The Joint Committee on National Security Strategy (JCNSS) has warned that the UK is “A hostage to fortune: ransomware and UK national security.”
The report into the UK readiness for a cyber-attack on critical national infrastructure says the Home Office have no significant plans for a bad ransomware attack which the JCNSS considers the UK to be at high risk.
The report warns that such an attack would likely cause “severe disruption” to the delivery of core government services, including healthcare and child protection. It has the potential to “bring the country to a standstill.”
It points out that there have been numerous cybersecurity compromises in the public realm of late, including on several police forces and St Helens council.
The National Cyber Security Centre (NCSC) describes critical national infrastructure (CNI) as national assets essential for society’s functioning, including energy supply, water supply, transportation, health and telecommunications.
The report summary states the committee’s concerns about the more cash-strapped aspects of CNI, such as health and local government. These are run largely on legacy infrastructure, and the awareness and enforcement of cybersecurity are typically poor. The report notes the vulnerability of supply chains and the poor implementation of existing cyber resilience regulations.
JCNSS chair Dame Margaret Beckett said: “The UK has the dubious distinction of being one of the world’s most cyber-attacked nations. It is clear to the committee that the Government’s investment in and response to this threat are not equally world-beating, exposing us to catastrophic costs and destabilising political interference.
“In the likely event of a massive, catastrophic ransomware attack, the failure to rise to meet this challenge will rightly be seen as an inexcusable strategic failure. Our main legislative framework is irresponsibly outdated, and Government missed another chance to rectify this in the latest King’s Speech.
“The agencies tasked with detecting, responding to and recovering from ransomware attacks – and degrading further attack capabilities – are under-resourced and lacking key skills and capabilities.”
Ransomware and its risks to CNI are the responsibility of the Home Office. Still, the report states that former Home Secretary Suella Braverman showed no interest in this critical component of national security.
The report recommends that in line with other aspects of cyber security, responsibility for tackling ransomware should be transferred to the Cabinet Office, in partnership with the NCSC and NCA, and overseen directly by the Deputy Prime Minister.