New report highlights UK ransomware vulnerability

• 18 Dec 2023
• Kieran

• Article
• The organisational environment
• Policy and programme management
• 0

  Comment

A report by the UK Parliament's Joint Committee on the National Security Strategy (JCNSS)^[1] has demonstrated the vulnerabilities of the country to a ransomware attack.

Regarding national resilience to this threat, the report has highlighted how critical national infrastructure (CNI) remains vulnerable despite efforts by both the government and National Cyber Security Centre (NCSC) to boost cyber resilience. The need to update legacy infrastructure is one of the key concerns, as threat actors look to target older systems that were never designed to be incorporated into digital transformation plans and, as such, may use less secure software. This is a particular concern for the NHS, according to the report, since it operates vast amounts of legacy infrastructure but many hospital trusts have insufficient funds to invest in the upgrades required. 

The report also raises concerns about the supply chains of organizations representing CNI. The report highlights a particular concern regarding shared dependence on third-party providers, since if multiple areas of CNI share a supplier, a single attack could affect multiple sectors at once.

“The net result of these vulnerabilities is that, if too many CNI operators were to fall victim at once, the UK might struggle to respond,” states the report.

Improving regulator capabilities

Achieving cyber resilience is a complex task and requires investment in technical measures as well as alignment to policies and best practice. This is evidenced in the BCI Cyber Resilience Report 2023, where 60.7% of respondents were found to be complying with some form of industry regulation^[2]. Therefore, it is positive that the government imposed cyber resilience requirements on CNI operators through regulation in 2018 and is also planning to deliver new standards for CNIs by 2025. 

However, the JCNSS report has found ‘significant issues’ with the implementation of the current regulations, partly down to the capability of the relevant regulator. Therefore, the report has recommended exploring the feasibility of a cross-sector regulator to oversee the implementation of CNI cyber resilience regulation.

Taking the lead on ransomware

The BCI Horizon Scan 2023 Report^[3] showed that cyber-attacks were the main concern for organizations in the years ahead. Exploring ransomware in particular, the Horizon Scan Report showed that organizations are still struggling to approach this issue and are unsure how to engage with government bodies and unsure of which policies to follow.

Despite this, the report concludes that “there is a high risk that the government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking.”
In addition, the report notes a lack of leadership engagement with the topic from a practical perspective. The Home Office has responsibility for ransomware policy development but witnesses for the JCNSS report suggest that policy priorities lie elsewhere and ransomware initiatives, such as 2022’s ‘ransomware sprint’, appear to lack any ‘discernible policy outcomes’. 

As a result, recommendations have been made to move responsibility from the Home Office to the Cabinet Office “in order to ensure that it is treated as a cross-government national security priority.”

Citations

[1] https://publications.parliament.uk/pa/jt5804/jtselect/jtnatsec/194/summary.html
[2] https://www.thebci.org/resource/bci-cyber-resilience-report-2023.html
[3] https://www.thebci.org/resource/bci-horizon-scan-report-2023.html

More on

• Business Continuity
• Information technology and Cyber Security
• Business threats and horizon scanning

About the author

Kieran Matthews

Content Creator, The BCI