A hostage to fortune: ransomware and UK national security
13 December 2023
JCNSS: High risk of catastrophic ransomware attack at any moment, with UK Government planning lacking and held “hostage to fortune”
- Read the full report (HTML)
- Read the full report (PDF) [1.22MB]
- Read the report summary
- Read the report's conclusions and recommendations
- Find all publications related to this inquiry, including oral and written evidence
In May 2021 US President Joe Biden declared a national state of emergency after a ransomware attack by the Russian DarkSide group forced the shutdown of one of the country's largest and most vital oil pipelines for six days. Today, Parliament’s Joint Committee on National Security Strategy warns that the UK - one of the most targeted countries in the world - is unprepared for the “high risk” of a catastrophic ransomware attack “at any moment”. It says there will be “no excuse” for the current failure to invest sufficiently to prevent a major crisis.
The majority of ransomware attacks against the UK are from Russian-speaking perpetrators but this is not a straightforward state threat: ransomware is primarily a problem of criminality for profit, rather than espionage or geopolitical sabotage. For many Russian hackers ransomware is simply an easy way to make large sums of money with next-to-no chance of being caught or prosecuted; they have been described as “vultures not hawks.”
The UK Government "is almost certain that Russian actors sought to interfere in the 2019 general elections", with the National Cyber Security Centre (NCSC) Review in 2023 finding that, with UK and US elections on the horizon, “we can expect to see the integrity of our systems tested again”. The Committee is now requesting a private briefing from the NCSC on preparation for the election expected next year, and how this support will be provided and delivered.
Significant state-based threats have emerged from North Korea - responsible for the 2017 WannaCry attack that affected over 200,000 computers in more than 150 countries. Victims included the UK's NHS, US FedEx, Deutsche Bahn, Honda, Nissan and LATAM Airlines. Many, including the NHS, were not targeted specifically but were hit in opportunistic attacks exploiting software vulnerabilities. The British Library experienced a major ransomware attack in November 2023, and in the days before publication of this report London’s King Edward Hospital was attacked with threats to leak members of the Royal Family’s medical records, and there were reports that Sellafield, the UK’s most hazardous nuclear site, had been hacked by cyber groups closely linked to Russia and China.
Despite the number of attacks carried out by the North Korean Lazarus Group, their capabilities have not been eroded by current responses and they remain a persistent threat. China is now considered the single most significant cyber security actor in relation to UK interests and Iran is described as an “aggressive cyber actor” though with few of the capabilities of Russia.
The report warns that swathes of UK critical national infrastructure (CNI) - much of which is operated by the private sector - remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems. Senior National Crime Agency (NCA) officials noted that there is a “soft underbelly” to every organisation that uses a third-party software provider.
Ransomware can cause severe disruption to the delivery of core Government services, including healthcare and child protection, as well as causing ongoing economic losses, and a coordinated and targeted attack has the potential to “bring the country to a standstill”. Victims have found themselves locked out of digital systems and forced to resort to pen and paper - described in evidence as going "back to a pre-computer era of the 1950s in mere minutes".
But most victims currently receive next-to-no support from law enforcement or Government agencies. The support gaps apply across important elements of the public sector, including local authorities struggling under deep budget cuts, and schools and colleges, and they stand in stark contrast to victim support for comparable thefts or ransom demands in the offline world. NCSC and NCA should be funded to provide negotiation, recovery and remediation capabilities to all public sector victims of ransomware, to the point of full recovery.
Cyber insurance could provide a vital lifeline for ransomware victims but there is a woeful lack of UK coverage. Premiums are unaffordable and have increased drastically in recent years. The Government should work with the insurance sector to establish a re-insurance scheme for major cyber-attacks, akin to Flood Re.
The reputational risk means many victims do not report attacks, which severely constrains the development of effective responses. The official position is that UK victims should not pay ransoms, but it is the only viable option for many to keep their businesses afloat and prevent damaging data leaks. JCNSS recommends Government should urgently establish a central reporting mechanism and explore whether all UK organisations should be obliged to report an attack within three months.
UK regulatory frameworks are insufficient and outdated - the main legislative framework on cybercrime, the Computer Misuse Act, was introduced before the arrival of the internet - and legislation to reform it was missing from the King’s Speech. But even with improvements, the responsible agencies lack both resources and capability to respond adequately: a situation likened in evidence to "having an international airport without yet having X-ray equipment, sniffer dogs or financial intelligence capability". As a result, the UK's civil recovery and criminal asset recovery statistics "make for horrific reading".
The Home Office claims the lead on ransomware as a national security risk and policy issue, but the Committee is critical of its response, saying that former Home Secretary Suella Braverman “showed no interest in it”, with clear political priority given instead to other issues such as illegal migration and small boats. The JCNSS calls for responsibility for tackling ransomware to be transferred to the Cabinet Office, in partnership with the NCSC and NCA and overseen directly by the Deputy Prime Minister. It also says the FCDO should investigate the possibilities for legal sanctions and international cooperation against Russia, whose approach could constitute another violation of international law.
Chair's comment
Dame Margaret Beckett, Chair of JCNSS, said:
“The UK has the dubious distinction of being one of the world’s most cyber-attacked nations. It is clear to the Committee that the Government’s investment in and response to this threat are not equally world-beating, leaving us exposed to catastrophic costs and destabilising political interference. In the likely event of a massive, catastrophic ransomware attack, the failure to rise to meet this challenge will rightly be seen as an inexcusable strategic failure.
Our main legislative framework is irresponsibly outdated and Government missed another chance to rectify this in the latest King’s Speech. The agencies tasked with detecting, responding to and recovering from ransomware attacks - and degrading further attack capabilities - are under-resourced and lacking key skills and capabilities. If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security.”
Further information
- Inquiry: Ransomware
- Joint Committee on the National Security Strategy