UK unprepared for large-scale ransomware attack, report warns

The Joint Committee on the National Security Strategy says the UK is “unprepared” for a large-scale ransomware attack with “large swathes” of the critical national infrastructure (CNI) vulnerable.

It warns emergency services, healthcare systems, transportation networks, and even general elections, remain exposed to a “catastrophic ransomware attack” due to a reliance on legacy technology systems.

“The NCA is locked in an uphill struggle against the ransomware threat, with insufficient resources and capabilities to match the scale of this challenge,” the report says.

“The Government should invest significantly more resources in the NCA’s response to ransomware, enabling it to pursue a more aggressive approach to infiltrating and disrupting ransomware operators.

“It should also address the pay parity between police and NCA officers, and invest sufficiently in the skills needed to track and seize ransomware criminals’ cryptocurrency earnings.”

The joint committee says responsibility for tackling ransomware should be transferred from the Home Office to the Cabinet Office, in partnership with the National Cyber Security Centre (NCSC) and the NCA.

It should also be overseen directly by the Deputy Prime Minister.

The joint committee warns mass data loss from an attack can be “irreversible”, even when the ransom is paid.

Due to its potential ability to bring the UK to a standstill, ransomware has been identified by UK authorities as the number one cyber threat to the nation.

“Having ‘exploded’ in 2021, the ransomware threat is still as severe as it has ever been, and the UK is one of the most targeted countries in the world,” the report says.

“A mature and complex ecosystem has evolved, involving an increasingly sophisticated threat actor; ransomware is also now marketed as a service, which can be purchased by the uninvolved, eg, criminal gangs, making it more widely available to those who wish to inflict harm for profit.

“Past attacks have shown that ransomware can cause severe disruption to the delivery of core government services, including healthcare and child protection, as well as ongoing economic losses.”

The majority of ransomware attacks against the UK are from Russian-speaking perpetrators.

However, the report notes this is not a “straightforward State threat”, and for many Russian hackers, ransomware is simply an easy way to make large sums of money, with next-to-no chance of being caught or prosecuted.

Earlier this month, following a NCA investigation, the UK sanctioned two members of group linked to Russia’s FSB for their involvement in the preparation of spear-phishing campaigns and associated activity that resulted in unauthorised access and exfiltration of sensitive data, which was intended to undermine UK organisations and more broadly, the Government.

“The Government and the NCSC have focused their counter-ransomware efforts predominantly on resilience,” the report says. “Nevertheless, large swathes of UK CNI remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems, and we have particular concerns about cash-strapped sectors such as health and local government.

“Supply chains are also particularly vulnerable and have been described by the NCA as the ‘soft underbelly’ of CNI.

“As a result of these vulnerabilities, a coordinated and targeted attack has the potential to take down large parts of UK CNI and public services, causing severe damage to the economy and to everyday life in the UK.”

Given the “poor implementation” of existing cyber resilience regulations, the report recommends the Government should scope the feasibility of establishing a cross-sector regulator on CNI cyber resilience.

As part of the National Exercise Programme, it should also hold regular national exercises to prepare for the impact of a major national ransomware attack affecting multiple CNI sectors, engaging CNI operators to stress-test their response and ensure a swift recovery.

In addition, the NCSC should be funded to establish an enhanced and dedicated local authority resilience programme, including intensive support for local exercising and on securing council supply chains, the report adds.

“The impact of a ransomware attack on its victims is significant, with many organisations taking months to recover,” says the report.

“Despite this, most victims currently receive next-to-no support from law enforcement or Government agencies.

“The NCSC and NCA should be funded to provide support to all public sector victims of ransomware, to the point of full recovery.”

The report says there remains a “woeful lack of coverage” on  cyber insurance, which can be a vital source of support.

It wants the Government to work with the insurance sector to establish a re-insurance scheme for major cyber-attacks, to ensure the sustainability and accessibility of the market.

It should also establish a central reporting mechanism for ransomware attacks, to ensure that it has a full understanding of the nature and scale of the threat, and how best to tackle it.

“The Government has published an ambitious National Cyber Strategy (NCS), but its progress reporting is currently poor,” the report notes. “The National Audit Office should review the Government’s implementation of the NCS, and the Government should establish a National Security Council sub-committee, to oversee progress against each of the strategy’s five ‘pillars’ at least twice a year.

“The Government must also bring forward legislation urgently to update the Computer Misuse Act, which is now over 30 years old.”

The report – A hostage to fortune: ransomware and UK national security – concludes: “There is a high risk that the Government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking.

“If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security.

Oz Alashe MBE, chief executive officer at cyber security specialists Cybsafe, commented: “Today’s report by the Joint Committee on National Security Strategy highlights the significant risks stemming from ransomware attacks against our nation’s critical infrastructure.

“Healthcare systems, transportation networks, emergency services, and even general elections remain exposed due to reliance on legacy tech systems not designed for the modern threat environment.

“As cyber threats grow more sophisticated, complacency can snowball into reputational and financial damage, not to mention potential harm to the public.

“While the Government has invested £2.6 billion and implemented minimum standards through the NCSC’s Cyber Essentials programme, more can be done. By engaging in tackling common risky behaviours like recognising phishing attempts, following protocol with hardware, and promoting a culture of speaking up about suspicious activity, people can become a crucial line of defence against ransomware.

“Pair this with approachable, non-punitive reporting channels, and national agencies can address vulnerabilities before hackers exploit them.”