added, and he speaks in glowing terms of the professionalism of teams who figured out how to carry on vital work like flood monitoring.
“We’re pretty practised at saying, ‘Right, what’s going on? What do we need to do?’ Getting our flood alerts and warnings is the most critical and immediate thing we do, as in the worst-case scenario that is life and death. We were able to do that in the first couple of days and it was great. The flooding guys said the weather forecasts are that it’s going to be dry for the next week; that gave us the week to prioritise underpinning the system, we were able to do the same thing in a week’s time.”
In successive days, the agency worked on recovering core services which range from issuing licences for septic tanks, to dealing with hazardous waste. Sepa has literally thousands of customers on its database, spanning 34 sectors of the economy. Much of the work has been done via third parties, such as industry trade associations, which have helped Sepa issue information to stakeholders. Whilst the situation is recoverable in those instances, there is a lot of data Sepa is resigned to losing. But A’Hearn is sanguine.
“We may have lost a lot of water quality monitoring data, but when we rock up to a river or a loch – when we get back out in the field – will the river or the loch notice that we don’t have its historical data?” he says. “To do what we need to do next, how much do we need that historical data? In some cases it will be absolutely fundamental but in some cases won’t matter as much.”
Sepa has started to rebuild functionality, too, with Scottish Government laptops and temporary email addresses due to move back within Sepa’s own architecture – under a new Microsoft licence – soon. But the road is long, and “building back better” is going to take time, and a new security approach. On that front, Police Scotland has told Sepa that it was actually “well protected”, according to A’Hearn, which is perhaps a salutary warning to other organisations who will be feeling the need to increase their own vigilance in the wake of Sepa’s experience.
A’Hearn is clear that he wants a leaner, more cohesive approach to IT. An organisation such as Sepa, which is 25 years old in April, has inevitably been built on a patchwork of systems developed sometimes incongruously over the years. “What I want as we redevelop our systems is that we have this overwhelming, powerful focus on what is the business need we’re trying to address. And then we build the simplest and smallest number of IT systems to support our business needs,” says A’Hearn.
He adds: “What we have done in the first two months has been essential, although we’ve only done a small proportion of what we need to do to recover. But I think we’ve done well enough, with lots of support from others, to put us in a position where it’s in our own hands now. We’ve got a very long road ahead of us, but I think we’re in a position where we can make a success of it.”