A parliamentary committee notes Britain’s vulnerability due to inadequate planning and insufficient investment
The UK government faces a significant threat of a “catastrophic ransomware attack” that could “halt the country” due to inadequate planning and insufficient investment, according to a critical report from the joint committee on the national security strategy. The report highlights the potential for a debilitating cyber-attack on the country’s critical national infrastructure (CNI) at any time. The National Cyber Security Centre (NCSC) defines CNI as crucial national assets vital for societal functioning, encompassing energy supply, water supply, transportation, health, and telecommunications.
Recent ransomware incidents targeting UK public services involve the NHS, where a cyber-attack exposed patient data last year. In 2020, Redcar and Cleveland council experienced a ransomware attack, resulting in nearly three weeks of system lockdown. A council member mentioned being informed that repairing the damage could cost between £11 million and £18 million.
The report highlighted the government’s insufficient investment in preventing large-scale cyber-attacks. It criticized the Home Office, responsible for ransomware as a policy issue, and former Home Secretary Suella Braverman for not prioritizing the matter. The committee noted Braverman’s lack of interest in ransomware, citing a political focus on issues like illegal migration and small boats. Additionally, the report emphasized the vulnerability of the UK’s critical national infrastructure (CNI) due to reliance on private third-party IT systems.
The report raised concerns that future ransomware attacks could jeopardize physical security or human life if cyber-attackers sabotage CNI operations. It also warned of potential interception of “cyber-physical systems,” such as hackers taking control of the steering and throttle of a shipping vessel, a feasibility demonstrated in laboratory experiments.
The NHS emerged as a notably susceptible target, with emphasis on the health service’s dependence on an extensive legacy infrastructure. This includes IT systems that are either unsupported or have reached the end of their lifecycle. The committee pointed out that the health service is hindered in carrying out even basic upgrades due to deteriorating IT services and inadequate investment.
Harjinder Singh Lallie, a cybersecurity expert and lecturer at the University of Warwick, highlighted the potential impact of a ransomware attack on the NHS, affecting appointments, patient medical records, and staff payment systems. He emphasized the broad range of consequences, any of which could severely disrupt the functioning of the NHS.
Lallie suggested that regularly upgrading operating systems and computer hardware every three to four years could reduce overall costs and minimize disruption.
The committee, referencing the National Cyber Security Centre (NCSC), stated that the majority of ransomware groups targeting the UK are located in and around Russia. These groups purportedly benefit from the tacit approval of the Russian state. Additionally, the committee identified ransomware groups in North Korea and Iran as posing threats to the UK.
Lallie remarked, “Our current issues with Russia stem from our support for Ukraine, making us a target.”
Margaret Beckett, chair of the joint committee, commented, “The UK holds the dubious distinction of being one of the most cyber-attacked nations globally. It is evident to the committee that the government’s investment in and response to this threat do not match the world-class standard, leaving us vulnerable to substantial costs and disruptive political interference.
“In the probable occurrence of a large-scale, catastrophic ransomware attack, the failure to adequately address this challenge will rightly be viewed as an inexcusable strategic failure.”