RAN0012
Written evidence submitted by NCC Group
Introduction
Following the oral evidence provided by our Global CTO Ollie Whitehouse in November 2022, NCC Group welcomes the opportunity to respond to the Joint Committee on the National Security Strategy’s written call for evidence and to offer our expertise as a UK-headquartered, globally operating cyber security and software resilience business.
NCC Group’s mission is to make the world safer and more secure. We are trusted by more than 14,000 customers worldwide to help protect their operations from ever-changing cyber threats. We support organisations to identify and assess their security risks, and work with them to remediate and manage vulnerabilities to improve their overall resilience, provide real-time detection and response, and have helped build some of the largest and most well-known bug bounty and vulnerability disclosure programs in the tech industry. Our Threat Intelligence capability provides our customers with regular insights into the current threat landscape and the latest victims of ransomware attacks, using software solutions to gather data on ransomware data leaks on the dark web in real time.
To ensure we keep pace with the rapidly evolving and complex technological environment, we continually invest in research and development as an intrinsic part of our business model. We have many years’ experience researching ransomware, including the tactics, techniques and procedures (known as “TTPs”) deployed by threat actors such as cybercriminals and nation states, the impact on victims, and the steps that can be taken, and tools that can be deployed, to improve an organisation’s resilience against attacks. As well as publishing a Monthly Threat Pulse[1] and Annual Threat Monitor[2], recent highlights include:
Through our work and our research, we see the real-world impact ransomware has on its victims and their wider supply chains. The ransomware ecosystem is becoming increasingly complex and commoditised, and is penetrating all parts of the UK and global economies. While the UK is a leader on cyber resilience in many regards, there is still much more to be done to protect organisations at scale, to appropriately safeguard (overseas) suppliers, and to assure the integrity of the (overseas) supply chains that UK critical infrastructure depends on. It is vital that the Government uses all its levers to prioritise and tackle ransomware, in partnership with the private sector and driven by a culture of information sharing and open dialogue. NCC Group is therefore delighted that the Committee is taking the time to review this important issue, and we are keen to continue supporting the inquiry by sharing our expertise and insights from operating at the ‘coalface’ of cyber security.
Principally, we advocate for a national response to ransomware that:
Below we explore these points in more detail, responding directly to the inquiry’s terms of reference. Unless otherwise stated, the data referenced in this response has been sourced from NCC Group’s Threat Intelligence Team, which gathers data on ransomware ‘leak sites’ on the dark web in real time to provide regular insights into the most recent ransomware victims. By recording this data and classifying the victims by sector[7], we can highlight the sectors that have been targeted and how current ransomware threats compare with previous years and months. Of course, this does not represent the full picture of the ransomware landscape – no single pane of glass that collates all ransomware-related data points currently exists. However, we believe it provides a good overview of the current landscape, and we hope it will assist the Committee in understanding key trends and developments.
The extent and nature of the ransomware threat (including sources), modes of extortion, and how the threat could evolve in future
At a high level, our insights show that the UK is the most targeted country outside of the US, with the number of known UK-based ransomware victims in the first 10 months of 2022 already outstripping the total number in 2021[8]. However, it is worth noting that while we are set to see a year-on-year increase in the number of UK victims, the global picture shows a slight decline in the total number of ransomware attacks, following a 92.7% rise from 2020 to 2021. This may suggest a levelling off following last year’s surge. That said, ransomware remains an ever-present threat that has evolved significantly, becoming increasingly sophisticated and underpinned by complex business models. In particular, we have observed the following developments:
As the ransomware ecosystem develops, other actors are often involved in ransomware attacks, including data managers, accountants and negotiators. All this adds up to an increasingly complex system with tasks and functionality split across several actors in several geographies. It means that the ransomware attack vector has been opened up to a wider range of criminal actors, where previously it was restricted to those with the requisite technical expertise. We also see criminal groups acting more and more like legitimate enterprises, implementing recruitment programmes and establishing HR functions (for example) with coordination around annual leave (as shown through the ContiLeaks[10]).
Levels and sources of vulnerability of UK organisations to ransomware, including operators of critical national infrastructure
The extent to which organisations are resilient to ransomware will depend on a complex mix of incentives, governance, operational hygiene and skills. Nevertheless, the graph below provides an overview of the number of ransomware victims across key sectors of the economy in 2021, based on our analysis, and should give the Committee a sense of the most-targeted sectors in the UK. Of note, the industrials sector was the most targeted by quite some margin, with consumer cyclicals a notable second. Our analysis for the year to date suggests that we will see similar trends in 2022.
We have also observed the following trends and developments through our work and research:
The UK victim experience, including sources of support for prevention, detection and recovery, public-private partnerships, the role of the media, access to and availability of insurance cover, and regulatory requirements placed on ransomware victims
The experience of victims varies significantly depending on who they are. A FTSE100 operator of critical national infrastructure, which is subject to incident reporting requirements and has access to the resources necessary to enact an effective response to an incident, will have a very different experience from a small business. Indeed, the impact of an incident on smaller organisations such as SMEs and charities may be disproportionately large and an existential threat, with cyber hygiene across these organisations remaining poor. While we have not yet observed a notable movement toward small organisations becoming a key target of ransomware attackers, there remains a question as to how small organisations can and should be protected against rising cyberattacks.
Insurance can provide support, increasing resilience while transferring risk. However, this will depend on the type and scope of the policy taken out and whether the organisation in question has been the victim of a cyberattack in the past. Indeed, we have observed rising costs and a tightening of cyber insurance policies over recent months, with some providers no longer covering state-sponsored attacks[12]. In reality, attribution is rarely straightforward, and it can be difficult to ascertain whether a threat actor is linked to a nation state. Therefore, the impact of this policy change could see insurance payouts shrink significantly. More broadly, cyber security risk remains a very difficult thing to insure. In our experience, there remains a notable gap in the data required for insurers to assess the scale of the threat to organisations and thus the risk involved. As we explore in more detail below, we believe that there is a role for Government to play in helping to bridge this information gap, by collating, assessing and distributing more data on the state of UK-wide cyber resilience.
As the Committee points out, public-private partnerships are a critical part of the UK’s “whole of society” approach to tackling cybercrime and enhancing cyber resilience. In particular, the UK’s cyber industry is working closely with law enforcement, the public sector, academia and other private firms to ensure the UK remains confident, capable and resilient in this fast-moving digital world. Vulnerability researchers, for example, identify security vulnerabilities in products, software and services, and work with manufacturers and vendors to fix them before they can be exploited by malicious actors, such as initial access brokers, for nefarious purposes. Meanwhile, threat intelligence researchers detect cyberattacks and gain insight into attackers and victims. Researchers then work with law enforcement and intelligence agencies and pass on this important information, enabling them to defend the UK against rising cybercrime and geopolitical threat actors.
However, the current legal framework, specifically the Computer Misuse Act 1990, is holding back a large proportion of cyber security researchers from doing all they can to protect the UK. This is because the Act, which was written over 30 years ago, imposes a blanket prohibition on all forms of unauthorised access to computer material, irrespective of intent or motive. NCC Group has long been a strong advocate for reform of the Act, which we believe, if done correctly, will greatly strengthen researchers’ ability to fight the scourge of ransomware and other cybercrime, supporting national cyber resilience, driving growth and helping to cement the UK as a global cyber power. The Home Office carried out a review of the Act last year, and we are expecting a response imminently. In the meantime, we would be grateful for anything the Committee could do to make the case for a 21st century Act that reflects modern cyber security practices.
The effectiveness of the response to ransomware by Government, law enforcement agencies and other UK state actors, including key operational challenges and ministerial oversight
The UK Government is, in many regards, world-leading in its approach to tackling ransomware. The UK’s National Cyber Security Centre (NCSC), for example, is, in our experience, the envy of the world, providing free cyber security tools and services and excellent technical advice for businesses and organisations looking to improve their cyber resilience. Recognising that cyber skills are in great demand, the NCSC also works extremely well with the private sector to deliver a genuinely whole-of-society response. Meanwhile, the National Cyber Crime Unit (NCCU) provides national leadership and coordination of the response to significant cyberattacks, while the Government is also developing the UK’s offensive response through the National Cyber Force.
That said, there is some work to be done to ensure that victims and the cyber ecosystem understand whom they should reach out to, and at what level, when seeking different forms of support. We believe that a clear overview of the roles and responsibilities that local, regional, national and supranational actors play in the UK’s response to ransomware, across the prevent, protect, detect, disrupt and deter functions[13], would help in this regard. Further, with access to skills and resources a core challenge for actors within the cyber ecosystem, clarity of responsibility and a push to collaborate more closely across entities would be beneficial. For example, while the Local Cyber Crime Units (LCCUs) embedded in England and Wales’s 43 police forces play an incredibly important role supporting victims at a local level, we must be realistic that many have neither the skills nor the resources needed to provide a full-scale service. We therefore believe that the NCCU should be bolstered and used as a central resource hub which LCCUs can more easily access when dealing with local cybercrime such as ransomware attacks.
Reforms that might enhance the UK’s resilience to ransomware, reduce the economic and societal damage that it causes, and/or support the law enforcement response
Unfortunately, there is no silver bullet solution. Ransomware is a complex, ever-evolving problem that requires a complex, ever-evolving response. We do, nevertheless, believe that there are a number of measures that should be prioritised as part of the nation’s response.
A foundational building block will be a reliable, extensive dataset on the cyber threats facing the UK (and our allies). While data on cyber incidents does exist, and we do not need more data to tell us that ransomware is a pervasive threat, there is currently no centrally coordinated effort to bring these metrics together to build a full picture of the cyber threat landscape. A fuller, centralised dataset would allow the Government to prioritise threats, allocate resources to policy efforts, and measure the success of those efforts. As US National Cyber Director Chris Inglis recently commented[14] when speaking about similar considerations in the US, “to properly address risk, we have to first understand it, we have to understand where it's concentrated, where it cascades, what causes it, and more importantly to then discover how to address it.” We therefore propose establishing an Office for National Cyber Statistics that anonymises, collates and disseminates incident data from existing sources (for example, Action Fraud incident response data; public sector threat information, which – in future – is set to be automated and enhanced right across Government; and incidents reported by critical national infrastructure under the NIS regulations) and new sources (for example, working with the cyber threat intelligence and incident response community to share incident response information more systematically).
In support of this initiative, the Government should consider how it can use ‘carrots’ as well as ‘sticks’ to encourage greater incident reporting. In our experience, organisations are often reticent to report incidents for fear of the reputational and regulatory repercussions. This culture of fear needs to change to one where organisations are encouraged and actively rewarded for their transparency. Only then can we gain a full picture of the threat landscape.
Through our work, we see how frequently attackers exploit poor security practices to gain a foot in the door that results in a ransomware attack. There are, however, a number of low-effort, high-reward ‘secure by design’ steps that can, and should, be taken by organisations and that would hamper much of the initial access activity we see. If, for example, the NCSC’s Cyber Essentials[15] were adopted across the economy, this would greatly increase resilience to ransomware and other attacks. This could be akin to the UK’s health and safety regulations, ensuring all businesses do the low-effort, high-reward basics to create a higher level of protection for everyone. To that end, we welcome the UK Government’s exploration[16] of the steps that could be taken by providers of online services and accounts to better protect users, including SMEs, from cybercrimes committed by actors with a relatively low level of technical sophistication. There is also a question as to whether proportional ransomware insurance cover should be mandated (for example, like car or buildings insurance). As we have set out above, there are challenges with the cyber insurance market that will need to be worked through before such a measure could be explored. Nevertheless, we do believe that insurance will form part of the future solution and enable some degree of protection to be rolled out at scale.
In higher-risk sectors, where the impact of a ransomware attack would be greater (for example, for critical national infrastructure), we believe there is a need for more widespread adoption of realistic, intelligence-driven cyber security assurance testing. The value of such testing has been clearly demonstrated by the CBEST scheme[17] led by the Bank of England for the financial sector, and adopted by the telecoms, civil nuclear and government sectors. These schemes allow the participants, regulators, the NCSC and the Government to understand the cyber risks and resilience issues and respond to the needs of the sector. They are intelligence-led, so the ethical attack teams replicate the tactics, techniques and procedures of known threat actors. Organisations learn which attacks could have an impact and how; assess their ability to detect and respond; and measure the return on their investment and training in improving their cyber resilience. Meanwhile, regulators gain important insight into the actual real-world resilience of, and risk to, their sector, which could be fed back – on an anonymised basis – to the centrally coordinated Office for National Cyber Statistics we proposed above, to help build a (more authoritative) nationwide picture of the threat.
Further, we believe the Government should prioritise assuring the integrity of the UK’s critical supply chains, ensuring that if key suppliers (for example, major cloud providers), particularly where they are based outside the UK, were to be the victims of a ransomware attack, then the impact across the economy would be minimised. To that end, we support the UK Government’s plans to expand the NIS regulations to digital service providers[18]. We also advocate ‘Resilience by Design’, a two-fold approach to mitigating the associated risks that includes:
Use of regulatory levers aside, there is much more that could be done to improve understanding of cyber security concepts across organisations of all sizes and at all levels of seniority, so that decision-makers can make informed decisions about their cyber resilience proportionate to the risks they face. We need a step change to demystify cyber and embed awareness and incentives into everyday conversations, making it an integral part of our national psyche. At the heart of this should be the concept of ‘pervasive cyber literacy’ – a basic level of cyber competence across all levels of society, age groups and professions to allow everyone to use technology securely. This could involve:
As well as establishing a base level of digital and cyber literacy across society, we also need to train and attract a skilled cyber workforce who can defend the UK online. However, there remains a significant skills shortage, and much more needs to be done to encourage talent into the profession, particularly people from diverse and underrepresented backgrounds. This should include:
The scope for international cooperation to combat the global ransomware threat more effectively, including on crypto-currency regulation
When it comes to tackling ransomware and other cybercrime, no country is an island. As set out above, the criminal landscape is complex, involves many actors and the complicit involvement of nation states, and cyberattacks very rarely originate from the UK alone. In addition, even if the UK were impervious to ransomware, overseas suppliers – many of whom are critical to the functioning of the UK economy and critical national infrastructure – may not be. Close international cooperation is therefore critical and should be front and centre of UK policymakers’ minds when developing the UK’s approach to ransomware. Specifically, we recommend that the Government:
Lessons that could be learned from other countries’ approaches and responses to ransomware
The UK is comparatively mature in its approach to ransomware and cyber resilience. Nevertheless, the UK could draw on the US Federal Government’s full statecraft approach to ransomware, using all the statecraft tools at our and our partners’ disposal to disincentivise nation state threat actors at scale.
15 December 2022
[1] See latest version here: NCC Group Monthly Threat Pulse – October 2022 | NCC Group Newsroom
[2] Annual Threat Monitor 2021 (nccgroup.com)
[3] Conti's blockchain plans: an ominous prospect | NCC Group Newsroom
[4] “We wait, because we know you” Inside the Ransomware negotiation economics | NCC Group Newsroom
[5] Deception Engineering: exploring the use of Windows Service Canaries against ransomware – NCC Group Research
[6] Understanding the Impact of Ransomware on Patient Outcomes – Do We Know Enough? – NCC Group Research
[7] We categorise organisations based on The Refinitiv Business Classification: TRBC Sector Classification | Refinitiv
[8] We recorded 189 UK-based ransomware victims in 2021. We have recorded 204 UK-based ransomware victims in 2022, up to 31/10/2021.
[9] A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person. phishing - Glossary | CSRC (nist.gov)
[10] Conti's blockchain plans: an ominous prospect | NCC Group Newsroom
[11] Predatory Sparrow: Did hackers start this steel factory fire in Iran? - BBC News
[12] For example: Market bulletin (lloyds.com)
[13] National Cyber Strategy 2022 (HTML) - GOV.UK (www.gov.uk)
[14] National cyber director backs new Bureau of Cyber Statistics - FCW
[15] About Cyber Essentials - NCSC.GOV.UK
[16] Call for information: Unauthorised access to online accounts and personal data - GOV.UK (www.gov.uk)
[17] CBEST Threat Intelligence-Led Assessments | Bank of England
[18] Proposal for legislation to improve the UK’s cyber resilience - GOV.UK (www.gov.uk)
[20] In SS2/21, the UK PRA encourages firms to explore appropriate and viable resiliency options including contractual and escrow arrangements: SS2/21 'Outsourcing and third party risk management' (bankofengland.co.uk)