In a scathing report released in December 2023, the Joint Committee on National Security Strategy (JCNSS) issued a stark warning that the United Kingdom is alarmingly unprepared for the looming threat of a catastrophic ransomware attack.

Highlighting the nation’s vulnerability to cyber threats, the committee has urged the government to take immediate and substantial action to mitigate the risk posed by ransomware attacks, which it says could bring the country to a standstill.

The report underscores the severe repercussions and potential for destabilisation in the face of a major ransomware assault. Drawing parallels with past incidents like the Russian DarkSide attack on a crucial US oil pipeline in 2021, which led to a state of emergency declaration by President Joe Biden, the committee stresses that the UK’s current level of readiness is inadequate and leaves the nation “hostage to fortune.”

The majority of ransomware attacks against the UK have been attributed to Russian-speaking perpetrators, constituting a significant menace primarily driven by criminal motives for profit rather than state-sponsored espionage or geopolitical sabotage. However, the report cautions that these attacks pose a severe risk to critical national infrastructure, public services like healthcare and child protection, and the economy at large.

Notable Incidents: Threats and Vulnerabilities

Citing examples of recent cyber assaults targeting esteemed institutions such as the British Library and King Edward Hospital, with even threats to leak medical records of the Royal Family, the report sheds light on the vulnerabilities in the country’s systems.

The case of the British Library, which was attacked by a group known as Rhysida, has been a real eye-opener. Fixing up their systems is estimated to cost a whopping £6m to £7m, way more than the £650,000 ransom asked. Moreover, the breach resulted in the exposure of personal data, such as HR records, subsequently surfacing for sale on the internet.

Notably, the report highlights the risks posed by nation-state actors like North Korea’s Lazarus Group, responsible for the 2017 Wannacry attack affecting over 200,000 computers in more than 150 countries.

Critical National Infrastructure at Risk

The report stated, “A major ransomware attack could have a devastating impact on UK citizens and the economy, and undoubtedly represents a major threat to UK national security. A sophisticated ransomware ecosystem has evolved, with criminals able to purchase advanced forms of malware and access points in order to conduct profitable and damaging attacks. This has made it much more widely available to those who wish to inflict harm for profit, and increased the scale of the threat.”

“Last year, Costa Rica was also forced to declare a state of emergency after a month of catastrophic ransomware attacks, affecting its systems for tax collection, customs and social security.”

The committee emphasises that UK critical national infrastructure remains particularly susceptible to ransomware attacks, exacerbated by reliance on outdated legacy IT systems. Despite the staggering potential impact of such assaults, victims often find themselves without adequate support from law enforcement or government agencies.

Urgent Overhaul and Recommendations

Dame Margaret Beckett, Chair of JCNSS, criticised the government’s inadequate response to the imminent threat, highlighting the outdated legislative framework and the lack of resources and capabilities within the responsible agencies. She warned that failure to address these vulnerabilities could result in catastrophic costs and political destabilisation, calling for ransomware to become a higher political priority and demanding increased resources for combating this threat to national security.

In light of these revelations, the committee has recommended a significant overhaul, including the transfer of responsibility for tackling ransomware to the Cabinet Office, bolstering international cooperation against perpetrators like Russia, and urgent reforms to UK regulatory frameworks and cyber insurance policies.