The UK will remain “exposed and unprepared” for a potentially catastrophic ransomware attack if it continues to adopt a head-in-the-sand approach to the looming threat, an influential parliamentary committee has warned.
Joint Committee on the National Security Strategy (JCNSS) chair, Margaret Beckett, made the comments as the committee published the government’s response to its year-long inquiry. That inquiry published its findings back in December 2023, warning the government is doing little to prepare for the high risk of a “catastrophic” ransomware attack.
In her comments yesterday, Beckett likened the government’s attitude to the lack of preparation and planning that ultimately led to a shambolic pandemic response – even though such an event was at the top of the UK’s national risk register for years.
“In this response to our ransomware report, it is ever clearer that government does not know the extent or costs of cyber-attacks across the country – though we’re the third most cyber-attacked country in the world – nor does it have any intention of commensurately upping the stakes or resources in response,” she argued.
“If the government insists on operating the ostrich strategy for national cyber-security – based on legislation made before the internet arrived, centered on a department that seems to have difficulty mustering much interest in the issue, and in stark contrast to the cyber-attackers who are so fantastically well co-ordinated and resourced – where is the pro-active national security response to protect the UK supposed to come from?”
Beckett raised several points:
- The government continues to insist the regulatory model is fit for purpose, but the regulators themselves say limitations in their capabilities and the regulations are preventing them from making full use of their powers
- 42% of operators of essential services have said they don’t have the skills and capacity to deliver their obligations under the Security of Network & Information Systems Regulations (NIS Regulations)
- The government claims that a mere 21% resource uplift for the National Crime Agency (NCA) is commensurate with the resource needed to tackle cybercrime
- The government needs to make a new offer of support for local authorities, in tandem with the National Cyber Security Centre (NCSC), and work more closely with insurers and the private sector
- The government doesn’t acknowledge how unaffordable the insurance market is for cyber-attack victims such as local authorities and small companies and doesn’t agree that public intervention is necessary
- The government is aware of how unprepared and unsupported local authorities are for a ransomware attack but is planning to do nothing to help them build capability and skills
One bright spot is that an upcoming Competition and Markets Authority review will integrate the JCNSS report’s recommendations, with possible “urgent legislation” on the way.
JCNSS Sticks to its Task
In the meantime, the committee said it will continue to monitor whether the assertions the government made in rejecting its key recommendations are borne out by the evidence. These include the assertion that its National Cyber Strategy will reduce the volume and size of cyber-attack insurance claims, meaning the government doesn’t need to intervene in the insurance market.
My1Login CEO, Mike Newman, said the government’s response to the JCNSS report is alarming.
“If the findings in the report are correct, it sounds like the UK is highly vulnerable to a devastating ransomware attack. No one can say for sure what this will look like, but with automation now being used to facilitate electrical, water and gas supplies into people’s homes, there is a high chance important utilities would be the target,” he added.
“Nation state attacks are becoming more frequent, so the chances of an adversary targeting the UK to cause societal damage are highly likely. The government must work to improve its defenses, before it’s too late.”