The UK Parliament’s Joint Committee on the National Security Strategy (JCNSS) has published the results of an inquiry into ransomware threats.
The Committee’s report, ‘A hostage to fortune: ransomware and UK national security’, warns that the UK – one of the most targeted countries in the world – is unprepared for the high risk of a catastrophic ransomware attack ‘at any moment’. It says there will be no excuse for the current failure to invest sufficiently to prevent a major crisis.
The report says that the majority of ransomware attacks against the UK are from Russian-speaking perpetrators but this is not a straightforward state threat: ransomware is primarily a problem of criminality for profit, rather than espionage or geopolitical sabotage. For many Russian hackers ransomware is simply an easy way to make large sums of money with next-to-no chance of being caught or prosecuted.
Significant state-based threats have emerged from North Korea, and China is now considered the single most significant cyber security actor in relation to UK interests.
The report warns that ‘swathes of UK critical national infrastructure (CNI) – much of which is operated by the private sector – remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems’. Senior National Crime Agency (NCA) officials noted that there is a ‘soft underbelly’ to every organization that uses a third-party software provider.
Cyber insurance could provide a vital lifeline for ransomware victims, says the report, but ‘there is a woeful lack of UK coverage’. Premiums are unaffordable and have increased drastically in recent years. The Government should work with the insurance sector to establish a re-insurance scheme for major cyber attacks, akin to Flood Re, the report recommends.
On ransoms, the report says that reputational risk means many victims do not report attacks, which severely constrains the development of effective responses. The official position is that UK victims should not pay ransoms, but for many it is the only viable option to keep their businesses afloat and prevent damaging data leaks. Government should ‘urgently establish a central reporting mechanism and explore whether all UK organizations should be obliged to report an attack within three months’.
The Home Office currently takes the lead on ransomware as a national security risk and policy issue but the report is critical of its response, saying that former Home Secretary Suella Braverman “showed no interest in it”, with clear political priority given to other issues such as illegal migration and small boats instead. The report calls for responsibility for tackling ransomware to be transferred to the Cabinet Office, in partnership with the NCSC and NCA and overseen directly by the Deputy Prime Minister.