CNI ‘vulnerable to ransomware’

by Mark Rowe

Large swathes of UK critical national infrastructure (CNI) remain vulnerable to ransomware, particularly in sectors still relying on legacy IT, a committee of parliamentarians reports.

The Joint Committee on the National Security Strategy, a committee of peers and MPs that considers the National Security Strategy, points to ‘particular concerns about cash-strapped sectors such as health and local government’ in a report about ransomware and UK national security, titled ‘A hostage to fortune’.

It opens vividly with a February 2020 example of Redcar and Cleveland Borough Council that ‘suffered a “catastrophic” ransomware attack’ that left it without telephones, email or computers; not even records or documents. The council refused to pay the ransom; recovery took eight and a half months.

The report states that having ‘exploded’ in 2021, the ransomware threat is still as severe as it has ever been, and the UK is one of the most targeted countries. “A mature and complex ecosystem has evolved, involving an increasingly sophisticated threat actor; ransomware is also now marketed as a service, which can be purchased by the uninvolved e.g. criminal gangs, making it more widely available to those who wish to inflict harm for profit. Past attacks have shown that ransomware can cause severe disruption to the delivery of core Government services, including healthcare and child protection, as well as ongoing economic losses. The majority of ransomware attacks against the UK are from Russian-speaking perpetrators, and the Russian Government’s tacit (or even explicit) approval of this activity is consistent with the Kremlin’s disruptive, zero-sum-game approach to the West. This is not a straightforward state threat, however. For many Russian hackers, ransomware is simply an easy way to make large sums of money, with next-to-no chance of being caught or prosecuted. The Government and the National Cyber Security Centre (NCSC) have focused their counter-ransomware efforts predominantly on resilience.

“Supply chains are also particularly vulnerable and have been described by the NCA [National Crime Agency] as the ‘soft underbelly’ of CNI. As a result of these vulnerabilities, a coordinated and targeted attack has the potential to take down large parts of UK CNI and public services, causing severe damage to the economy and to everyday life in the UK. Given the poor implementation of existing cyber resilience regulations, the Government should scope the feasibility of establishing a cross-sector regulator on CNI cyber resilience. As part of the National Exercise Programme, it should also hold regular national exercises to prepare for the impact of a major national ransomware attack affecting multiple CNI sectors, engaging CNI operators to stress-test their response and ensure a swift recovery. In addition, the NCSC should be funded to establish an enhanced and dedicated local authority resilience programme, including intensive support for local exercising and on securing council supply chains.”

You can read the report on the UK Parliament website.

Comments

Deryck Mitchelson, Global CISO at Check Point Software Technologies, said: “These warnings are nothing new and they reflect the situation we see in the UK, with one out of every 90 organisations impacted by a ransomware attack. Our critical national infrastructure is vulnerable and unprepared, and talking about who is or is not responsible does not move the needle on the issue.

“We are entering a critical period in the year as people take leave around the holidays. Unfortunately, it would come as no surprise to me if we once again see a major successful ransomware attack disrupt our public and critical services over the festive period, most of which would be easily preventable.”

Mark Jow, Technical Evangelist EMEA at the cloud and network security product company Gigamon, spoke of a significant gap between where government cyber-resilience is now and where it needs to be. “Government CISOs are still contending with siloed systems, ranging from complex legacy platforms to new digital hybrid environments, struggling with scarce resources. These environments will remain the prime candidates for bad actors to exploit until these CISOs have the opportunity to get their house in order. The challenge is that digital transformation is essential to driving the cost efficiencies and quality of service improvements that the governments need to drive in public sector organisations. But at the same time, if security isn’t baked into projects from the start, this can unwittingly widen the public sector’s cyber-attack surface.”

Mike Newman, CEO of My1Login, called it a damning report on the Government that highlights potentially devastating failings in the UK’s cyber defences.

“The report highlights that not enough is being done to protect our critical national infrastructure, which could result in criminals cutting off essential supplies or causing massive financial damage. Nation state attacks are becoming more frequent, so the chances of an adversary targeting the UK to cause societal damage are highly likely. The government must work to improve its defences.

“The report also discusses cybersecurity concerns around the NHS, which echo the findings of recent research by My1Login. Our team recently discovered that only a handful of NHS Trusts hold a dedicated cybersecurity budget and very few have security teams that are larger than one or two members of staff. The research also highlighted that most NHS staff only undertake less than two hours’ security training annually, but given that most ransomware attacks are executed through phishing, this is an issue that must be remediated immediately.

“We don’t want another WannaCry on our hands again any time soon.”

Jamie Akhtar, CEO and co-founder of UK-based cybersecurity company, CyberSmart, said: “You only need to look at recent events, such as the hack of the Sellafield nuclear site, to see that the UK has become a target for CNI attacks. Geopolitics coupled with a lack of cyber preparedness throughout UK society has made it an enticing target for everyone from state-sponsored hackers and organised groups to more everyday, opportunistic cybercriminals.

“This is not to say the UK government hasn’t been trying to mitigate the risks. Government statements are right to point to its investment in the UK’s cyber strategy and schemes aimed at improving the nation’s security baseline like the NCSC’s Cyber Essentials certification.

“Nevertheless, the adoption of Cyber Essentials and basic security measures could be higher. There’s still work to be done to build cyber awareness throughout UK society. The current measures taken by the UK are a great start, but both the government and its partners in the private sector need to see this as only the beginning. Cybercriminals won’t stop innovating and neither should we in our attempts to thwart them.”

Good old ransomware may well attain the status of a global cyber pandemic in 2024, says Dr Ilia Kolochenko, Chief Architect at ImmuniWeb. “The underlying infrastructure, spanning from exploits and data encryption malware to cryptocurrency laundering services, becomes readily available as a service on a pay-as-you-go scale. After compromising a website and making your victim click on the malicious page, even beginners can start getting payments in bitcoins if they are lucky enough. Of note, no AI is required herein.

“Worse, amid the unfolding geopolitical tensions and global uncertainty, law enforcement agencies and prosecutorial authorities have no more possibility to collaborate in complex cross-border investigations of organized cybercrime efficiently. Ultimately, cyber gangs calmly operate from non-extraditable jurisdictions with impunity, enjoying steadily growing income paid by desperate victims.

“Given that from an economic viewpoint ransomware is a scalable and highly profitable business, we will likely see its hydra-like proliferation around the globe next year. Extortion tactics are likewise poised to become more nefarious and lucrative, for instance, with double extortion (asking ransom from both the breached company and individual victims) as well as threats to report the data breach to authorities in case of non-payment.

“In addition to ransomware, next year we shall expect massive and unpredictable attacks of politically motivated hacktivists on innocent companies and organizations from specific countries or regions. Those attacks will likely be highly destructive, aiming at paralyzing operations of businesses having little to no connection with the political processes of their countries of incorporation. Worst, cyber infrastructure of hospitals, schools and even critical national infrastructure (CNI), such as water supply facilities, may suffer long-lasting and irreparable damage.”

Background

To quote from the UK strategic policing requirement, revised as of February 2023, sectors of the Critical National Infrastructure include: chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport and water. A ‘national cyber event’ that covers cyber-attacks across the CNI is listed as one of seven ‘national threats’; the others are violence against women and girls, terrorism, serious and organised crime (SOC, which includes fraud and drug crime), child sexual abuse, public order and civil emergencies.

© 2024 Professional Security Magazine. All rights reserved.