A 72-page report produced by the Joint Committee on the National Security Strategy has criticised the UK’s ability to cope with ransomware attacks. It finds that “large swathes of UK critical national infrastructure (CNI) remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems”, and that cash-strapped sectors such as health and local government, along with their supply chains, are particularly vulnerable; the National Crime Agency (NCA) has described these as the ‘soft underbelly’ of CNI.

The report was published in December last year and casts a grim light on the state of UK critical national infrastructure when it comes to ransomware attacks.

The report states that “as a result of these vulnerabilities, a coordinated and targeted attack has the potential to take down large parts of UK CNI and public services, causing severe damage to the economy and to everyday life in the UK”.

The report also singles out the Home Office for criticism, saying that “The Home Office claims the lead on ransomware as a national security risk and policy issue, but the former Home Secretary [Suella Braverman] showed no interest in the topic. It has been suggested by some observers that clear political priority in the Home Office is given instead to other issues, such as illegal migration and small boats.”

Recommendations

The report doesn’t just criticise the state of UK resilience; it also recommends a number of actions to help the UK become a safer place. These recommendations include:

  • Scoping the feasibility of establishing a cross-sector regulator for CNI cyber resilience
  • Holding regular national exercises to prepare for the impact of a major ransomware attack affecting multiple CNI sectors
  • Engaging CNI operators to stress-test their response and ensure a swift recovery
  • Funding the NCSC (National Cyber Security Centre) and the NCA to establish an enhanced, dedicated local authority resilience programme
  • Working with the insurance sector to establish a re-insurance scheme for major cyber-attacks
  • Establishing a central reporting mechanism for ransomware attacks

The report also looks at the wider Government activities including the National Cyber Strategy (NCS) and the Computer Misuse Act.

With regard to the National Cyber Strategy, the report states that whilst the strategy is ambitious, the Government’s progress against it is currently poor. It suggests that the National Audit Office should review the implementation of the NCS, and that the Government should establish a National Security Council sub-committee to oversee progress against each of the Strategy’s five ‘pillars’ at least twice per year.

The report also urges the Government to update the Computer Misuse Act 1990, which is now over 30 years old and, in the Committee’s view, no longer fit for modern purposes.

UK CNI

National Infrastructure consists of those facilities, systems, sites, information, people, networks and processes necessary for a country to function and upon which daily life depends. It also includes some functions, sites and organisations which are not critical to the maintenance of essential services, but which need protection due to the potential dangers they could pose to the public in the event of an emergency (civil nuclear and chemicals sites, for example).

Some parts of the National Infrastructure are judged to be critical to the functioning of the country. This Critical National Infrastructure (CNI) includes buildings, networks and other systems that are needed to keep the UK running and provide the essential services upon which we rely (e.g. energy, finance, telecoms and water services). It also includes infrastructure which, if disrupted, could have a significant impact on our national security, national defence, or the functioning of the state. A significant proportion of our CNI is privately owned.

The UK defines 13 sectors as Critical National Infrastructure: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water.

Several sectors also have defined sub-sectors. The Emergency Services sector, for example, is split into Police, Ambulance, Fire and Rescue Services, and His Majesty’s Coastguard.

UK MoD – worst for Cyber Security

In a separate disclosure, the Ministry of Defence, itself a key part of UK CNI, has been identified as the worst of all Whitehall departments when it comes to protecting its systems, especially legacy ones.

In November last year, Matt Rodda, Labour MP for Reading East and shadow minister for AI and intellectual property, asked the Secretary of State for the Home Department about the number of red-rated systems across Whitehall departments.

In response to this question, it was revealed that:

  • The MoD was the worst offender with 11 systems rated as red
  • The Department for Work and Pensions (DWP) has 6 red-rated systems
  • The Ministry of Justice has 5 red-rated systems
  • The Home Office and Cabinet Office have 4 red-rated systems each
  • Defra, the Foreign Office, the Department for Business and Trade, and the Department for Education all have 1 red-rated system

A red rating is the most severe rating, given to equipment and systems that are exposed to critical levels of risk, including potential security breaches, and that are also operationally inefficient and unsuitable for day-to-day business needs.