UK Downplays Ransomware Threat at Its Peril, Says CommitteeParliamentary Committee Says UK Must Be More Aggressive
A U.K. parliamentary committee investigating ransomware threats recommended a more aggressive stance against threat actors and said the government should consider making incident reporting mandatory and provide government support for public sector victims "to the point of full recovery."
The Joint Committee on the National Security Strategy in a report published in the first minutes of Wednesday also recommended creating a government backstop for cyber insurance and making the deputy prime minister responsible for efforts to improve the country's resistance to cyber extortion. The committee warned that a coordinated attack could cause "severe damage" to public services. The Home Office, committee members wrote, appears to show little or no interest in the issue.
"There is a high risk that the government will face a catastrophic ransomware attack at any moment and that its planning will be found lacking," the committee wrote. "It is vital that ransomware becomes a more pressing political priority."
In an investigation spanning more than a year, the committee heard from multiple stakeholders, including the director general of the U.K's National Crime Agency, cybersecurity and insurance executives, and a former acting U.S. deputy attorney general (see: UK Companies Fear Reporting Cyber Incidents, Parliament Told).
The committee goes against the position of the National Crime Agency by recommending that the government consider requiring all ransomware victims to notify authorities within three months of an incident. Graeme Biggar, head of the NCA, told the committee that he doesn't know of other crimes in which victims must report an incident - but the committee wrote that with ransomware, not enough incentives exist for victims to come forward, "making it difficult to understand fully the nature and scale of the threat, and how best to tackle it." Only between 2% and 10% of cybercrimes come to the attention of law enforcement, the committee said.
With or without a reporting mandate, the government should establish a central reporting mechanism, it added.
The committee also recommended funding more resources for the NCA and the National Cyber Security Center so they can support public sector victims to the point of full recovery. The NCSC should also investigate whether it could establish an industry-led effort that provides free ransomware recovery assistance to charities and small businesses.
The NCA comes in for additional criticism in the report, in which members report that only 5% of the agency's workforce constitutes the National Cyber Crime Unit. The agency should receive more funding to take the ransomware fight to threat actors in ways such as through infiltration and disruption, the committee wrote. It quoted a statement submitted by think tank Royal United Services Institute that "the government cannot simply build a big wall around the U.K. through resilience-building measures alone."
Making ransomware a larger political priority should involve transferring responsibility for tackling anti-ransomware efforts form the Home Office into the Cabinet Office, where it should be directly overseen by the deputy prime minister, the committee said. The Home Office, where responsibility currently resides, does not prioritize the issue, and a 2022 government ransomware "sprint" led by the Home Office "resulted in no discernible policy outcomes."
In the Cabinet Office, the issue could be treated as a cross-government national security priority, the report states.
Boosting the UK Cyber Insurance Market
The report characterizes U.K. cyber insurance as being "in an extremely poor state," in which insurers are raising premiums and, for those who can afford it, demand outstrips capacity. An association of local authorities in England and Wales told the committee that the high price of cyber insurance leads many council leaders to instead spend their limited funds on resilience.
Committee members said that due to the "woeful lack of U.K. coverage" and unaffordable premiums, the government should work with the insurance sector on establishing a public sector reinsurance plan similar to flood insurance.
The recommendation faces an uphill battle, at least in the Conservative government of Prime Minister Rishi Sunak. Deputy Prime Minister Oliver Dowden told the committee "its principal position is that it does not intervene to assume liability for risks where the market could feasibly perform this function."