JCNSS: Government’s “ostrich strategy” in response to large and imminent national cyber-threat does not reassure

Today, the Joint Committee on the National Security Strategy publishes the Government’s Response to its year-long inquiry into ransomware. Commenting on the Government’s Response, the Chair of the JCNSS expresses the Committee’s ongoing, deep concerns that Government short-termism and lack of preparation and planning are leaving the UK wide open to a severely damaging ransomware attack - with consequences that vary from ongoing damage to the economy and productivity to the real possibility of a national emergency.

Dame Margaret Beckett MP, Chair of the Committee, said: “Perhaps it is not surprising that Government is not focused on preparing for the acknowledged, extremely high risk of a destructive and ruinously costly cyber-attack on the UK. Despite its place at the top of the UK’s national risk register for years, our national response to the pandemic when it inevitably hit could fairly be categorised as shambolic. 

“In this response to our ransomware report, it is ever clearer that Government does not know the extent or costs of cyberattacks across the country - though we’re the third most cyber-attacked country in the world – nor does it have any intention of commensurately upping the stakes or resources in response. 

“If the Government insists on operating the ostrich strategy for national cyber-security - based on legislation made before the internet arrived, centered on a Department that seems to have difficulty mustering much interest in the issue, and in stark contrast to the cyber-attackers who are so fantastically well co-ordinated and resourced - where is the pro-active national security response to protect the UK supposed to come from? 

“The UK is and will remain exposed and unprepared if it continues this approach to tackling ransomware. This response from the Government is not the assurance the Committee sought or that the country needs, and all the responsible and coordinating Departments would benefit from going away and reconsidering how the UK is to defend against this most pernicious threat.”

Following this Government response, the Committee intends to continue to monitor and follow up on issues raised in its report, especially in the areas where well-founded recommendations to enhance critical elements of national security have been rejected out of hand. It will also encourage the successor Committee appointed after the upcoming General Election to continue to follow up and monitor progress against this report’s recommendations. In particular:

• The Government continues to insist that all is well in the regulatory model while the regulators charged with implementing it say limitations in their capabilities and in the regulations themselves are preventing some of them from making full use of the powers they do have. 42% of operators of essential services have said they don’t have the skills and capacity to deliver their obligations under the NIS Regulations. After a painfully delayed consultation the UK still continues to rely on an act of Parliament created before the advent of the internet itself as its main legislative tool against cybercrime.

• Government must come forward with a new offer, particularly to local authorities - in conjunction with the NCSC; through pro-bono schemes with the private sector; through better resourcing for the National Crime Agency and sharing its expertise on ransom negotiations; through work with the insurance sector to make the massive costs of response, recovery and remediation of cyber-attacks more feasible for the ever-expanding groups of victims.

• The Government does not acknowledge how unaffordable the insurance market can be for some cyber-attack victims - local authorities and small companies are among the notable examples – and the Government does not agree that public intervention in this market is necessary, It instead suggests that the roll out of the National Cyber Strategy should begin to reduce claims and therefore lower premiums: despite the Committee’s report highlighting both the rapid recent growth of costly cyber-attacks and the Government’s lack of understanding of the frequency and type of attacks that are actually occurring or how often or what amounts of ransoms are being paid.

• The Committee will continue to monitor whether government work does lead to the better reporting of cyber and ransomware attacks that might begin to fill these gaps in Government knowledge and improve its strategic responses.

• The Committee has heard worrying evidence of exactly how unprepared and unsupported UK local authorities are in facing cyber-attacks that could cripple or temporarily cease essential local services - and that the Government is fully cognisant of this. But there is nothing in the response to address or assuage those concerns, there is no offer to counter the lack of resourcing and skills at local level; no offer of enhanced help for the responsible authorities or the populations that would be affected.  

• It is welcome that the Competition and Markets Authority review will integrate the report recommendations: the Committee expects to see the outcomes of this reflected in forthcoming urgent legislation.

• The Committee will seek to assess whether the assertions made by Government in rejecting key recommendations - that the National Cyber Strategy will reduce the number and size of cyber-attack insurance claims, obviating the need for Government intervention in that insurance market; that the fragmented approach to regulation and enforcement across Government is effective; that the proposed 21% resource uplift for the NCA is commensurate with the resource needed to tackle cybercrime - are borne out in evidence, and continue to press for the recommended interventions to be implemented where it is not.

Notes:

• For full inquiry information, including the original report, all oral and written evidence and correspondence received and the Government’s response, please see here Inquiry: Ransomware
• Since the report was published, we have received further correspondence on the issue of cyber-security insurance: you can find that here under "other publications"