UK government at high risk of catastrophic ransomware attack, Joint Committee report warns

There is a high risk that the Government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking. If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority.

A report released Wednesday by the U.K. Joint Committee on the National Security Strategy, published by the authority of the House of Commons and the House of Lords, found that there is a high risk the government will face a ‘catastrophic ransomware attack at any moment and that its planning will be found lacking.’ The majority of ransomware attacks against the U.K. come from Russian-speaking perpetrators, and the Russian Government’s tacit (or even explicit) approval of this activity is consistent with the Kremlin’s disruptive, zero-sum-game approach to the West.

Titled ‘A hostage to fortune: ransomware and U.K. national security,’ the Joint Committee report identified that the government and the National Cyber Security Centre (NCSC) have focused their counter-ransomware efforts predominantly on resilience. “Nevertheless, large swathes of U.K. critical national infrastructure (CNI) remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems, and we have particular concerns about cash-strapped sectors such as health and local government,” it added. 

The report said that “if the U.K. is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the U.K.’s national security.”

It also recognized that supply chains are particularly vulnerable and have been described by the National Crime Agency (NCA) as the ‘soft underbelly’ of CNI. “As a result of these vulnerabilities, a coordinated and targeted attack has the potential to take down large parts of U.K. CNI and public services, causing severe damage to the economy and to everyday life in the U.K.”

The same Joint Committee examined the government’s preparations for the COVID-19 pandemic in 2020, considering the lessons learned from preparing for a known risk with a high potential impact. It found that the government had not adequately prepared for a pandemic, despite being aware of the increasing likelihood of such a scenario occurring.

Recognizing that the government is at risk of making the same mistake again, the Committee report said that it knows that the possibility of a major ransomware attack is high, yet it is failing to invest sufficiently to prevent catastrophic costs later on. “There will be no excuse for this approach when a major crisis occurs, and it will rightly be seen as a strategic failure. If the U.K. is to avoid being held hostage to fortune and avoid electoral interference it is vital that ransomware becomes a more pressing political priority, and that further substantial resource be devoted to tackling this pernicious threat to the U.K.’s national security,” it added. 

Given the poor implementation of existing cyber resilience regulations, the report said, the government should scope the feasibility of establishing a cross-sector regulator on CNI cyber resilience.

The Home Office claims the lead on ransomware as a national security risk and policy issue. Still, the former Home Secretary showed no interest in the topic, according to the Joint Committee report. “It has been suggested by some observers that clear political priority in the Home Office is given instead to other issues, such as illegal migration and small boats. In line with many other aspects of cyber security, and to ensure that it is treated as a cross-government national security priority, responsibility for tackling ransomware should be transferred from the Home Office to the Cabinet Office, in partnership with the NCSC and NCA. It should also be overseen directly by the Deputy Prime Minister,” it added.

“As part of the National Exercise Programme, it should also hold regular national exercises to prepare for the impact of a major national ransomware attack affecting multiple CNI sectors, engaging CNI operators to stress-test their response and ensure a swift recovery,” according to the Joint Committee report. “In addition, the NCSC should be funded to establish an enhanced and dedicated local authority resilience programme, including intensive support for local exercising and on securing council supply chains.”

Furthermore, the report pointed out that the impact of a ransomware attack on its victims is significant, with many organizations taking months to recover. “Despite this, most victims currently receive next-to-no support from law enforcement or Government agencies. The NCSC and National Crime Agency (NCA) should be funded to provide support to all public sector victims of ransomware, to the point of full recovery. Cyber insurance can also be a vital source of support, but there remains a woeful lack of coverage.” 

It also added that the government should work with the insurance sector to establish a re-insurance scheme for major cyber-attacks, to ensure the sustainability and accessibility of the market. It should also establish a central reporting mechanism for ransomware attacks, to ensure that it has a full understanding of the nature and scale of the threat, and how best to tackle it.

The government has published an ambitious National Cyber Strategy (NCS), but its progress reporting could be better. The National Audit Office (NAO) should review the Government’s implementation of the NCS, and the Government should establish a National Security Council sub-committee, to oversee progress against each of the Strategy’s five ‘pillars’ at least twice per year. 

Also, the NCA is locked in an uphill struggle against the ransomware threat, with insufficient resources and capabilities to match the scale of this challenge. The government should invest significantly more resources in the NCA’s response to ransomware, enabling it to pursue a more aggressive approach to infiltrating and disrupting ransomware operators. It should also address the pay parity between police and NCA officers, and invest sufficiently in the skills needed to track and seize ransomware criminals’ cryptocurrency earnings.

The Joint Committee report calls for significant efforts to enhance the U.K.’s cyber resilience, with particular attention paid to major operators of CNI. It also said that the government must scope the feasibility of establishing a cross-sector regulator on CNI cyber resilience to oversee the implementation of the NIS regulations and to make recommendations for investment and legislative reform, and it ‘should report back to us on the outcome of this scoping work by March 2024.’

As part of the National Exercise Programme, the government should hold regular national exercises to prepare for the impact of a major national ransomware attack affecting multiple CNI sectors, engaging CNI operators to stress-test their response and ensure a swift recovery. It should also ensure that the insights from these exercises are fed back to lead government departments and regulators so that they enhance preparations for future potential attacks. The NCSC should be funded to establish an enhanced and dedicated local authority cyber resilience program, including intensive support for local exercising and securing council supply chains.
