Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), has warned the UK government that it could fall victim to a 9/11-style cyberattack unless it confronts the “scale of the threat” posed by ransomware.
Agreeing with this, Steve Barclay, the UK government minister responsible for cybersecurity, argues that “the greatest cyber threat to the UK – a threat now deemed serious enough to pose a threat to national security – comes from attacks by ransomware”.
With this looming threat of large-scale ransomware attacks targeting the UK government, preparing an adequate defensive strategy will be essential to ensure the UK can withstand such an attack.
Failing to imagine what these threats might look like, and how to prepare for them, could be fatal in the next decade. There are concrete steps the government can take to understand the threat and implement the most appropriate and effective measures.
Understand the threat
First, understanding the magnitude of the threat will inform the actions and decisions taken to defend the government. Ransomware has evolved rapidly in recent years and continues to do so, with a significant increase in double extortion (encrypting data and threatening to leak it), in ransomware delivered through phishing, and in Ransomware-as-a-Service.
Knowing more about the evolution of ransomware, and developing plans for the attacks it makes possible, will begin to paint a full picture of the real threats to the UK government.
However, one of the big problems is that vulnerability scanners come nowhere near detecting every vulnerability that ransomware operators exploit. A failure to be aware of vulnerabilities, particularly those found in legacy applications, coupled with a lack of understanding of the severity of these attacks, could put the UK government at significant risk.
Currently the new National Cyber Strategy is the UK government’s response to cyberattacks and ransomware. The UK government says it is constantly adapting, innovating and investing to protect its interests in cyberspace.
It has pledged to spend £22bn on research and development to put technology at the heart of national security plans, and the creation of the National Cyber Force last year represents a significant step forward in offensive cyber capability. But given the comment from the US CISA that the UK government needs to realise the scale of the threat it faces, is it taking all the right precautions?
Adopt a comprehensive security strategy
Ransomware defences must be holistic across government sectors to have an effective impact. This means a set of best practices, policies and processes that combine secure backup and disaster recovery with action plans for each line of defence.
An effective holistic strategy should include:
- Multi-layered defences – Defence in depth using modern tooling that applies machine learning to behavioural analysis is essential. This supports real-time detection and prevention and, combined with multi-factor authentication and a zero-trust design, reduces the attack surface an intruder can exploit.
- Immutable backups – With ransomware operators now targeting backup files, an attack not only encrypts live data but also renders backups useless. An immutable backup is one that cannot be modified or deleted for its retention period, even by an administrator whose credentials have been compromised. Data Protection as a Service (DPaaS) protects backups by storing them in the cloud, separate from the corporate network. It also minimises downtime and disruption during or after a crisis.
- Knowledge of the landscape – Conducting regular security awareness training for IT teams keeps their knowledge current and helps them create effective security strategy plans.
For the UK government, one of the main attractions of such an approach is the breadth of the estate it covers. We saw the devastating effects ransomware can have on the public sector when the WannaCry attack in 2017 affected 80 hospital trusts and 595 GP practices across England. In such a complex organisation, ensuring that each sector has the same cybersecurity measures in place will create a strong line of defence for the UK government from all angles, giving the best chance of covering vulnerabilities.
Change of societal mentality
Another method the British government must adopt is to raise society’s awareness of such attacks. Currently, there is no law in the UK requiring companies to report ransomware attacks. Steve Barclay comments that “law enforcement teams believe that most attacks go unreported: perhaps out of embarrassment or a reluctance to admit that the money has indeed changed hands”.
Looking to the example of CISA may prove helpful to the National Cyber Security Centre, and to legislators, in gaining a better understanding of current ransomware threats. In March 2022, a bipartisan provision was passed by the US Congress as part of the $1.5 trillion fiscal year 2022 funding bill that requires owners and operators of critical infrastructure to report ransom payments to CISA within 24 hours of making them (and substantial cyber incidents within 72 hours).
Implementing such a mindset through legislation or education would give the UK government greater visibility of attacks, from which it can build effective defences.
The next steps
Ransomware is not going away; it will continue to evolve and become a more dangerous prospect. With the percentage of nation states passing legislation to regulate ransomware payments, fines and negotiations expected to reach 30% by the end of 2025, compared with less than 1% in 2021, this is clearly the beginning of an awareness of the devastating impact that ransomware can have.
However, there is still a long way to go, and the process of implementing defences should be kept under constant review. Ensuring that a holistic approach is taken alongside legislation and a growing awareness of ransomware will help the UK government combat these challenges and properly defend the UK.