Land Rover Discovery 4 being built at Solihull plant. Image: Land Rover MENA via Wikimedia Commons (CC BY 2.0)

Cyberattack on Jaguar Land Rover threatens to hit British economic growth

The disruption caused by a cyberattack on Jaguar Land Rover (JLR) risks damaging Britain’s economic growth and highlights how the government’s hands-off approach to cybersecurity regulation is potentially leading to more serious incidents, according to experts. 

JLR is one of the British economy’s most significant manufacturers, accounting for roughly 4% of all goods exports last year. The company’s operations have been “severely disrupted” by the attack with many of its own workers instructed to remain home until at least Tuesday. Reports suggest thousands of additional staff at supply-chain businesses are also being temporarily laid off due to the shutdown. According to The Times, company insiders are concerned the disruption could last beyond September.

“This is more than a company outage — it’s an economic security incident,” said Lucas Kello, the director of the University of Oxford's Academic Centre of Excellence in Cyber Security Research. “If disruption drags on for weeks or months, it imperils the government’s central growth mission. How can Britain achieve ‘the highest sustained growth in the G7’ if its top exporting sector stalls?”

The disruption is the latest to hit a high-profile brand in the United Kingdom, and follows repeated delays in the British government introducing cybersecurity regulations that would require businesses to better protect themselves from attacks.

A government spokesperson explained the delays were purposeful attempts to avoid over-regulating, stating: “Constant government interference puts a stranglehold on businesses, which is why we are focused on only intervening when we absolutely have to. With the support and free advice we have already made available to businesses, they are on a stronger footing to safeguard themselves and deal with disruption.”

Intel agencies warned the tech secretary

In recent years, British intelligence has repeatedly made public and private warnings that the threat posed by hackers to British enterprises and critical infrastructure is increasing. There are growing concerns that the government’s response to those warnings has been insufficient, and that politicians are failing to comprehend and address the issue.

Within hours of his appointment as the technology secretary last year, Peter Kyle said he was made “very, very aware that there was a cybersecurity challenge that our country faced that I simply wasn’t aware of before becoming secretary of state,” as he later told The Guardian.

Recorded Future News has learned that Kyle was taken to a secure location known as a SCIF (sensitive compartmented information facility) and given a classified briefing by the two most senior cyber officials in British intelligence, the head of GCHQ and the head of the National Cyber Security Centre. This has not previously been reported.

The briefing they delivered to him — which Recorded Future News understands included secret details about Chinese operations targeting British critical infrastructure — prompted him to take action by bringing forward the government’s new Cyber Security and Resilience Bill, he told The Guardian.

More than a year later, that bill has yet to be introduced to parliament, despite an original version being drafted and ready three years ago under the last government. A cabinet reshuffle this month saw Kyle appointed as Secretary of State for Business and Trade without having addressed the cybersecurity challenge he said he had been made aware of.

The government disputes that there have been delays in action, with a spokesperson highlighting its publication of a code of practice “to support boards and directors in governing cybersecurity risks.” Despite this, the lack of legislation appears to be driving frustration within Britain’s cybersecurity agency, with two senior officials from the NCSC calling for a “strategic policy agenda” earlier this year in a blog post explicitly setting out the need for more political attention on cybersecurity.

Kello told Recorded Future News that he believed “until parliament enacts the Cyber Security and Resilience Bill (CSRB) and regulators hardwire supply chain controls, attackers will continue to exploit gaps faster than defenders can close them.”

Jamie MacColl, a senior research fellow in cyber at the Royal United Services Institute (RUSI) think tank, told Recorded Future News that the CSRB “needs to be prioritized on the legislative agenda and I would be putting pressure on officials to make sure they’re selling the importance of it to MPs and trying to minimize too many amendments.”

MacColl added he would also like to see the government create “an actionable plan for what the UK is going to do to address failures in the technology market and how this is going to align with international partners, particularly the EU.

“The UK was an early leader on issues like secure-by-design but has now fallen behind. Getting out of the current cyber policy rut is going to require a Secretary of State who is genuinely motivated to do what is necessary to improve systemic cybersecurity challenges in the UK.”

Priority is preventing catastrophe 

Government officials who have spoken to Recorded Future News have said the current priority within Whitehall is addressing the harm posed by the most severe attacks — such as a catastrophic disruption of the national electricity transmission system.

“It is understandable — and pragmatic — for the government to focus the greatest concern on potential catastrophic or Category 1 events; particularly given the risks of threat-to-life and societal functions,” said Gareth Mott, also a senior research fellow at RUSI.

But he cautioned there could be a disconnect between the actual economic and social impact of cyber incidents below this catastrophic threshold and the way that the government was actually prepared to respond to them.

“Had armed assailants held the Solihull JLR production site to ransom, the UK state would presumably have taken a forceful hands-on approach to the resolution of perimeter and personnel security, the conduct of negotiations and the expedited prosecution of the assailants.

“With a below-threshold cyber breach, however, there is a tendency for government representatives to be ‘in the room’ as observers, rather than all-hands-on-deck,” said Mott.

Kello said “more severe cyberattacks than the shutdown of a leading national exporter are conceivable,” but that the incident hitting JLR “already exposes strategic economic risk. A country that can’t keep its factories running can’t keep its growth pledge.”

“Of course, the UK government cannot realistically resource the cybersecurity of the entire UK economy,” said Mott. “Additionally, large corporations may prefer a government hands-off approach. Nonetheless, the ability of criminal actors to remotely disrupt business operations highlights the pernicious role of the cybersecurity deficit as an Achilles Heel of the growth agenda.”

“There is a gulf between rhetoric and implementation,” said Kello. “We’ve had years of consultation on reforms many experts agree on, yet no statute. Crises should be catalysts. If this one isn’t used, we’ll simply be waiting for the next one.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.