UK At High Risk Of ‘Catastrophic Ransomware Attack’, Warns Committee


Damning report from parliamentary committee warns of high risk to UK from ‘catastrophic ransomware attacks’

Ransomware attacks could “bring the country to a standstill”, due to poor planning and a lack of investment, a parliamentary committee has warned.

The Joint Committee on the National Security Strategy (JCNSS), in a damning report, warned that the UK Government’s failure to address the growing threat of ransomware poses a “high risk” of a catastrophic attack at any moment.

The report warned that “the majority of ransomware attacks against the UK are from Russian-speaking perpetrators, and the Russian Government’s tacit (or even explicit) approval of this activity is consistent with the Kremlin’s disruptive, zero-sum-game approach to the West.”

Ransomware threat

Last month the British Library confirmed that a ransomware attack had compromised staff data, which appeared to have been stolen.

“The Government and the National Cyber Security Centre (NCSC) have focused their counter-ransomware efforts predominantly on resilience,” the report states. “Nevertheless, large swathes of UK critical national infrastructure (CNI) remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems, and we have particular concerns about cash-strapped sectors such as health and local government. Supply chains are also particularly vulnerable and have been described by the NCA as the ‘soft underbelly’ of CNI.”

The National Cyber Security Centre (NCSC) in November had warned of a heightened threat to critical IT infrastructure after an increase in cyber attacks by organisations sympathetic to Russia’s invasion of Ukraine.

The report singled out former home secretary Suella Braverman for failing to make ransomware a priority, despite her department claiming the lead on ransomware as a national security risk and policy issue.

“The Home Office claims the lead on ransomware as a national security risk and policy issue, but the former Home Secretary showed no interest in the topic,” the report states. “It has been suggested by some observers that clear political priority in the Home Office is given instead to other issues, such as illegal migration and small boats.”

The report noted that “the Government has published an ambitious National Cyber Strategy (NCS), but its progress reporting is currently poor.”

The Government was urged to urgently update the Computer Misuse Act, which is now over 30 years old.

Uphill struggle

“The National Crime Agency is locked in an uphill struggle against the ransomware threat, with insufficient resources and capabilities to match the scale of this challenge,” the report states.

“The Government should invest significantly more resources in the NCA’s response to ransomware, enabling it to pursue a more aggressive approach to infiltrating and disrupting ransomware operators. It should also address the pay parity between police and NCA officers, and invest sufficiently in the skills needed to track and seize ransomware criminals’ cryptocurrency earnings.”

“There is a high risk that the Government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking,” the report added. “If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security.”

The report cited the February 2020 ransomware attack on Redcar and Cleveland council, which was locked out of its systems for almost three weeks.

The report also identified the NHS as a particularly vulnerable target, citing the health service’s reliance on a “vast estate of legacy infrastructure”, including “IT systems that are out of support or have reached the end of their lifecycle”.

The committee noted that the health service lacks the capacity to undertake even “simple upgrades” as a result of crumbling IT services and a lack of investment.

The report urges the Government to bolster cyber defence, particularly for critical infrastructure. Organisations, meanwhile, should consider cyber insurance; law enforcement should consider providing more assistance and support; and measures should be taken to end the current situation in which victims are disincentivised from reporting ransomware attacks.

“The UK is well prepared to respond to cyber threats and has taken robust action to improve our cyber defences, investing £2.6bn under our cyber security strategy and rolling out the first ever government-backed minimum standards for cyber security through the NCSC’s cyber essentials scheme,” a government spokesperson was quoted by the Guardian as saying.

Damning report

The publication of the parliamentary report was noted by Mike Newman, CEO of My1Login, who also raised concerns about nation-state attacks and the lack of cyber protection at the NHS.

“This is a damning report on the government that highlights potentially devastating failings in the UK’s cyber defences,” said Newman. “The report highlights that not enough is being done to protect our critical national infrastructure, which could result in criminals cutting off essential supplies or causing massive financial damage.”

“Nation state attacks are becoming more frequent, so the chances of an adversary targeting the UK to cause societal damage are highly likely,” said Newman. “The government must work to improve its defences.”

“The report also discusses cybersecurity concerns around the NHS, which echo the findings of recent research by My1Login,” Newman stated. “Our team recently discovered that only a handful of NHS Trusts hold a dedicated cybersecurity budget and very few have security teams that are larger than one or two members of staff.”

“The research also highlighted that most NHS staff undertake less than two hours of security training annually, but given that most ransomware attacks are executed through phishing, this is an issue that must be remediated immediately,” said Newman. “We don’t want another WannaCry on our hands again any time soon.”