High risk of “catastrophic” ransomware attack “at any moment” warns JCNSS

In May 2021, US President Joe Biden declared a national state of emergency after a ransomware attack by the Russian DarkSide group forced the shutting down one of the country’s largest and most vital oil lines for six days.

Now, Parliament’s Joint Committee on the National Security Strategy is warning that the UK – itself one of the most targeted countries in the world – is unprepared for the “high risk” of a “catastrophic” ransomware attack “at any moment”. The Committee feels there will be “no excuse” for the current failure to invest sufficiently in preventing a major crisis.

The majority of ransomware attacks perpetrated against the UK emanate from Russian-speaking perpetrators, but this is not a straightforward state threat. Ransomware is primarily a problem of criminality for profit, rather than espionage or geopolitical sabotage.

For many Russian hackers, ransomware is simply an easy way in which to make large sums of money with next-to-no chance of being caught or prosecuted. They’ve been described as “vultures, not hawks”.

The UK Government is almost certain that Russian actors sought to interfere in the 2019 General Election, with the National Cyber Security Centre (NCSC) Review conducted in 2023 finding that, with UK and US elections on the horizon, “we can expect to see the integrity of our systems tested again”.

The Parliamentary Committee is now requesting a private briefing from the NCSC on preparation for the General Election (which is expected next year) and how the necessary cyber support will be provided and delivered.

North Korea

Significant state-based threats have emerged from North Korea, which was responsible for the 2017 Wannacry attack that affected over 200,000 computers in upwards of 150 countries. Victims included the UK’s NHS, US FedEx, Deutsche Bahn, Honda, Nissan and LATAM Airlines. Many including the NHS were not targeted specifically, but were hit in opportunistic attacks due to software vulnerabilities.

The British Library experienced a major ransomware attack in November this year and, in the days before publication of the Committee’s 76-page report (entitled ‘A Hostage to Fortune: Ransomware and UK National Security’), London’s King Edward Hospital was attacked over threats to leak members of the Royal Family’s medical records. There were also reports that Sellafield, the UK’s most hazardous nuclear site, had been hacked by cyber groups closely linked to Russia and China.

Despite the number of attacks carried out by the North Korean Lazarus Group, their capabilities have not been eroded by current responses and they remain a persistent threat. China is now considered the single most significant cyber security actor in relation to UK interests, while Iran is described as an “aggressive cyber actor” (though with few of the capabilities of Russia).

The report warns that swathes of UK Critical National Infrastructure, much of which is operated by the private sector, remain vulnerable to ransomware, particularly so in those sectors still relying on legacy IT systems.

Senior National Crime Agency officials have noted there’s a “soft underbelly” to every organisation that uses a third party software provider.

Severe disruption

Ransomware can realise severe disruption to the delivery of core Government services, including healthcare and child protection, as well as causing ongoing economic losses. Any co-ordinated and targeted attack has the potential to “bring the country to a standstill”.

Victims of such attacks have found themselves locked out of digital systems and forced to resort to pen and paper. A process described in evidence as “going back to the pre-computer era of the 1950s in mere minutes”.

However, most victims currently receive next-to-no support from law enforcement or Government agencies. The support gaps apply across important elements of the public sector, including local authorities struggling under deep budget cuts, schools and colleges. They stand in “stark contrast” to victim support for comparable thefts or ransom demands in the offline world.

According to the Parliamentary Committee, the National Cyber Security Centre and the National Crime Agency should be funded to provide negotiation, recovery and remediation capabilities to all public sector victims of ransomware to the point of full recovery.

Cyber insurance could provide a vital lifeline for ransomware victims, but there’s said to be a “woeful” lack of UK coverage. Premiums are unaffordable and have increased drastically in recent years. That being so, the Committee suggest that the Government should work with the insurance sector to establish a re-insurance scheme for major cyber attacks that’s akin to Flood Re.

Reputational risk means that many victims do not report ransomware attacks, which severely constrains the development of effective responses. The official position is that UK victims should not pay ransoms, but it’s the only viable option for many to keep their businesses afloat and prevent damaging data leaks. The Joint Committee recommends Government should urgently establish a central reporting mechanism and explore whether all UK organisations should be obliged to report an attack within three months.

Outdated frameworks

UK regulatory frameworks are “insufficient and outdated”. The main legislative framework on cyber crime, namely the Computer Misuse Act, was introduced before the arrival of the Internet, while legislation aimed to reform it was missing from the King’s Speech.

Even with improvements, the responsible agencies lack both resources and capability to respond adequately: a situation likened in evidence to “having an international airport without yet having X-ray equipment, sniffer dogs or financial intelligence capability”. As a result, the UK’s civil recovery and criminal asset recovery statistics “make for horrific reading”.

The Home Office claims the lead on ransomware as a national security risk and policy issue, but the Committee is critical of its response, saying that former Home Secretary Suella Braverman “showed no interest in it”, with clear political priority instead being afforded to other issues such as illegal migration and small boats.

The Joint Committee is calling for the responsibility for tackling ransomware to be transferred to the Cabinet Office in partnership with the National Cyber Security Centre and the National Crime Agency and overseen directly by the Deputy Prime Minister. The Committee also suggests that the Foreign, Commonwealth and Development Office should investigate the possibilities for legal sanctions against – and international co-operation on – Russia, whose approach could constitute another violation of international law.

Dubious distinction

Dame Margaret Beckett, chair of the Joint Committee on the National Security Strategy, stated: “The UK has the dubious distinction of being one of the world’s most cyber-attacked nations. It’s clear to the Committee that the Government’s investment in and response to this threat are not equally world-beating, leaving us exposed to catastrophic costs and destabilising political interference. In the likely event of a massive and catastrophic ransomware attack, the failure in rising to meet this challenge will rightly be seen as an inexcusable and strategic one.”

Beckett continued: “Our main legislative framework is irresponsibly outdated, with Government missing another chance to rectify this in the latest King’s Speech. The agencies tasked with detecting, responding to and recovering from ransomware attacks – and also degrading further attack capabilities – are under-resourced and lacking key skills and capabilities. If the UK is to avoid being held hostage to fortune, it’s vital that ransomware becomes a more pressing political priority. More resources must be devoted to tackling this pernicious threat to the UK’s national security.”

*Read ‘A Hostage to Fortune: Ransomware and UK National Security’ in full online