UK.gov's “ostrich” approach to cybersecurity leaves country “exposed and unprepared”
Departments need to go away and rethink how to protect country from ransomware
The UK government is taking an “ostrich strategy” to ransomware and cyberthreats, leaving the nation without a proactive national security response, a furious committee of parliamentarians has claimed.
The Joint Committee on National Security Strategy savaged the government’s approach to cybercrime in its report “A Hostage to Fortune: Ransomware and UK National Security Strategy” in December, noting that while the UK was the third most targeted country in the world, the country remained woefully unprepared.
The UK’s critical national infrastructure remained vulnerable to ransomware, “particularly in sectors still relying on legacy IT systems”, it said. Likewise, authorities were relying on legacy law in the shape of the Computer Misuse Act.
Meanwhile, most victims received “next to no support” from either law enforcement or government agencies. Amongst other things, the committee called for the government to consider a national regulator for CNI network and information systems, and for responsibility for tackling ransomware to be shifted from the Home Office to the Cabinet Office.
In its response, published today, the government rejected calls for a single regulator. It said pricing for insurance was an issue for insurers, but it expected to see reduced claims and premiums as the national cyber strategy continues. It added that the upcoming Criminal Justice Bill included measures to allow UK law enforcement to suspend domain names and IP addresses used for serious crime. And the Home Office will continue to take the lead on ransomware.
Dame Margaret Beckett, chair of the Joint Committee on National Security Strategy, tore into the government’s response, writing: “It is ever clearer that Government does not know the extent or costs of cyberattacks across the country - though we’re the third most cyber-attacked country in the world – nor does it have any intention of commensurately upping the stakes or resources in response.”
The government was, she wrote, intent on “operating the ostrich strategy for national cyber-security - based on legislation made before the internet arrived, centred on a Department [the Home Office] that seems to have difficulty mustering much interest in the issue, and in stark contrast to the cyber-attackers who are so fantastically well co-ordinated and resourced.”
This all will leave the UK “exposed and unprepared” when it comes to ransomware, and “all the responsible and coordinating Departments would benefit from going away and reconsidering how the UK is to defend against this most pernicious threat.”
Beckett noted that 42 percent of operators of essential services recognised they didn’t have the skills and capacity to meet their NIS Regulations obligations. She highlighted how exposed local authorities are and said the government had yet to acknowledge this. Victims would benefit from help from the NCSC, pro-bono collaborations with the private sector, and better resourcing for the NCA. She also said the NCA would share its expertise on ransom negotiations.
She blasted the government for failing to acknowledge that the cyber insurance market was simply unaffordable for many and for failing to intervene in the market. Rather, the government was claiming the National Cyber Strategy would reduce claims and lower premiums – despite the government having little understanding of the level of attacks or ransoms paid.
For all its fury, it’s debatable how much effect the committee will have in an election year. As the original report noted, previous home secretaries have shown scant interest in cybersecurity, preferring to focus on illegal immigration and small boats. That doesn’t seem likely to change, at least under this government.
Beckett herself will step down as an MP at the next election, 50 years after she first took up a seat in the house.