Supplementary written evidence submitted by Rt Hon Oliver Dowden MP,
Deputy Prime Minister
Thank you for inviting me, together with the Security Minister and Lindy Cameron, to give evidence to the committee as part of your inquiry looking at ransomware. The UK Government welcomes this inquiry into what the Government regards as a serious national security threat and one of the most significant cyber threats facing the UK.
Ransomware is a complex and evolving cyber threat that requires a broad and multi-faceted response from the UK Government, law enforcement and intelligence services, industry, civil society and international partners. Despite concerted efforts over a number of years, ransomware remains a problem that no government in the world can claim it has managed to solve.
Cyber threats have been a consistent priority for the Government since at least 2011. The National Cyber Strategy 2022 and its predecessors set out the UK’s aims as a cyber power in a more volatile and contested world.
Session Follow Up
During the session we discussed ongoing work in the Cabinet Office and across the UK Government to tackle ransomware and ensure the resilience of our critical public services and national infrastructure. I noted to the Committee that I would provide further information, as set out below:
Thank you for writing with your specific follow up questions. With thanks to the Home Office and NCSC, we have outlined our answers below.
The threat to the UK
1. The National Cyber Security Centre’s Annual Review 2023 quoted the UK’s cyber chief who said that the threat to the nation’s most critical infrastructure is ‘enduring and significant’. Can you state plainly if the cyber threat to the UK has therefore increased?
2. What empirical evidence has been used to come to this conclusion?
While the 2023 NCSC Annual Review cites an increase in ransomware incidents this year (evidenced by several different measures/sources), this does not necessarily mean the NCSC assesses there to be an increased threat from ransomware in the round; as explained in their Annual Review, there are several reasons why we may be seeing more incidents, including better detection, reporting, and tracking of incidents. Between September 2022 and August 2023, the NCSC received 297 reports of ransomware activity (‘tips’), triaged into 28 NCSC-managed incidents, 18 of which were categorised as C3 and above. The top five sectors reporting into the NCSC were academia (50), manufacturing (28), IT (22), finance (19) and engineering (18).
Detailed evidence of this has been provided in the NCSC’s Annual Review and in the referenced article on the NCSC website. The recently published joint NCSC / NCA white paper, ‘Ransomware, extortion and the cyber crime ecosystem’ also provides additional context.
3. Please set out who might be covered by the offer from the NCSC to provide assistance to high-risk individuals and will the NCSC receive additional funding to provide this assistance?
The NCSC has expanded its offer of support to those whose public profile would increase the risk of them being targeted by a nation state, as discussed in their 2023 Annual Review. This follows a rise in individuals’ personal accounts being targeted instead of corporate ones. This is not a mass campaign against the public but a persistent effort to target people with a public profile whom attackers consider might hold information of interest. Russia-based and Iran-based actors continue to conduct spear-phishing campaigns against politicians, journalists, activists, and other groups.
The NCSC has been working with the Defending Democracy Task Force, the Joint Election Security Preparedness Unit and the Electoral Commission to expand the offer of personal support to all candidates and Returning Officers ahead of the General Election and Mayoral Elections. This includes a review of existing online guidance to create a new Defending Democracy collection of guidance (the first piece is on ‘High Risk Individuals’). The NCSC is also developing a “Day One” offer with the Government Security Group and Parliamentary Security Directorate (PSD) for new Ministers, Private Offices/SPADs and new Parliamentarians. It has also supported PSD as it has recently stood up its PCAS service (Personal Cyber Assistance Service). The service provides hands-on support for parliamentarians’ personal devices and personal accounts. The NCSC offer for high-risk individuals has been extended via the PCAS service, and lessons shared across the UK Parliament, Scottish Parliament, Welsh Assembly and Northern Irish Assembly.
The NCSC has also launched an Account Registration service which enables high-risk individuals to register key identifiers, such as personal email addresses and social media accounts, with the NCSC. The NCSC will not monitor these accounts but will use this information to notify individuals if the NCSC becomes aware that an account might be involved in a cyber incident. The NCSC will also inform individuals if there are additional services available from industry which might add extra protections to their accounts.
Both NCSC’s Account Registration service and Parliament’s PCAS were offered to all MPs in a joint letter from Mr Speaker and the Security Minister. A similar joint letter was sent to Peers co-signed by the Lord Speaker.
As the Committee will be aware, under the Justice and Security Act 2013 the Intelligence and Security Committee oversees the expenditure, administration, policy and operations of the Agencies, including the NCSC.
Industrial Control System (ICS) Cyber Lab project
4. Building upon the information shared during the evidence session on 15 November can you provide more information on the ICS Cyber Lab project, including but not limited to, the scope of the project and what impact this project will have on CNI operators?
The NCSC has shared all information in scope of this question during the oral evidence session.
Local Government preparedness
5. Have your expectations of cyber maturity changed and has the Government’s standard of ‘preparedness’ for Local Government changed, specifically since 2021? If it has, please set out the developments which have taken place from 2021 onwards.
Security expectations, in particular that citizens' data should be appropriately protected, have remained consistent across various iterations of government strategy. What has changed is the exact nature of the targets that we have set and the ways we measure performance against them.
From 2016 to 2021 the National Cyber Security Strategy considered the security of all government services, including local, laying the foundations for effective risk management.
In January 2022, the Government Security Group published the Government Cyber Security Strategy. This strategy sets the target for government’s most critical functions to be significantly hardened to cyber attack by 2025, with all government organisations, including local authorities, being resilient to known vulnerabilities and common attack methods by 2030, reflecting the high levels of exposure across the local government sector exemplified by the attacks on Redcar and Cleveland and Hackney Councils in 2020.
6. What percentage of local authorities currently meet the desired standard and how much resource is devoted to providing information and operational responses?
I am unable to provide an assessment of the vulnerabilities of local authorities at this classification. Annex A provides information at a higher classification, which is not for further dissemination or sharing publicly.
7. The NCSC’s Annual Review is largely silent on the issue of local preparedness and resilience despite the report showing that 73% of cyber-attack reports are coming from Local Government and local services. Please set out what the Government is doing to ensure that local authorities and services are well protected and able to recover quickly?
Under the Lead Government Department model, the cyber resilience of Local Authorities is the responsibility of the Department for Levelling Up, Housing and Communities.
Since 2020, DLUHC’s Cyber Support programme has provided grant funding of £19.9m, and access to expert technical support, to 192 local authorities. Additionally, DLUHC’s cyber security partner has delivered Cyber Clinics to a total of 584 representatives from 153 councils. Councils enrolled in cyber support have email security settings checked monthly, and 530 vulnerability scans have been conducted to date, helping local authorities better understand their risk profiles.
Local Government’s capacity to recover from cyber attack has greatly improved since 2020. When DLUHC started its cyber remediation work, secure offline backups of critical data were highlighted as a significant risk to the sector’s recovery capacity. Now 90% of councils have fully implemented offline backups of their critical data, and the remaining 10% have work in progress to achieve this by April. Additionally, DLUHC’s cyber remediation support encourages local authorities to develop and test incident response plans, utilising NCSC resources and the support of our technical partner.
Finally, DLUHC is rolling out the Cyber Assessment Framework (CAF) to local governments which will provide a clear and objective view of cyber resilience and enable DLUHC to target future interventions.
Insurance
8. According to what metrics does the Government judge the adequacy of the cyber insurance market? What financial provision has Government made to sustain critical sectors in the event of a major ransomware attempt against parts of our critical national infrastructure? And in what respects do you think the insurance market is providing adequately for ransomware attacks?
The Government meets regularly with insurers operating in the cyber insurance market to develop its understanding of the market, including its ongoing development and any challenges that are emerging. DCMS also carries out its annual Cyber Security Breaches survey that gathers information about which organisations hold cyber insurance policies, insurance claims, and what cover is being provided.
The Government recognises the important role that cyber insurance plays in helping to build resilience to cyber attacks and remains keen to work with industry to maximise commercial insurance coverage. For example, the Government worked with the Information Commissioner's Office and the Association of British Insurers to release anonymised cyber breach data to insurers to improve their modelling and help ensure premium prices are risk reflective. DSIT, NCSC, the Home Office and HMT are jointly focused on exploring ways the Government can help strengthen and grow the UK cyber insurance market.
Ransomware cover is available from the commercial market, though some challenges remain. The Government continues to work closely with the insurance market to monitor and understand challenges around the provision of cover for ransomware.
Reporting
9. How confident are you that ransomware victims report attacks to the NCSC and what is the Government doing to increase oversight and understanding of ransomware attacks across the UK, especially if some go unreported?
Under-reporting is a recognised issue affecting our understanding of the scale of ransomware affecting the UK. There is no mandatory requirement to report incidents to the authorities in the UK; however, victims of cyber-attacks, including ransomware, routinely seek assistance from the NCSC (297 reported in the past year) and report to the police via Action Fraud, as well as to the Information Commissioner’s Office (ICO) where the regulatory thresholds are met.
Most organisations should report into law enforcement rather than NCSC if they are undergoing a ransomware attack, and we have put in place a range of interventions to provide support to mitigate the impact, alongside improving confidence in the UK’s response. There is now a 24/7 reporting hotline as part of Action Fraud, with trained specialists for organisations to contact if they are undergoing a ransomware attack. Depending on the severity of the attack the relevant law enforcement or NCSC team will contact the victim within two hours to provide further support. The Enhanced Cyber Reporting Service has also been established within Action Fraud to provide more bespoke advice when reporting, and the Cyber Protect Network has police officers and staff across the country who can engage with victims to mitigate the impact and ensure they are aware of how to improve their cyber security position to avoid revictimisation.
The Government is working to improve data sharing across all relevant agencies to ensure fuller understanding of the threat and to provide a comprehensive evidence base for policy makers considering the available options to address the ransomware threat.
Computer Misuse Act 1990
10. When does the Government intend to legislate on the review findings and update the Computer Misuse Act?
The Home Office’s programme of work relating to the review of the Computer Misuse Act is still underway, and an update will be provided to Parliament in due course.
To inform the work, the Home Office has liaised closely with law enforcement, prosecutors, system owners, academics and cyber security professionals to further examine this issue. That phase of the review has now concluded and officials are in consultation with Ministers on possible future phases of the review.
In the interim, the Home Office has now published the response to the consultation on the review of the Computer Misuse Act. It is essential that the UK has the right legislative framework to allow us to tackle the harms posed to our citizens, businesses and government services online. The work on this consultation reflects the Government’s continued commitment to that legislative framework.
When publishing the consultation, the Home Office also responded to three wider issues which arose in the Call for Information which previously ran in 2021. These related to the levels of sentencing, statutory defences to the CMA offences, and whether the UK has sufficient legislation to cover extra-territorial threats.
11. Please explain in detail how the Criminal Justice Bill brought forward in the King’s Speech 2023 is a suitable alternative to updating the Computer Misuse Act 1990 and when does the Government aim for the Bill to receive royal assent?
In addition to the Home Office’s wider review of the CMA, as the Security Minister mentioned during his evidence to the Committee, the Criminal Justice Bill was introduced on 14 November and includes a power for law enforcement and other investigative agencies to apply to the court for the suspension of domain names and IP addresses being used in serious crime. Being able to suspend access can prevent harm to individuals and businesses in the UK, such as through fraud and unauthorised access to systems.
The UK currently utilises public / private partnerships where industry will voluntarily suspend criminal activity in most cases. This results in the UK cyber landscape being one of the safest in the world. However, outside of the UK, where most of the cyber crime takes place, such voluntary arrangements are less likely to exist. Many organisations ask for a court order before they will act. UK law enforcement agencies therefore need a formal process to request action by organisations.
This measure has been introduced alongside the Home Office’s wider programme to review the CMA and it is not intended to supersede that work.
30 November 2023