UK ransomware attack could bring country to a "standstill" as scathing report calls for greater security investment


The UK is chronically unprepared for ransomware attacks against critical national infrastructure (CNI) and could be “brought to a standstill” by a future incident, a new report has warned. 

According to parliament’s Joint Committee on the National Security Strategy (JCNSS), the UK is one of the most targeted countries in the world, with attacks predominantly coming from Russian-linked threat actors.

The committee report bemoaned the current state of UK ransomware preparedness, warning that the country could face significant challenges in repulsing future attacks.

"Large swathes of UK critical national infrastructure (CNI) remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems, and we have particular concerns about cash-strapped sectors such as health and local government," the committee said.

"As a result of these vulnerabilities, a coordinated and targeted attack has the potential to take down large parts of UK CNI and public services, causing severe damage to the economy and to everyday life in the UK."

Existing cyber resilience regulations are poorly implemented, the committee said.

As such, it recommends the government should consider setting up a cross-sector regulator on CNI cyber resilience.

It also advised the establishment of regular national exercises to prepare for the impact of a major national ransomware attack affecting multiple CNI sectors. This would involve critical infrastructure organizations stress-testing their response and ability to recover.

Meanwhile, the National Cyber Security Centre (NCSC) should be given the resources to set up a dedicated local authority resilience program and should also, in collaboration with the National Crime Agency (NCA), be funded to provide support to all public sector victims of ransomware to the point of full recovery.

The NHS was cited as being particularly vulnerable, thanks to a 'vast estate' of legacy infrastructure and inadequate resources.

"Our team recently discovered that only a handful of NHS Trusts hold a dedicated cybersecurity budget and very few have security teams that are larger than one or two members of staff," comments Mike Newman, CEO of My1Login.

"The research also highlighted that most NHS staff only undertake less than two hours' security training annually, but given that most ransomware attacks are executed through phishing, this is an issue that must be remediated immediately."

UK ransomware response requires 'cross-government' approach

Calling for cyber security to be taken more seriously, the committee said it should be treated as a cross-government national security priority. 

Responsibility for tackling ransomware should be transferred from the Home Office to the Cabinet Office, in partnership with the NCSC and NCA, it said, and should also be overseen directly by the deputy prime minister.

"The Home Office claims the lead on ransomware as a national security risk and policy issue, but the former home secretary showed no interest in the topic," the committee said.

"If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK's national security."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.