
UK Government Potentially Vulnerable to a Catastrophic Ransomware Attack on Critical Infrastructure

A parliamentary committee report warns that the UK government is at high risk of a catastrophic ransomware attack that could bring the country to a standstill.

Describing the possibility as a major national security threat, the Joint Committee on the National Security Strategy (JCNSS) report warned that the attack could significantly impact citizens and the economy.

It warned that the ransomware attack could severely disrupt core government services such as healthcare, posing “a threat to physical security or safety of human life.”

Critical National Infrastructure is Britain’s Achilles’ heel

The JCNSS report identified the Critical National Infrastructure (CNI) as the Achilles’ heel in the UK’s cyber resiliency. It highlighted “large swathes” of critical infrastructure systems running on outdated software, including “IT systems that are out of support or have reached the end of their lifecycle.”

Additionally, CNI systems depend on vulnerable, privately owned supply chains that a catastrophic ransomware attack could easily disrupt.

“Supply chains are also particularly vulnerable and have been described by the NCA (National Crime Agency) as the ‘soft underbelly’ of CNI. With different CNI operators sharing the same supplier, a single attack could also affect multiple sectors at once, with damaging and widespread consequences,” the report said.

In 2022, an apparent ransomware attack hit a private NHS software supplier, causing widespread disruptions and potentially leaking patient data.

The report urged the UK government to support local authorities and increase funding for the National Cyber Security Centre (NCSC) to establish a dedicated local authority cyber resilience program to secure the supply chains.

Additionally, the government should institute a re-insurance scheme, similar to Flood Re, to help victims recover from a catastrophic ransomware attack.

“Cyber insurance could provide a vital lifeline for ransomware victims, but there is a woeful lack of UK coverage. Premiums are unaffordable and have increased drastically in recent years,” noted the report.

Dr. Ilia Kolochenko, Chief Architect at ImmuniWeb, warned that ransomware could reach pandemic levels: “Good old ransomware may well attain the status of a global cyber pandemic in 2024,” he said. “The underlying infrastructure, spanning from exploits and data encryption malware to cryptocurrency laundering services, becomes readily available as a service on a pay-as-you-go scale.”

UK government risking a catastrophic ransomware attack

The report identified poor planning and the Home Office’s failure to prioritize ransomware as major weaknesses in defending against a catastrophic ransomware attack.

“There is a high risk that the government will face a catastrophic ransomware attack at any moment and that its planning will be found lacking,” the report said.

Despite the looming ransomware threat, the UK government prioritized “small boats,” leaving the ransomware threat “relentlessly deprioritized.”

“Clear political priority is given instead to other issues, such as illegal migration and small boats,” noted the report.

The report’s authors warned that the UK government’s failure to prioritize ransomware could lead to a hostage situation and political interference.

“If the UK is to avoid being held hostage to fortune and avoid electoral interference, it is vital that ransomware becomes a more pressing political priority and that further substantial resources be devoted to tackling this pernicious threat to the UK’s national security,” the report added.

Additionally, it reproached the UK government and law enforcement agencies for providing “next-to-no support” to ransomware attack victims.

Claiming that the Home Office under former Home Secretary Suella Braverman “showed no interest” in addressing the ransomware threat, the report demanded that the Cabinet Office, assisted by the NCA and the NCSC, take over the responsibility under the Deputy Prime Minister’s leadership.

According to Dame Margaret Beckett, JCNSS chair, a catastrophic ransomware attack would be an inexcusable strategic failure for the UK government.

The joint committee also requested the Foreign Office to institute legal action and impose more sanctions on Russia for its sustained cyber attacks and attempts to meddle in British politics.

“Worse, amid the unfolding geopolitical tensions and global uncertainty, law enforcement agencies and prosecutorial authorities have no more possibility to collaborate in complex cross-border investigations of organized cybercrime efficiently,” Kolochenko added.

The report made over two dozen recommendations, including setting up a central reporting center and enacting mandatory reporting rules.

The UK is the third most attacked country after the United States and Ukraine, usually by state-allied groups and financially motivated cyber gangs conveniently operating out of Russia with “the tacit consent of the Russian State.”

“Ultimately, cyber gangs calmly operate from non-extraditable jurisdictions with impunity, enjoying steadily growing income paid by desperate victims,” noted Kolochenko.

In April 2023, the NCSC warned of an emerging threat from state-sponsored groups targeting critical national infrastructure, with some planning “destructive and disruptive attacks.”

The UK government welcomed the report but defended itself, claiming it was “well prepared to respond to cyber threats” and had taken robust action to harden the country’s cyber defenses, including investing £2.6 billion under the Cyber Security Strategy program.