UK Government using an “ostrich strategy” against ransomware, says National Security Committee

In December 2023, the UK’s Joint Committee on the National Security Strategy (JCNSS) published a report entitled ‘A hostage to fortune: ransomware and UK national security’. It gave the UK Government two months to respond to criticism that responsibility for ransomware strategy should be moved from the Home Office where “clear political priority” was “given instead to other issues, such as illegal migration and small boats”.

Instead, the report said, ransomware strategy should switch to the Cabinet Office, in partnership with the National Cyber Security Centre (NCSC) and National Crime Agency (NCA).

The UK Government has now responded – and it’s fair to say that the JCNSS is not impressed. In its published response, Dame Margaret Beckett MP, the chair of the JCNSS committee, accused the Government of operating an “ostrich strategy” and not knowing “the extent or costs of cyberattacks across the country”.

UK Government response to the JCNSS

That Government response runs to some 6,000 words, and its rebuttal to the JCNSS recommendations is clear throughout.

Take, for example, the transfer of responsibility for ransomware strategy away from the Home Office.

“The Home Office leads the cross-government ransomware work under the Threat Pillar of the National Cyber Strategy which is overseen by the Deputy Prime Minister, and works very closely with the MoD and FCDO and the wider community, including law enforcement and the UK intelligence agencies, who also play a significant role in the response to ransomware,” the response states.

It concludes: “There are currently no plans to change this arrangement, and the Home Office remains the lead Department for overall crime.”

JCNSS response to the UK Government

Safe to say that the JCNSS is not swayed by the UK Government’s arguments.

Beckett states: “If the Government insists on operating the ostrich strategy for national cyber-security based on legislation made before the internet arrived, centered on a Department that seems to have difficulty mustering much interest in the issue, and in stark contrast to the cyber-attackers who are so fantastically well co-ordinated and resourced, where is the pro-active national security response to protect the UK supposed to come from?”

A good question. So what do the experts think?

“This was a damning report on the Government, and the response to its findings raises further alarms,” says Mike Newman, CEO of My1Login. “If the findings in the report are correct, it sounds like the UK is highly vulnerable to a devastating ransomware attack.”

Newman warns that an attack targeting utilities, for example, would be a cyber wake-up call. “While some public sector and government organisations are leading the way in prioritising their defences against cybercriminals, there is still a long way to go. Burying heads in response to the threat is not the answer.”


Payment of ransoms

The Government response to the JCNSS report also addresses concerns over payment of ransoms. It states that both the NCSC and the NCA will “continue to support the Home Office in developing proposals to achieve a reduction in ransom payments”.

However, this stops short of the recommendations of some leading cybersecurity experts, including Ciaran Martin, the founding CEO of the NCSC and current professor of practice at the Blavatnik School of Government, University of Oxford, to ban ransomware payments by law.

Writing in The Times, Martin compared ransomware actors to the “heyday of al-Qaeda, Islamic State and their murderous thugs” when ransom payments to terrorists were banned by the UK and US. “This hard-headed approach stands in contrast to the apparently sanguine attitude of British policymakers to the computer thugs hanging out in Russia. Their business is not kidnapping humans, but computer networks and data.”

However, it cannot be denied that this is a complex problem, and a ban on ransom payments could be painful to more than just the ransomware gangs.

“Being stuck between a rock and a hard place is no position any company wants to be in but if the law is directing only one way, then companies can easily fold and the potential of livelihoods lost can make this a damning and forced decision,” warns Jake Moore, a Global Cybersecurity Advisor at ESET. “Although the long-term effects of banning ransom payments may sound idyllic, the path needed to navigate all companies to this ideal is going to be challenging, if not impossible.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.