Government’s “ostrich strategy” on national cyber threat “doesn’t reassure”

Dame Margaret Beckett MP, chair of the Joint Committee, said: “Perhaps it’s not surprising that Government isn’t focused on preparing for the acknowledged and extremely high risk of a destructive and ruinously costly cyber attack on the UK. Despite its place at the top of the UK’s national risk register for years, our national response to the pandemic when it inevitably hit could fairly be categorised as shambolic.”

Beckett continued: “In this response to our ransomware report, it’s ever clearer that Government does not know the extent or costs of cyber attacks across the country – even though we’re the third most cyber-attacked country in the world – and neither does it have any intention of commensurately upping the stakes or resources in response.”

Further, Beckett asserted: “If the Government insists on operating the ostrich strategy for national cyber security based on legislation made before the Internet arrived, centred on a Government department that seems to have difficulty mustering much interest in the issue and in stark contrast to the cyber attackers who are so fantastically well co-ordinated and resourced, where is the proactive national security response to protect the UK supposed to come from?”

In conclusion, the Joint Committee’s chair noted: “The UK is and will remain exposed and unprepared if it continues this approach to tackling ransomware. This response from the Government is not the assurance the Committee sought or that the country needs. All of the responsible and co-ordinating Government departments would benefit from going away and reconsidering how the UK is to defend against this most pernicious threat.”

Continuation of monitoring

Following the Government’s response, the Joint Committee intends to continue to monitor and follow-up on issues raised in its report, especially so in the areas where well-founded recommendations to enhance critical elements of national security have been rejected out of hand.

It will also encourage the successor Committee appointed after the upcoming General Election to continue to follow-up and monitor progress against this report’s recommendations.

The Government continues to insist that all is well in the regulatory model, while the regulators charged with implementing it say limitations in their capabilities – and in the regulations themselves – are preventing some of them from making full use of the powers they do have at their disposal. 42% of the operators of essential services have said they don’t have the skills and capacity to deliver their obligations under the NIS Regulations.

In the wake of a “painfully delayed” consultation, the UK still continues to rely on an Act of Parliament created before the advent of the Internet itself as its main legislative tool for confronting cyber crime.

Government must come forward with a new offer – particularly for local authorities and in conjunction with the National Cyber Security Centre – through pro bono schemes with the private sector, better resourcing for the National Crime Agency and sharing its expertise on ransom negotiations and through work with the insurance sector to make the massive costs of response, recovery and remediation of cyber attacks more feasible for the ever-expanding groups of victims.

Insurance market

In the eyes of the Joint Committee, the Government doesn’t acknowledge how unaffordable the insurance market can be for some cyber attack victims – local authorities and small companies are among the notable examples – and also doesn’t agree that public intervention in this market is necessary.

Instead, Government suggests that the roll-out of the National Cyber Strategy should begin to reduce claims and, therefore, lower premiums. This is despite the Joint Committee’s report highlighting both the rapid recent growth of costly cyber attacks and the Government’s own lack of understanding of the frequency and type of attacks that are actually occurring (or how often or what amounts of ransoms are being paid).

The Joint Committee will continue to monitor whether Government work does lead to the better reporting of cyber and ransomware attacks that might begin to fill these gaps in Government knowledge and improve its strategic responses.

The Joint Committee has heard worrying evidence of exactly how unprepared and unsupported UK local authorities are in facing cyber attacks that could cripple or otherwise temporarily cease essential local services. There’s nothing in the Government’s response to address or assuage those concerns. There’s no offer to counter the lack of resourcing and skills at local level and, what’s more, no offer of enhanced help for the responsible authorities or the populations that would be affected.

Reflected in legislation

It’s welcome news, asserted the Joint Committee, that the Competition and Markets Authority’s review process will integrate the report’s recommendations: the Joint Committee expects to see the outcomes of this reflected in forthcoming urgent legislation.

The Joint Committee will seek to assess whether the assertions made by Government in rejecting key recommendations – ie that the National Cyber Strategy will reduce the number and size of cyber attack insurance claims (in turn obviating the need for Government intervention in that insurance market), that the fragmented approach to regulation and enforcement across Government is effective and also that the proposed 21% resource uplift for the National Crime Agency is commensurate with the resource needed to tackle cyber crime – are borne out in evidence and continue to press for the recommended interventions to be implemented where this is not the case.