In May 2021, president Joe Biden declared a national state of emergency after a ransomware attack by Russian DarkSide forced one of the United States’ largest and most vital oil lines to shut down for six days.
Today in the UK we are at high risk of a catastrophic cyber-attack at any moment. Ransomware is a type of malicious software — ‘malware’ — designed to damage and destroy computer systems, usually to facilitate extortion.
It can cause severe disruption to the delivery of core government services, including healthcare and child protection, as well as ongoing economic losses. Swathes of UK critical national infrastructure (CNI) – much of which is operated by the private sector — remain vulnerable to ransomware, especially where sectors still rely on legacy IT systems.
Victims have described going ‘back to a pre-computer era of the 1950s in mere minutes’ as they were locked out of digital systems and forced to resort to pen and paper. A coordinated and targeted attack has the real potential to bring the country to a standstill.
The majority of ransomware attacks against the UK are from Russian-speaking perpetrators, and the government is almost certain that Russian actors sought to interfere in the 2019 general elections. With new UK and US elections on the horizon, we can expect to see the integrity of our democratic systems tested again soon.
But as the Joint Committee on National Security Strategy that I chair reports today, the UK’s response to this national security threat is severely lacking. Our main legislative framework, the Computer Misuse Act, is irresponsibly outdated – it was introduced before the arrival of the internet – and government missed another chance to rectify this in the latest King’s Speech.
The agencies tasked with detecting, responding to, and recovering from ransomware attacks – and degrading further attack capabilities – are under-resourced and lacking key skills and capabilities: a situation likened in evidence to having an international airport without yet having X-ray equipment, sniffer dogs or financial intelligence capability.
The result is that the UK’s civil and criminal asset recovery statistics make for ‘horrific reading’. Actors like the North Korean Lazarus Group – responsible for 2017’s Wannacry attack that affected over 200,000 computers in more than 150 countries including UK’s NHS, US FedEx, Deutsche Bahn, Honda, Nissan and LATAM Airlines – remain a persistent threat, their capabilities un-eroded by our current level of response.
Most victims — including important elements of the public sector, local authorities struggling under deep budget cuts, schools and colleges – currently receive next-to-no support from law enforcement or government agencies. This is in stark contrast to victim support for comparable thefts or ransom demands in the offline world. There is a woeful lack of UK coverage for cyber insurance and premiums are unaffordable: the sector needs intervention to establish a re-insurance scheme for major cyber-attacks, akin to Flood Re.
The official position is that UK victims should report attacks and should not pay ransoms — but paying is the only viable option for many to keep their businesses afloat and prevent damaging data leaks, and the reputational risk discourages most from systematic reporting. This means we are also lacking the information about these attacks that would enable us to respond more effectively.
If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to this pernicious threat to the UK’s national security. Despite the clear and present danger, the Home Office has appeared disinterested, focused instead on illegal migration and small boats.
Responsibility for tackling ransomware should be shifted to the Cabinet Office, overseen directly by the deputy prime minister, in concert with a National Cyber Security Centre (NCSC) and NCA. The NCSC and NCA should be resourced to provide negotiation, recovery and remediation capabilities to all public sector victims of ransomware to the point of full recovery. They need resourcing to fight back, to erode malign actors’ capabilities: we cannot only tackle this threat defensively.
The UK has the dubious distinction of being one of the world’s most cyber-attacked nations. It is clear to the committee that the government’s investment in and response to this threat are not equally world-beating, exposing us to catastrophic costs and destabilising political interference. In the likely event of a massive, catastrophic ransomware attack, the failure to rise to meet this challenge will rightly be seen as an inexcusable strategic failure.
Politics.co.uk is the UK’s leading digital-only political website, providing comprehensive coverage of UK politics. Subscribe to our daily newsletter here.
