UK at high risk of catastrophic cyberattack

• House of Commons Committee declares UK at “high risk of catastrophic cyberattack.”
• Fractured legacy technology infrastructure and an evolving cyberthreat pinpointed as urgent issues.
• The issue will be dwarfed by the UK’s economic woes at the next election.

“Poor planning and a lack of investment.” According to the more acid-tongued political observers in the UK, that’s a judgment that could be applied to any number of areas of any current government. But there’s a difference between the judgment of media observers and the pronouncements of the UK’s Joint Committee on the National Security Strategy.

The Committee, comprised of members of both the UK’s elected chamber (House of Commons) and its appointed chamber (House of Lords), has drawn attention to a paucity of both government funding and strategic planning for the cyber-safety of the nation, saying the country’s critical national infrastructure is “at high risk of a catastrophic cyberattack.”

Few in the House of Commons dare to use the word “catastrophic” without proof to back up the term. Doing so tends to be thought frivolous, and can end the career of any Chicken Little Member of Parliament (MP) who cries that the sky is falling in when it turns out not to be. It should be stated, however, that Committee pronouncements are commonly accepted to be a conduit through which more partisan language and thought might flow. The two chambers of the UK Parliament are traditionally more reticent.

The proof behind the Committee’s assertion is set out in its report. It acknowledges three significant factors that make the UK’s critical national infrastructure especially vulnerable, leaving a fourth unspoken but the province of observer gossip.

Vulnerability #1: fractured legacy technological layers.

Technology in the UK’s critical national infrastructure (CNI) is not only dependent on legacy equipment, but on layers of legacy equipment, some of which are not interoperable across departments, geographical sites or timeframes. That’s down to a lack of consistent funding and determination over time, meaning a large problem has been poorly addressed with piecemeal solutions.

The report explains that:

“• In the context of ‘ever-increasing digitalization of the UK’s CNI operations,’ many CNI operators are still operating outdated legacy systems. According to Thales, it is ‘not uncommon’ to find aging systems within CNI organizations with a long operational life, which are ‘not routinely updated, monitored or assessed.’ The increase in hybrid and remote working also brings additional risks.

• Legacy operational technology (OT) poses a particular challenge: digital transformation is resulting in these assets, which were ‘never designed with smart functionality in mind,’ being ‘overlayed with IT and hyperconnectivity.’ OT systems are ‘much more likely to include components that are 20-30 years old and/or use older software that is less secure and no longer supported”.

Thales is seeing ‘increased [threat actor] activity across all of the critical national infrastructure sectors,’ with a move towards attacks on certain types of OT. Reliance on digital systems also means that attacks against operators’ wider IT systems can force companies to shut down their OT—as in the case of the US Colonial Pipeline attack, in which the affected systems were responsible for corporate functions such as billing and accounting.’”

It is worth noting, however, that Thales is a long-standing government contractor tasked with both physical and cyber defense provision, so it will certainly have monetary skin in this game.

As will surprise no one, the UK’s National Health Service (NHS) – a single nationwide healthcare provider for everything from antibiotics to brain surgery and ER-based trauma – was a source of particular despondency when it came to legacy technology vulnerability.

“• The NHS remains particularly vulnerable: healthcare is a ‘large and growing target across Europe,’ and the NHS operates a ‘vast estate of legacy infrastructure,’ including ‘IT systems that are out of support or have reached the end of their lifecycle.’ This puts it in a ‘particularly difficult position to protect itself from cyberattacks,’ despite the fact that many critical medical devices and equipment are now connected to the internet. Many hospitals lack the capacity to undertake even ‘simple upgrades’ as a result of crumbling IT services and a lack of investment.’”

Vulnerability #2: the evolving nature of the threat.

While ransomware has been a significant threat to UK critical infrastructure for some time, the Committee’s report dwelled at length on the evolving nature of the cyberthreats the UK faces – especially as the evolution is happening faster than the technology underpinning critical infrastructure has can be refreshed in practical terms.

“Witnesses were almost unified on the changing nature of the threat, describing the evolution of a mature and complex ecosystem with a ‘cell-like architecture, akin to other forms of serious organised crime.’ Key developments include:

• The growth in ransomware-as-a-service (RaaS), in which an efficient division of labour has evolved. Typically, ‘initial access brokers’ will achieve the initial hack and sell the access onto ‘affiliates;’ ransomware operators will also sell a malware source code to affiliates (and might also negotiate with victims); and affiliates will then pay a service fee to ransomware operators for every collected ransom. These ‘groups’ of actors are connected in quite loose ways, making attribution of responsibility for attacks more difficult. This efficiency of specialization has increased the tempo of ransomware operations. It has also lowered the cost barrier to entry into ransomware, because less sophisticated criminal groups (affiliates) can purchase the required technology to conduct more advanced attacks. One witness described the typical threat actor now as ‘quicker, more agile and brazen.’
• Innovations in marketing, recruitment and communication: RaaS operatives are known to offer their services on a monthly subscription basis with optional extras, and have actively recruited affiliates. Groups operate on closed chatrooms to communicate with one another, and some even act like legitimate enterprises, establishing HR functions to coordinate their annual leave.
• A shift towards larger, higher-value targets (sometimes described as ‘big game hunting’), with threat actors developing more ‘sophisticated weaponry’ and achieving much larger ransom payouts.
• An increase in double or triple extortion methods, in which ransom demands are linked to threats to publish sensitive data online; in these cases, the data may be “exfiltrated” (removed) rather than encrypted. Organizations are thus held to ransom on the grounds of confidentiality (release of sensitive data), and not just availability (access to files). In triple extortion, the victim’s customers or suppliers may be threatened with the release of sensitive data if they do not pay a further ransom; a “premium subscription” might also be on sale—to the victim and others—in exchange for exclusive rights over the data.”

Vulnerability #3: geopolitics

The report, authored by members of both the House of Commons and the House of Lords, from across the political spectrum – cites external geopolitics as a factor in the UK’s particular vulnerability.

“The National Cyber Security Centre’s (NCSC’s) 2022 Annual Review noted that most of the ransomware groups targeting the UK are ‘based in and around Russia,’ benefiting from ‘the tacit consent of the Russian State’;

• The NCSC’s Annual Review 2023 raised the same concerns but placed emphasis on the development of ‘a new place of cyber-adversary’ who are often ‘sympathetic to Russia’s further invasion of Ukraine and are ideologically, rather than financially, motivated.’
• In its written evidence to this inquiry, the Government stated with near certainty that ‘the deployment of the highest impact malware (including ransomware) affecting the UK remains concentrated mostly in Russia;’ and
• DXC Technology, a US IT company, told us that, of the ten most prolific and dangerous ransomware strains identified by the NCSC’s Ransomware Threat Assessment Model, eight are ‘likely based in Russia.’

According to RUSI, some of these groups are experienced in this evolving field of offending: in many cases, the same Russian actors were conducting ‘malware and botnet operations’ against UK financial institutions from 2010 onwards, and have subsequently ‘pivoted their business model’ towards ransomware operations. The lines between state activity and criminal groups are also blurred.

Prior to Putin’s full-scale 2022 invasion of Ukraine, it harbored an element of the ransomware threat: Jamie MacColl from RUSI commented that the ransomware ecosystem contained ‘multiple nationalities from former Soviet Union countries, including Ukraine.’ The NCA told us that it had worked with the Ukrainian Government in the past to investigate and arrest some of those offenders, but that the Ukrainian attackers had subsequently either gone to Russia or had ‘turned to attacking Russia,’ rather than the West. The impact of the war on cyberthreat levels overall appears mixed: a reported wave of cyberattacks against Ukraine encountered strong defences, and some downward global trends have been attributed to the war distracting Russian aggressors away from conducting ransomware attacks. It has also caused splits within ransomware groups, with members coming out for and against the Russian Government. This splintering may have made such groups even harder to disrupt.”

The unspoken vulnerability.

While the report runs to a handful of pages on specific actions that should be taken to address the parlous state of the UK’s cybersecurity in critical national infrastructure, the unspoken vulnerability remains visible in the condemnation the report withholds for those two central weaknesses – a lack of funding, and a lack of planning.

To deliver on either of those things, a government has to be willing and able to focus on the widespread cyberthreat on the nation’s critical national infrastructure in the long term.

The UK has had what is technically one government since 2010. During that time however, it has had no fewer than five Prime Ministers, all from the Conservative party. All but the first (David Cameron) have campaigned, won, and governed with a single central political goal – making a success out of the 2016 Brexit vote, which divorced the UK from the rest of the EU.

Until recently, delivering a successful post-Brexit reality has been the main concern of both the Home Office and the Foreign and Commonwealth Office, leaving little in the coffers for any fundamental revamp of cybersecurity across the UK’s critical national infrastructure.

Add the hugely negative economic impact of Brexit (a sudden lack of equal access to the UK’s closest economies, labor, and law) and you have a situation that has taken up the vast amount of government time, focus, and money.

It has also been a period of extraordinary upheaval – one of the Prime Ministers (Liz Truss) lasted just 44 days, having managed to cost the UK economy £30 bn single-handedly in little more than a day.

Obviously, there was the Covid pandemic, and the economic time-bomb of several extended national furloughs. A Parliamentary enquiry was ongoing, even as the Committee’s findings were hitting House of Commons printers, over the extent to which the Covid response by the UK government was mishandled.

Prime Minister Boris Johnson was forced to resign after it was discovered he had knowingly lied to both the House of Commons and the nation. Inflation soared, creating a cost of living crisis and forcing whole groups of workers to strike for decent wages – including several groups in the NHS.

The report warns amelioration could cost the country “tens of billions.” The UK needs a government that’s stable and focused on solving the cyberthreat problem long term, rather than delivering piecemeal solutions to parts of the infrastructure.

The cyberthreat question may have snuck up on the government over time – but the UK government has also never been stable enough in 13 years to tackle it effectively.

In the next 12 months, there will be a general election in the UK. The cybersecurity of the country’s critical national infrastructure is unlikely to be a front-line campaign issue in a country with underfunded schools, hospitals, and infrastructure, and an ailing economy where the gulf between rich and poor is the widest in the world (save the US).

It is to be hoped though that reports like that of the Joint Committee can at least make CNI cybersecurity a tangential priority of whichever party forms the next working majority in the House of Commons, and the country’s next government.

NB – this was five years ago, after the WannaCry attack. Nothing appears to have improved since then.