Share this article on:
The joint committee on the national security strategy finds rising risks and a lack of government preparedness.
A UK government committee has released its findings on the state of UK cyber preparedness and found that the country could be dragged to a halt by just one successful ransomware attack.
The joint committee on the national security strategy’s A hostage to Fortune: Ransomware and UK National Security report paints a grim picture, particularly when it comes to the state of the United Kingdom’s critical national infrastructure. Despite efforts by the National Cyber Security Centre to shore up the security of infrastructure operators, risks remain.
“Nevertheless, UK CNI remains vulnerable to a catastrophic ransomware attack, particularly in sectors in which investment in upgrading legacy infrastructure has been inadequate,” the report said. “Supply chains are also particularly vulnerable and have been described by the NCA as the ‘soft underbelly’ of CNI.”
The report uses a 2020 ransomware incident that affected the local council of Redcar and Cleveland Borough as an example of the impact of such an attack. The incident saw all of the council’s records destroyed and reduced daily operations to running on pen and paper.
“You can imagine the devastation,” Councillor Mary Lanigan told the committee. “I had staff running about with pieces of paper. We brought in another telephone system that we could use, but that took time. It was catastrophic, for the council and for the residents we serve across the board.”
The report notes that the changing and evolving nature of ransomware threats is of particular concern. Ransomware-as-a-service is somewhat democratising the crime, allowing individuals or groups without the technical know-how to hire the services of those that do, while ransomware software itself is growing in sophistication. The criminal groups themselves are changing, too, as they use multiple platforms to spread information and recruit new hackers.
Expert witnesses told the committee that the future would likely see new evolutions, including the increased targeting of critical infrastructure and “cyber physical systems” such as steering control systems on shipping vessels.
The report also addresses what makes the UK such an attractive target for hackers.
“There is a very simple reason: the English language,” the UK’s Minister for Security, Tom Tugendhat, told the committee. “Then there is a more prosaic reason, which is our open-banking systems. The combination of the two means that the UK is particularly targeted by those who are able to communicate with us and who can see that they can quickly move any ransoms taken into different banking systems and outside the jurisdiction of the United Kingdom.”
As to the nature of the threat actors, nation-backed hackers are also a point of concern, with China, North Korea, and Iran singled out as particular threats, while Russia’s blurring of the lines between criminal hacking groups and state intelligence agencies is also worrying.
The report lays the blame for the UK’s lack of readiness firmly at the feet of the Home Office and calls out former Home secretary Suella Braverman as having little interest in the problem.
“The Home Office claims the lead on ransomware as a national security risk and policy issue, but the then Home secretary, Suella Braverman MP, showed no interest in it,” the report said.
“According to some observers, clear political priority is given instead to other issues, such as illegal migration and small boats. We recognise the significance of illegal migration as a policy challenge, but there is a risk that ransomware is relentlessly deprioritised.”
The report recommends that responsibility for ransomware attacks be shifted from the Home Office to the Cabinet Office, with the NCSC and NCA working as partners.
“It should also be overseen directly by the Deputy Prime Minister, as part of a holistic approach to cyber security and resilience,” it said.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.