The UK government has not been able to tackle the threat posed by ransomware. The Joint Committee on National Security Strategy (JCNSS) has warned that this failure leaves the country vulnerable to a “catastrophic” ransomware attack that might happen at any moment.
The JCNSS warning highlights the growing chances of a serious cyber-attack on the UK’s critical national infrastructure (CNI). The National Cyber Security Centre (NCSC) explains that CNI covers essential national resources, including electricity, water, transportation, health, and telecommunications, that are necessary for society to function.
The critical assessment from the Parliamentary select committee, which was made public on December 13, concluded that the UK government had not taken ransomware seriously. It claimed that those who have been attacked by ransomware are receiving “next-to-no support” from the government.
The analysis came to the following conclusion:
There is a high risk that the government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking. There will be no excuse for this approach when a major crisis occurs, and it will rightly be seen as a strategic failure.
The Committee highlighted the serious effects of the ransomware attack on the Costa Rican government in April 2022. This cyberattack stopped important aspects of the nation’s digital infrastructure for an extended period, creating widespread outages that lasted for months.
Attacks using ransomware that target critical commercial infrastructure and UK government institutions have become shockingly common in recent months. Several significant organisations have fallen victim to ransomware attacks since September 2023, including the British Library, Royal Mail, and Manchester Police.
Although there hasn’t been an organized attack on the Critical National Infrastructure (CNI) in the UK yet, the situation in Costa Rica provides a clear example. It underlines how quickly a country may become completely paralysed in the middle of a massive attack on its digital infrastructure.
The UK Government’s Inability to Handle Ransomware Risks
The Parliamentary committee’s report brings to light the government’s failure to prevent massive cyberattacks. It specifically criticizes the Home Office, which asserts its role in handling ransomware as a policy matter. Suella Braverman, the former home secretary, has faced criticism for not giving priority to the problem.
The committee remarked that Braverman showed minimal interest in dealing with the growing risk of ransomware. Notably, the UK government appears to place other problems, such as illegal migration and small boats, ahead of this important matter.
Furthermore, the committee pointed out a major vulnerability in the UK’s Critical National Infrastructure (CNI): its dependency on private, third-party IT systems, which exposes it to increased cyberattack threats.
The National Cyber Security Centre (NCSC) and National Crime Agency (NCA) are two government entities that oversee cybersecurity, and they receive minimal funding. This is the main cause of the weak support. The NCA finds it difficult to recruit cyber professionals because it cannot provide the same attractive compensation and opportunities for professional growth as the private sector.
Recommendations
The JCNSS report recommends moving supervision of ransomware from the Home Office to the Cabinet Office. With this action, the National Cyber Security Centre, the National Crime Agency, and the deputy prime minister would all work together in project management.
Since the UK’s present Computer Misuse Act (CMA) dates from before the internet era, the report highlights the need for an updated regulatory system to tackle cybercrime.
It is important to increase funding for the National Cyber Security Centre (NCSC) and National Crime Agency (NCA). This support helps victims recover from attacks, negotiate with ransomware attackers, and take steps to prevent such incidents in the future.
Jamie MacColl, a Research Fellow at the Royal United Services Institute (RUSI) who provided insights to the Committee, addressed the findings and highlighted the need to start a broader public conversation about organised cybercrime and ransomware. MacColl calls for actively involving the general public in bringing these issues to the top of the political agenda.