There is a high risk that the Government will face a catastrophic ransomware attack at any moment, according to a new report by the Joint Committee on National Security Strategy.
The report also said the Committee feared the Government’s planning for such an event “will be found lacking.”
“If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security,” noted the Committee.
The report said that large swathes of UK critical national infrastructure (CNI) remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems. It specifically pointed to “cash-strapped sectors such as health and local government.”
Supply chains are also particularly vulnerable and have been described by the National Crime Agency (NCA) as the ‘soft underbelly’ of CNI, it said.
As a result of these vulnerabilities, the Committee said a coordinated and targeted attack has the potential to take down large parts of UK CNI and public services, causing severe damage to the economy and to everyday life in the UK.
The Committee said that given the poor implementation of existing cyber resilience regulations, the Government should scope the feasibility of establishing a cross-sector regulator on CNI cyber resilience.
As part of the National Exercise Programme, it should also hold regular national exercises to prepare for the impact of a major national ransomware attack affecting multiple CNI sectors, engaging CNI operators to stress-test their response and ensure a swift recovery.
In addition, the National Cyber Security Centre (NCSC) should be funded to establish an enhanced and dedicated local authority resilience programme, including intensive support for local exercising and on securing council supply chains.
No interest, resources or support from Government
The report said the Home Office claims the lead on ransomware as a national security risk and policy issue, but the former Home Secretary “showed no interest in the topic. It has been suggested by some observers that clear political priority in the Home Office is given instead to other issues, such as illegal migration and small boats.”
In line with many other aspects of cybersecurity, and to ensure that it is treated as a cross-government national security priority, responsibility for tackling ransomware should be transferred from the Home Office to the Cabinet Office, in partnership with the NCSC and NCA.
It should also be overseen directly by the Deputy Prime Minister.
Elsewhere, the Government has published an ambitious National Cyber Strategy (NCS), but the Committee said its progress reporting is currently poor.
It said the National Audit Office (NAO) should review the Government’s implementation of the NCS, and the Government should establish a National Security Council sub-committee, to oversee progress against each of the Strategy’s five ‘pillars’ at least twice per year. The Government must also bring forward legislation urgently to update the Computer Misuse Act, which is now over 30 years old.
Meanwhile, the report described the NCA as being “locked in an uphill struggle against the ransomware threat, with insufficient resources and capabilities to match the scale of this challenge.”
As such, the Government “should invest significantly more resources in the NCA’s response to ransomware, enabling it to pursue a more aggressive approach to infiltrating and disrupting ransomware operators. It should also address the pay parity between police and NCA officers and invest sufficiently in the skills needed to track and seize ransomware criminals’ cryptocurrency earnings.”
The report also noted that victims of ransomware attacks receive next-to-no support from law enforcement or Government agencies. Therefore, it said the NCSC and NCA should be funded to provide support to all public sector victims of ransomware, to the point of full recovery.
The Committee said there remains a woeful lack of coverage of cyber insurance.
“The Government should work with the insurance sector to establish a re-insurance scheme for major cyberattacks, to ensure the sustainability and accessibility of the market. It should also establish a central reporting mechanism for ransomware attacks, to ensure that it has a full understanding of the nature and scale of the threat, and how best to tackle it.”