There is a high risk of a genuinely catastrophic ransomware attack occurring against a critical national infrastructure (CNI) target in the UK at any moment, with the lack of planning for such an incident at Westminster meaning that the entire country is essentially being held “hostage to fortune”, the Joint Committee on the National Security Strategy has warned.
In the report A hostage to fortune: ransomware and UK national security, which has been over 12 months in the making, the committee, which spans both houses of Parliament, warned that despite solid work from the government and the National Cyber Security Centre (NCSC) on cyber resilience, “large swathes” of the UK’s CNI remained highly vulnerable, with many operations relying on legacy IT systems, particularly in healthcare and local government. The report also found that supply chains were particularly vulnerable, describing them as the “soft underbelly” of CNI.
As a result of this, a coordinated and targeted ransomware attack could take down large parts of the UK’s public services infrastructure, causing severe damage to the economy and to everyday life for millions of people.
It cited a number of recent attacks that have demonstrated the ongoing vulnerability of Britain’s public services, including the infamous LockBit hit on Royal Mail in January and February of 2023, which left services paralysed for weeks; attacks on local authorities such as Redcar and Cleveland Borough Council in early 2020 and the London Borough of Hackney later that same year; and the 2022 incident at medical software supplier Advanced Software, which wrought havoc across the NHS.
“There is a high risk that the government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking. If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security,” the report said.
“In 2020, this committee examined the government’s preparations for the Covid-19 pandemic, considering what it could teach us about how to prepare for a known risk with a high potential impact. We found that the government had not prepared adequately for a pandemic, despite knowing that there was an increasing chance of such a scenario occurring.
“The government is at risk of making the same mistake again: it knows that the possibility of a major ransomware attack is high, yet it is failing to invest sufficiently to prevent catastrophic costs later on. There will be no excuse for this approach when a major crisis occurs, and it will rightly be seen as a strategic failure.”
The committee has particularly harsh words for the Home Office – which leads on ransomware as a national security risk and policy issue – saying that former home secretary Suella Braverman had “showed no interest” in the topic, preferring instead to prioritise issues such as illegal migration and small boats. It called for responsibility for ransomware to be transferred to the Cabinet Office, working with the NCSC and the National Crime Agency (NCA), and ultimately overseen by the deputy prime minister, currently Oliver Dowden.
Jamie MacColl, cyber security research fellow at the Royal United Services Institute (RUSI), a thinktank, who contributed extensively to the committee’s evidence-gathering exercise, commented: “The inquiry report is one of the clearest articulations to date of the challenges posed by ransomware. Although it is rightly critical of the UK government’s record on ransomware, it is important to remember that other national governments have also struggled to find ways to meaningfully shift the cost-benefit calculus of Russian ransomware groups, who continue to wreak havoc.”
‘It was catastrophic’
Describing the impact of a critical ransomware incident during an oral evidence session held by the committee in January 2023, councillor Mary Lanigan, leader of Redcar and Cleveland Council, said: “The ransomware attack hit us on a Saturday morning, and it was only because one of my IT staff had gone on to the system [and] thought, ‘This doesn’t look right’, and pulled the plug that we found out what was going on… It was triggered on that Saturday when he pulled the plug, and it was catastrophic, because we lost everything; we lost our telephone systems, our IT, the whole lot.
“Not only that, but our partnerships, including Cleveland Police, pulled the plug on us because we had all this going on. GCHQ came up and helped us. It took us months and months to get that right. My staff from children’s services were writing on pieces of paper – things that had not been done for decades. My IT staff, who were working alongside GCHQ, stayed in the building; we put beds in for them to see how quickly we could move things forward,” she said.
“It still took us months to do that, and the cost to the local authority was massive, not just with the overtime but with bringing in expertise and trying to put new telephone systems in. I contacted central government and we spoke to the minister. He said, ‘Whatever it is, we’ll meet the cost’. Unfortunately, that does not always work as you go down the line; they want to know how much this was and how much that was. We lost about £7m. Redcar and Cleveland Borough Council was not insured for this,” said Lanigan.
Recommendations for government
The report lays out several recommendations for both the government and the NCSC, including the possible establishment of a new regulatory body on CNI cyber resilience, which it said may be necessary given the “poor implementation of existing cyber resilience regulations”.
It also calls for regular national exercises and stress-tests on CNI operators, and extra funding for the NCSC to establish a dedicated cyber programme for local authorities, and to properly support public sector victims who find their operations disrupted.
There may also be scope for a government-backed reinsurance scheme for major cyber attacks, and there is definitely a need to invest more resources in the NCA, which the report described as facing an “uphill struggle”, to enable the agency to take a more aggressive approach towards disrupting ransomware operators.
The committee additionally called for the National Audit Office (NAO) to review the ongoing implementation of the National Cyber Strategy (NCS), describing progress reporting on this as “currently poor”, and for the government to establish a National Security Council sub-committee to measure progress against the five pillars of the NCS. Finally, it threw its weight behind ongoing calls to reform the Computer Misuse Act, which is over 30 years out of date.