Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency (CISA), has warned the UK government that they could be the victim of a 9/11-style cyber-attack unless they face up to the “magnitude of the threat” posed by ransomware.
In agreement with this, Steve Barclay, the UK government Minister responsible for cybersecurity, claims that “the greatest cyber threat to the UK – one now deemed severe enough to pose a national security threat – is from ransomware attacks.”
With this looming threat of large ransomware attacks targeting the UK government, preparing an adequate defensive strategy will be key in ensuring the UK can survive such an attack.
Failure to imagine what these threats could look like and how to properly prepare could be fatal over the next decade. There are certain steps and measures that the government can take to both understand and implement the most appropriate and effective measures.
Understanding the threat
Firstly, understanding the magnitude of the threat will inform the steps and decisions made to defend the government. Ransomware has evolved exponentially in recent years and continues to do so, with significant rises in double extortion, ransom demands, phishing, and Ransomware-as-a-Service.
Learning about how ransomware evolves and mapping out potential plans of attacks will start to build up a wide picture of the real threats posed to the UK government.
However, one of the big problems lies with vulnerability scanners not being able to detect all the vulnerabilities exploited by ransomware. A lack of awareness of vulnerabilities, particularly those found in legacy applications, combined with a poor understanding of the severity of such attacks, could place the UK government at significant risk.
Currently, the new National Cyber Strategy is the UK government’s answer to defending against cyber and ransomware attacks. The UK government claims that they are continuously adapting, innovating, and investing to protect its interests in cyberspace.
Alongside a pledge to spend £22 billion on research and development to place technology at the heart of the plans for national security, the creation of the National Cyber Force last year represents a significant step-up in offensive cyber capability. But with the US CISA commenting that the UK government must realize the magnitude of the threat they face, are they taking all the right precautions?
Taking a holistic security strategy
Ransomware defenses must be holistic across all government sectors to have an effective impact. This means that there is a collection of best practices, policies and processes that combine secure backup and disaster recovery with actionable plans for lines of defense.
An effective holistic strategy should include:
- Multi-layered defenses – introducing multi-layered defenses that use modern technology to leverage machine learning through analysis of behavior is key. This enables real-time detection and prevention tooling; combined with multi-factor authentication and a zero-trust design, it should reduce exposure to vulnerabilities.
- Immutable backups – with ransomware operators starting to target backup files, not only is data encrypted in an attack, but backups are rendered useless, too. Data Protection as a Service (DPaaS) protects backups by storing them in the cloud on a network separate from the organization's own. This also minimizes downtime and disruption during or after a crisis.
- Knowledge of landscape – carrying out regular security awareness training programs for IT teams provides them with the current knowledge that can help create robust security strategy plans.
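The "immutable backups" point above rests on two properties a defender wants from a backup tier: an existing backup can never be overwritten or deleted through the normal write path, and any change made behind the store's back (for example a backup file encrypted by ransomware that reached the underlying storage) can be detected before a restore is attempted. The following Python block is an added illustration of those two properties and is not code from the original article or from any DPaaS product; `ImmutableBackupStore`, `run_demo` and the backup file names are constructed for this example, and the "tampering" step simply overwrites a file on disk to stand in for an encrypted backup.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class ImmutableBackupStore:
    """Write-once backup store (hypothetical class, constructed for this example).

    1. A backup name, once written, cannot be overwritten or deleted via the API.
    2. Every write is recorded in a manifest of SHA-256 digests, so the store can be
       audited for files that changed outside the API before anyone restores from them.
    """

    def __init__(self, root: str):
        self.root = root
        os.makedirs(root, exist_ok=True)
        self.manifest_path = os.path.join(root, "manifest.json")
        self.manifest: dict = {}
        if os.path.exists(self.manifest_path):
            with open(self.manifest_path) as f:
                self.manifest = json.load(f)

    def put(self, name: str, data: bytes) -> str:
        """Store a new backup; refuse if the name already exists (write-once)."""
        if name in self.manifest:
            raise PermissionError(f"write-once store: {name!r} already exists")
        path = os.path.join(self.root, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o444)  # read-only at the filesystem level as well
        digest = sha256_file(path)
        self.manifest[name] = digest
        with open(self.manifest_path, "w") as f:
            json.dump(self.manifest, f)
        return digest

    def delete(self, name: str) -> None:
        """Deletion is never allowed through this API."""
        raise PermissionError("write-once store: deletion is not supported")

    def verify(self) -> dict:
        """Return name -> True if the file on disk still matches its recorded digest."""
        report = {}
        for name, expected in self.manifest.items():
            path = os.path.join(self.root, name)
            report[name] = os.path.exists(path) and sha256_file(path) == expected
        return report


def run_demo() -> tuple:
    """Constructed scenario: write two backups, attempt an overwrite through the API,
    then modify one file directly on disk (standing in for a backup encrypted by
    ransomware). Returns (overwrite_was_refused, verification_report)."""
    with tempfile.TemporaryDirectory() as root:
        store = ImmutableBackupStore(root)
        store.put("db-day1.bak", b"constructed database dump, day 1")
        store.put("db-day2.bak", b"constructed database dump, day 2")

        # A second write to an existing name must be refused by the API.
        try:
            store.put("db-day1.bak", b"replacement content")
            refused = False
        except PermissionError:
            refused = True

        # Modify a backup outside the API; the integrity check must catch it.
        victim = os.path.join(root, "db-day2.bak")
        os.chmod(victim, 0o644)
        with open(victim, "wb") as f:
            f.write(b"\x00" * 32)  # constructed stand-in for ciphertext over the backup

        return refused, store.verify()


if __name__ == "__main__":
    refused, report = run_demo()
    print("overwrite refused:", refused)
    for name, ok in report.items():
        print(f"{name}: {'intact' if ok else 'MODIFIED - do not restore from this copy'}")
```

Running the block shows the overwrite being refused and `db-day2.bak` flagged as modified while `db-day1.bak` stays intact. In a real deployment the manifest would live on the separate network the article describes, so that an attacker who can reach the backup files cannot also rewrite the digests.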
For the UK government, one of the main benefits of taking such an approach is the breadth of coverage it provides. We've seen the devastating effects that ransomware can have on the public sector when the WannaCry attack in 2017 affected 80 hospital trusts and 595 GP practices across England. With such a complex organization, ensuring each sector has the same cybersecurity measures in place will build a strong line of defense for the UK government from all angles, giving the best chance of covering vulnerabilities.
Change in societal mindset
Another method that the UK government needs to adopt is the promotion of societal awareness of such attacks. Currently, there is no law in the UK that dictates that businesses must report ransomware attacks. James Barclay comments that “law enforcement teams believe that most attacks go unreported: perhaps through embarrassment or a reluctance to admit that money has indeed changed hands.”
Turning to CISA's example may prove useful to the National Cyber Security Centre in adopting legislation to gain a better understanding of current ransomware threats. In March 2022, a bipartisan provision was passed by the US Senate as part of the $1.5 trillion FY 2022 funding bill which requires critical infrastructure operators and owners to report ransomware attacks to CISA within 24 hours of making the ransomware payment.
Implementing such a mindset through legislation or education would help the UK government to build up greater visibility to then create effective defenses.
The next steps
Ransomware isn't going away and will continue to evolve and grow into a more dangerous prospect. With the percentage of nation-states passing legislation to regulate ransomware payments, fines, and negotiations expected to rise to 30% by the end of 2025, compared with less than 1% in 2021, this is clearly the beginning of awareness surrounding the devastating impact ransomware can have.
However, there is still a long way to go, and the process of implementing defenses needs to be kept under constant review. Ensuring a holistic approach is taken alongside legislation and a growing awareness surrounding ransomware will help the UK government combat these challenges and properly defend the UK.