This is a House of Commons Committee report, with recommendations to government. The Government has two months to respond.
Ransomware is a form of malware designed to damage, destroy or deny access to computers and computer systems, typically by encrypting their data, in order to facilitate extortion. It is also increasingly linked to data theft, and to threats to publish stolen sensitive information online. Mass data loss from an attack can be irreversible, even when the ransom is paid. Because of its potential to bring the UK to a standstill, ransomware has been identified by UK authorities as the number one cyber threat to the nation.
Having ‘exploded’ in 2021, the ransomware threat is still as severe as it has ever been, and the UK is one of the most targeted countries in the world. A mature and complex ecosystem has evolved, involving increasingly sophisticated threat actors; ransomware is also now marketed as a service (‘ransomware-as-a-service’), which can be purchased by those with no part in developing it, e.g. criminal gangs, making it more widely available to anyone who wishes to inflict harm for profit. Past attacks have shown that ransomware can cause severe disruption to the delivery of core Government services, including healthcare and child protection, as well as ongoing economic losses.
The majority of ransomware attacks against the UK are from Russian-speaking perpetrators, and the Russian Government’s tacit (or even explicit) approval of this activity is consistent with the Kremlin’s disruptive, zero-sum-game approach to the West. This is not a straightforward state threat, however. For many Russian hackers, ransomware is simply an easy way to make large sums of money, with next-to-no chance of being caught or prosecuted.
The Government and the National Cyber Security Centre (NCSC) have focused their counter-ransomware efforts predominantly on resilience. Nevertheless, large swathes of UK critical national infrastructure (CNI) remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems, and we have particular concerns about cash-strapped sectors such as health and local government. Supply chains are also particularly vulnerable and have been described by the National Crime Agency (NCA) as the ‘soft underbelly’ of CNI.
As a result of these vulnerabilities, a coordinated and targeted attack has the potential to take down large parts of UK CNI and public services, causing severe damage to the economy and to everyday life in the UK. Given the poor implementation of existing cyber resilience regulations, the Government should scope the feasibility of establishing a cross-sector regulator on CNI cyber resilience. As part of the National Exercise Programme, it should also hold regular national exercises to prepare for the impact of a major national ransomware attack affecting multiple CNI sectors, engaging CNI operators to stress-test their response and ensure a swift recovery. In addition, the NCSC should be funded to establish an enhanced and dedicated local authority resilience programme, including intensive support for local exercising and on securing council supply chains.
The impact of a ransomware attack on its victims is significant, with many organisations taking months to recover. Despite this, most victims currently receive next-to-no support from law enforcement or Government agencies. The NCSC and National Crime Agency (NCA) should be funded to provide support to all public sector victims of ransomware, to the point of full recovery. Cyber insurance can also be a vital source of support, but there remains a woeful lack of coverage. The Government should work with the insurance sector to establish a re-insurance scheme for major cyber-attacks, to ensure the sustainability and accessibility of the market. It should also establish a central reporting mechanism for ransomware attacks, to ensure that it has a full understanding of the nature and scale of the threat, and how best to tackle it.
The Home Office claims the lead on ransomware as a national security risk and policy issue, but the former Home Secretary showed no interest in the topic. It has been suggested by some observers that clear political priority in the Home Office is given instead to other issues, such as illegal migration and small boats. In line with many other aspects of cyber security, and to ensure that it is treated as a cross-government national security priority, responsibility for tackling ransomware should be transferred from the Home Office to the Cabinet Office, in partnership with the NCSC and NCA. It should also be overseen directly by the Deputy Prime Minister.
The Government has published an ambitious National Cyber Strategy (NCS), but its progress reporting is currently poor. The National Audit Office (NAO) should review the Government’s implementation of the NCS, and the Government should establish a National Security Council sub-committee, to oversee progress against each of the Strategy’s five ‘pillars’ at least twice per year. The Government must also bring forward legislation urgently to update the Computer Misuse Act, which is now over 30 years old.
The National Crime Agency is locked in an uphill struggle against the ransomware threat, with insufficient resources and capabilities to match the scale of this challenge. The Government should invest significantly more resources in the NCA’s response to ransomware, enabling it to pursue a more aggressive approach to infiltrating and disrupting ransomware operators. It should also address the pay disparity between police and NCA officers, and invest sufficiently in the skills needed to track and seize ransomware criminals’ cryptocurrency earnings.
There is a high risk that the Government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking. If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security.