The UK is at high risk of a “catastrophic” ransomware attack, with the government ill-prepared to deal with this threat, according to a new Parliamentary report.
The Joint Committee on the National Security Strategy found that “large swathes” of UK critical national infrastructure (CNI) are vulnerable to ransomware due to many of these services operating outdated IT systems, including legacy operational technology (OT).
The UK’s National Health Service (NHS) has a vast estate of legacy infrastructure, which puts it in a “particularly difficult position to protect itself from cyber-attacks,” the report noted.
The Committee cited the impact of the ransomware attack on the Government of Costa Rica in April 2022, which left large parts of the nation’s digital infrastructure paralyzed for months.
The UK has yet to experience such a coordinated attack across its CNI; however, the Costa Rican experience shows how rapidly a nation can be brought to its knees by such a widescale assault on its digital infrastructure.
Inadequate Government Response
The Committee added that following the explosion of ransomware attacks in 2021, the threat from this vector remains as severe as it has ever been. Most ransomware attacks against the UK are from Russian-speaking actors.
The UK government’s efforts in this area are currently inadequate, the report said, and its planning will be found lacking.
While the government has published an ambitious National Cyber Strategy, “its progress reporting is currently poor,” according to the Committee.
There is “next to no” state support for most victims of ransomware, and often a poor understanding of cyber among responding police forces. As a result, many victims, including local government authorities, are forced to turn to private cyber incident response firms.
This lack of support is largely due to insufficient funding for the government agencies responsible for cybersecurity, particularly the National Cyber Security Centre (NCSC) and National Crime Agency (NCA). This includes the NCA facing significant difficulties recruiting cyber specialists, due to its inability to compete with the private sector on pay and career progression.
The report also said there is a risk that ransomware is “relentlessly deprioritized” at government level, with clear political priority given instead to other issues.
How Can the UK Government Improve?
The Joint Committee on the National Security Strategy set out a range of recommendations for the UK government to improve its response to the ransomware threat, including:
- Work with the insurance sector to establish a re-insurance scheme for major cyber-attacks to overcome a “woeful” lack of coverage
- Establish a National Cyber Strategy sub-committee, which should consider progress against each of the five pillars at least twice per year
- Transfer responsibility for tackling ransomware from the Home Office to the Cabinet Office, in partnership with the NCSC and NCA
- Bring forward legislation to urgently update the Computer Misuse Act, which is now 30 years old
- Revisit the funding available for NCA pay and progression, enabling it to offer salaries that can attract experts with specialist cyber skills
- Hold regular national exercises to prepare for a major national ransomware attack affecting multiple CNI sectors
- Provide funding to the NCSC to establish an enhanced and dedicated local authority cyber resilience program
- Fund the NCSC and NCA to allow them to provide negotiation, recovery and remediation capabilities to all public sector victims of ransomware
- Establish a central reporting mechanism for ransomware attacks, and consider whether to require all UK organizations to report an attack within three months
- The NCSC to produce more detailed guidance, accessible to a non-technical audience, on how best to avoid the payment of ransoms after an attack
Industry Reaction
Commenting on the report, Royal United Services Institute (RUSI) Research Fellow Jamie MacColl, who provided oral and written evidence to the Committee, said it is time to talk more actively about ransomware and organized cybercrime with the public at large, to put it on the political agenda.
“Such conversations could include more candid detail about the government’s place and role in the fight against this threat, in both preventative and reactive terms,” he stated.
Gerasim Hovhannisyan, CEO & Co-Founder, EasyDMARC, said that government leadership must reassess cybersecurity policy as a matter of urgency before it’s too late.
“The threats are escalating, but strategic planning and security standards can help tackle vulnerabilities before a major attack strikes vital services. Given the potential consequences, there is no time to waste in making cyber resilience a political priority across the UK's critical infrastructure,” he outlined.
The report’s findings echo worrying research by My1Login into the NHS’s lack of cyber preparedness.
Mike Newman, CEO of My1Login, commented: “Our team recently discovered that only a handful of NHS Trusts hold a dedicated cybersecurity budget and very few have security teams that are larger than one or two members of staff. The research also highlighted that most NHS staff undertake less than two hours of security training annually, but given that most ransomware attacks are executed through phishing, this is an issue that must be remediated immediately.”
He added: “We don’t want another WannaCry on our hands again any time soon.”