How big a threat is ransomware to the UK's national security?

In May 2021, a ransomware attack by the Russian hacker group DarkSide forced the shutdown of one of America's largest and most vital oil lines for six days. As a result, US President Joe Biden declared a state of emergency in 17 US states.

Ransomware is a form of malware that is:

• designed to damage and destroy computers and computer systems, usually to facilitate extortion
• increasingly linked to data theft and threats to publish sensitive information online

The UK is one of the most targeted countries in the world. We opened an inquiry into ransomware on 31 October 2022 and have now published our findings. Our report, 'A hostage to fortune: ransomware and UK national security', found that there is a high risk that the country could face a catastrophic ransomware attack at any moment, and that Government planning is found lacking.

If the UK is to avoid being held hostage to fortune, it is vital that:

• ransomware becomes a more pressing political priority
• more resources are devoted to tackling this threat to national security

Vultures, not hawks

The majority of ransomware attacks against the UK are from Russian-speaking perpetrators. The Russian Government’s tacit (or even explicit) approval is consistent with the Kremlin’s disruptive, zero-sum-game approach to the West.

But this is not a straightforward state threat. For many Russian hackers, ransomware is simply an easy way to make large sums of money, with next to no chance of being caught or prosecuted. 

The UK Government is "almost certain" that Russians sought to interfere in the 2019 general election. Meanwhile, the National Cyber Security Centre (NCSC) Review in 2023 found that, with UK and US elections on the horizon, “we can expect to see the integrity of our systems tested again”.

We are now requesting a private briefing from the NCSC on preparation for the election expected next year, and how this support will be provided and delivered.

Significant state-based threats have also emerged from North Korea. The country was responsible for the 2017 Wannacry attack that affected over 200,000 computers in more than 150 countries. Victims included the UK's National Health Service (NHS), as well as:

• US FedEx
• Deutsche Bahn
• Honda
• Nissan
• LATAM Airlines

Despite the number of attacks carried out by the North Korean Lazarus Group, their capabilities have not been eroded by current responses and they remain a persistent threat.

China is now considered the single most significant cyber security actor in relation to UK interests and Iran is described as an “aggressive cyber actor” though with few of the capabilities of Russia.

The British Library experienced a major ransomware attack in November 2023. In the days before we published our report, London's King Edward Hospital was attacked with threats to leak medical records for members of the Royal Family. There were reports that Sellafield, "Europe’s most hazardous nuclear site", had been hacked into by cyber groups closely linked to Russia and China. 

Swathes of UK critical national infrastructure (CNI)—much of which is operated by the private sector—remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems.  Senior National Crime Agency (NCA) officials noted that there is a “soft underbelly” to every organisation that uses a third-party software provider.

 Ransomware can cause:

• severe disruption to the delivery of core Government services, including healthcare and child protection
• ongoing economic losses, and a coordinated and targeted attack has the potential to “bring the country to a standstill”

Victims have found themselves locked out of digital systems. Most victims currently receive next to no support from law enforcement or Government agencies.

The support gaps apply across important elements of the public sector, including:

• local authorities struggling under deep budget cuts
• schools and colleges

This stands in stark contrast to victim support for comparable thefts or ransom demands in the offline world. NCSC and NCA should be funded to provide negotiation, recovery and remediation capabilities to all public sector victims of ransomware, to the point of full recovery.

Cyber insurance could provide a vital lifeline for ransomware victims but there is a woeful lack of UK coverage. Premiums are unaffordable and have increased drastically in recent years.  We recommend that the Government works with the insurance sector to establish a re-insurance scheme for major cyber-attacks, based on the Flood Re model.

 The reputational risk means many victims do not report ransomware attacks, which severely constrains the development of effective responses. The official position is that UK victims should not pay ransoms, but it is the only viable option for many to keep their businesses afloat and prevent damaging data leaks. 

We therefore recommend that the Government urgently establish a central reporting mechanism and explore whether all UK organisations should be obliged to report an attack within three months.

Cyber hygiene

Implementing basic cyber hygiene practices can also mitigate the risk of ransomware, and help shield members of the public from malware. 

The Government’s Cyber Essentials Scheme seeks to improve baseline security among UK businesses and other organisations. However, a Government survey found that only half of surveyed medium-sized businesses and 59% of large businesses had heard of the NCSC’s Cyber Essentials standard in 2022, let alone implement it.

To find out more about increasing your cyber security, follow these links:  

1. 10 Steps to Cyber Security | NCSC.GOV.UK
2.  3 steps to prevent and recover from ransomware | Microsoft Security Blog

UK regulatory frameworks are insufficient and outdated:

• the main legislative framework on cybercrime, the Computer Misuse Act, was introduced before the arrival of the internet
• legislation to reform it was missing from the King’s Speech

But even with improvements, the responsible agencies lack both resources and capability to respond adequately.

The Home Office claims the lead on ransomware as a national security risk and policy issue but we found during our inquiry that former Home Secretary Suella Braverman showed no interest in the issue, with clear political priority given to other issues such as illegal migration and small boats instead.

We are calling for:

• responsibility for tackling ransomware to be transferred to the Cabinet Office, in partnership with the NCSC and NCA and overseen directly by the Deputy Prime Minister
• the Foreign, Commonwealth and Development Office to investigate the possibilities for legal sanctions and international cooperation against Russia, whose approach could constitute another violation of international law

The Government must now respond to our report.

Our report A hostage to fortune: ransomware and UK national security was published on 13 December 2023.

Detailed information from our inquiry can be found on our Committee website.

If you’re interested in our work, you can find out more on the House of Commons Joint Committee on National Security Strategy website. You can also follow our work on X.

The Joint Committee on the National Security Strategy scrutinises the structures for Government decision-making on national security, particularly the role of the National Security Council and the National Security Adviser.