Report: UK faces high risk of catastrophic ransomware attack
A parliamentary committee notes Britain’s vulnerability due to inadequate planning and insufficient investment
The UK government faces a heightened risk of a “catastrophic ransomware attack” capable of “bringing the country to a standstill” because of inadequate planning and insufficient investment, a parliamentary committee has warned. In a critical report, the joint committee on the national security strategy emphasized the potential for a debilitating cyber-attack on the country’s critical national infrastructure (CNI) at any moment. The National Cyber Security Centre (NCSC) defines CNI as vital national assets encompassing energy supply, water supply, transportation, health, and telecommunications.
Recent ransomware incidents affecting UK public services include a cyber-attack on the NHS last year, resulting in the compromise of patient data. In 2020, Redcar and Cleveland council experienced a ransomware attack, leading to a nearly three-week lockout from its systems. One councillor disclosed that the estimated cost for repairs ranged between £11 million and £18 million.
The report highlighted the government’s insufficient investment in averting extensive cyber-attacks and censured the Home Office, responsible for ransomware policy, and former Home Secretary Suella Braverman for neglecting to prioritize the issue.
The committee criticized Braverman for displaying no interest in ransomware, emphasizing that clear political priority was allocated to other concerns, such as illegal migration and small boats. Additionally, the committee observed that the UK’s critical national infrastructure (CNI) relies on private, third-party IT systems, rendering it susceptible to cyber-attacks.
The report cautioned that future ransomware attacks could present a “threat to the physical security or safety of human life” if cyber attackers succeed in disrupting critical national infrastructure (CNI) operations. Additionally, the report raised concerns about the potential interception of “cyber-physical systems,” highlighting the possibility of hackers taking control of the steering and throttle of a shipping vessel—an attainable feat demonstrated in laboratory experiments.
The NHS was singled out as a particularly susceptible target due to its extensive reliance on a “vast estate of legacy infrastructure,” encompassing “IT systems that are out of support or have reached the end of their lifecycle.” The committee underscored that the health service faces challenges in implementing even “simple upgrades” due to deteriorating IT services and a lack of investment.
Harjinder Singh Lallie, a cybersecurity reader at the University of Warwick, expressed that a ransomware attack on the NHS could have repercussions on appointments, patient medical records, and staff payment systems. “It could honestly be such a wide range of things. Any one of those could bring the NHS to its knees,” he remarked.
Lallie suggested that if operating systems and computer hardware underwent upgrades approximately every three to four years, the overall costs and disruptions would be minimized.
According to the committee, citing the National Cyber Security Centre (NCSC), most ransomware groups targeting the UK are “based in and around Russia” and enjoy “the tacit consent of the Russian State.” Additionally, ransomware groups in North Korea and Iran were identified as posing a threat to the UK.
Lallie commented on the current issue with Russia, stating, “The problem we have with Russia right now is because we’ve thrown our weight behind Ukraine, we’ve become a target.”
Margaret Beckett, chair of the joint committee, remarked, “The UK, unfortunately, holds the status of being among the most targeted nations in the world for cyber attacks. It is evident to the committee that the government’s investment in and response to this threat do not match global standards, exposing us to potential catastrophic costs and destabilizing political interference.
“In the likely scenario of a massive, catastrophic ransomware attack, the failure to effectively confront this challenge will rightly be viewed as an inexcusable strategic failure.”
A government spokesperson responded, stating, “The UK is well-prepared to address cyber threats and has taken decisive action to enhance our cyber defenses, investing £2.6bn under our cybersecurity strategy and implementing the first-ever government-backed minimum standards for cybersecurity through the NCSC’s cyber essentials scheme.”