UK faces high risk of "catastrophic" ransomware attack

Lack of planning and investment in cyber security risks bringing country to standstill

The Joint Committee on National Security Strategy (JCNSS) publishes report on the UKs readiness for a cyber-attack on critical national infrastructure. Spoiler alert - it's not great.

The Joint Committee on National Security Strategy (JCNSS) has today published its report on the UKs readiness for a cyber-attack on critical national infrastructure. The title of the report is "A hostage to fortune: ransomware and UK national security," which provides more than a hint as to the contents.

The report lays bare the lack of planning by the Home Office for significant ransomware attack - an attack of which the JCNSS considers the UK to be at high risk. The report warns that such an attack would likely cause "severe disruption" to the delivery of core government services, including healthcare and child protection, and has the potential to "bring the country to a standstill."

There have been numerous cybersecurity compromises in the public realm of late, including on several police forces and on St Helens council.

The National Cyber Security Centre (NCSC) describes critical national infrastructure (CNI) as national assets that are essential for the functioning of society, including energy supply, water supply, transportation, health and telecommunications. The report summary states the concerns of the committee about the more cash strapped aspects of CNI such as health and local government. These are run largely on legacy infrastructure and the awareness and enforcement of cybersecurity are typically poor. The report notes the vulnerability of supply chains and the poor implementation of existing cyber resilience regulations.

In a withering assessment of UK preparedness, JCNSS chair Dame Margaret Beckett said:

"The UK has the dubious distinction of being one of the world's most cyber-attacked nations.

"It is clear to the committee that the Government's investment in and response to this threat are not equally world-beating, leaving us exposed to catastrophic costs and destabilising political interference.

"In the likely event of a massive, catastrophic ransomware attack, the failure to rise to meet this challenge will rightly be seen as an inexcusable strategic failure.

"Our main legislative framework is irresponsibly outdated and Government missed another chance to rectify this in the latest King's Speech.

"The agencies tasked with detecting, responding to and recovering from ransomware attacks - and degrading further attack capabilities - are under-resourced and lacking key skills and capabilities.

"If the U.K. is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the U.K.'s national security."

Ransomware, and the risks it poses to CNI are the responsibility of the Home Office, but the report states that the former Home Secretary Suella Braverman showed no interest in this critical component of national security. The report recommends that in line with other aspects of cyber security, responsibility for tackling ransomware should be transferred to the Cabinet Office, in partnership with the NCSC and NCA, and overseen directly by the Deputy Prime Minister.