A lack of ransomware planning and preparedness at the highest levels of British government is leaving many organizations operating critical UK national infrastructure dangerously exposed, according to a Parliamentary Committee report released on 13th December.
The official report, 'A hostage to fortune: ransomware and UK national security', was researched over the past 20 months with input from a wide variety of cybersecurity professionals, senior law enforcement personnel and legal experts. It concludes that there is a high risk of a genuinely catastrophic ransomware attack occurring against a critical national infrastructure (CNI) target in the UK at any moment, and that disaster response planning at the top levels of authority is poor.
Over the past few years various CNI targets have been attacked with ransomware, including the notorious LockBit malware attack on Royal Mail in January and February of 2023, which left services paralysed for weeks; hacks on local authorities such as Redcar and Cleveland Borough Council in early 2020; outsourcing firm Capita in March 2023; and the 2022 incident at medical software supplier Advanced Software, which wrought havoc across the National Health Service. Fortunately no UK utilities have gone public about any successful attack, though they undoubtedly make juicy targets for cyber criminals. In August 2022 the criminal group Cl0p claimed to have hacked several of the UK's water utilities, though it seems they failed, or were unable to plant any malware before discovery. According to the Information Commissioner's Office (ICO), the UK's data protection agency, 706 ransomware incidents were reported last year, a small uptick on the 694 reported in 2021.
The report warned that despite solid work from the government and the National Cyber Security Centre (NCSC) on cyber resilience, "large swathes" of the UK's CNI remained highly vulnerable, with many operations relying on legacy IT systems, particularly in healthcare and local government. The report also found that supply chains were particularly vulnerable, since a single breach of a supplier could expose compromising information on large numbers of companies.
As a result of this, a coordinated and targeted ransomware attack could take down large parts of the UK’s public services infrastructure, causing serious damage to the economy and to everyday life for millions of people.
The report lays out several recommendations for both the NCSC and the government, including the possible establishment of a new regulatory body on CNI cyber resilience, which it said may be necessary given the “poor implementation of existing cyber resilience regulations”.
It also calls for regular national exercises and stress-tests on CNI operators, and extra funding for the NCSC to establish a dedicated cyber programme for local authorities, and to properly support public sector victims who find their operations disrupted.
There may also be scope for a government-backed re-insurance scheme for major cyber attacks, and there is definitely a need to invest more resources in the National Crime Agency, which the report described as facing an "uphill struggle", to enable it to take a more aggressive approach towards disrupting ransomware operators. There are personnel shortages in these specialist law enforcement units, as pay can be considerably higher in the private sector.
“There is a high risk that the government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking. If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security,” the report concluded. It seems there is a lot of work to be done to close these vulnerabilities in British infrastructure.