UK Parliament launches inquiry into national security strategy around ransomware
An inquiry into whether the United Kingdom’s national security strategy is effectively addressing the threats posed by ransomware held its first evidence session on Monday.
The introductory session aimed to establish “the scale and nature of the threat,” according to Margaret Beckett MP, the chair of the Joint Committee on the National Security Strategy (JCNSS).
It took place while the joint committee — a term that describes committees made up of members from both the House of Commons and the House of Lords — continues to accept submissions of written evidence.
Later hearings are expected to include witnesses involved in different aspects of the country’s response to these attacks, from victims to law enforcement agencies, some of whom will be summoned by the committee and some of whom will be selected based on the written evidence.
What is the scale of the threat?
“There appears to be a general consensus that this threat has gotten worse in recent years, but I think it’s generally acknowledged that there may not be reliable figures on what the scale of the problem is,” said Beckett.
Testimony from the three witnesses — Ollie Whitehouse, the chief technology officer of cybersecurity company NCC Group; Jayan Perera, the principal for cyber incident response at consultancy Control Risks; and Sadie Creese, Professor of Cyber Security at the University of Oxford — offered several key points:
- That there is a lack of visibility into the true “scale” of ransomware attacks targeting organizations in the United Kingdom;
- That despite not knowing the real volume of incidents, other data sources confirm it is a pervasive problem and threat;
- That the visibility offered by so-called “leak sites” fails to show other cyber extortion activities which work by threatening different misuses of stolen data;
- That, pushing against simple obligations around the mandatory reporting of incidents, organizations will only engage with government and law enforcement if doing so returns a clear benefit;
- And that defending against ransomware should be understood within the still-developing scientific approach of the field of cybersecurity.
What did it hear?
The inquiry follows two national security strategy reviews recently published by the British government: the Integrated Review of Security, Defence, Development and Foreign Policy in 2021, which fleetingly identified ransomware as one of the most “pernicious forms of cybercrime”; and this year’s National Cyber Strategy, which described ransomware as “the most significant cyber threat facing the UK” and “potentially as harmful as state-sponsored espionage.”
Whitehouse opened the hearing by citing data published earlier this month by the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) which revealed that 2021 had been a record year for ransomware attacks and payments in the United States.
He noted that the jump to 1,489 reported incidents, up from 487 in 2020, was roughly a 300% increase year-on-year, although NCC Group’s analysis of listings on ransomware extortion sites showed a 7-10% decrease in the number of victims during 2022.
Embedded tweet from Alexander Martin (@AlexMartin), November 28, 2022: “(L-R) @ollieatnccgroup, Jayan Perera, @SadieOxford. All welcome the inquiry.” pic.twitter.com/tzVEnd5iaT
Perera observed that the Russian invasion of Ukraine appeared to have impacted the ransomware-as-a-service (RaaS) ecosystem. Later testimony identified the apparent geopolitical dynamics that disrupted the Conti group when the rival patriotism of its Russian and Ukrainian members led to a leak of chat logs.
Creese repeatedly stressed the economics of the criminal underworld, identifying for instance how supply-chain attacks offered attackers an economy of scale by obtaining multiple victims through one investment.
She also noted how despite the disruption to the Conti group — which was behind attacks targeting the government of Costa Rica — the individuals behind that group were likely still active under different identities, indicating the kind of fluidity that the criminal ecosystem supported.
‘No light at the end of the tunnel’
Baroness Crawley, a member of the House of Lords, raised The Record's report about ransomware incidents being responsible for the majority of the British government's recent Cabinet Office Briefing Rooms (COBR) meetings.
The report explained how, despite months of work, a ransomware “sprint” led by the Home Office, which concluded a year ago, had still not delivered any tangible government actions to tackle the threat.
Officials dealing directly with the ransomware issue told The Record they saw no light at the end of the tunnel, nor any prospect of improvements that could help the U.K. clamp down on the problem.
Perera and Whitehouse both defended the speed with which the government was acting. Creese said: “I'd encourage us to use the concern around ransomware to actually move forwards on cyber resilience more generally, because ransomware is going to incorporate lots of other kinds of cyber threats.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.