The government left Redcar and Cleveland Borough Council to fight a massive ransomware attack alone for a week, with minimal support or correspondence, the council’s leader has said. Mary Lanigan told MPs yesterday that while police and cybercrime officers were on site within two days, help from Westminster was lacking. Recovering from the incident cost the small council £11.3m with just a third of that paid by central government, she said. A government spokesperson said the National Cyber Security Centre (NCSC) helped with co-ordination efforts throughout the incident.
In February 2020, cybercriminals unleashed a devastating ransomware attack on the North Yorkshire borough, which has a population of about 137,000 and had a fully integrated IT system that covered everything from social services to rates collection. The breadth of this system proved to be the local authority’s biggest downfall as the virus planted by an unnamed gang took hold.
It came in through a single email attachment and the virus had likely been in the system for two weeks before it made its move, according to Lanigan. Local IT staff spotted the start of an attack, powered down the entire system and called in the National Cyber Security Centre (NCSC).
“The virus had been in our system for more than two weeks and had been triggered on that Saturday morning,” said Lanigan, speaking at a hearing of Parliament’s defence select committee on Monday. “It was catastrophic. We lost everything. We lost our telephone systems, our IT, the whole thing was lost. Our partners, including Cleveland Police also pulled the plug on us.”
Council staff went ‘back to pen and paper’
She said staff were writing on pieces of paper, they had to turn to mobile phones as the council lines had all gone down and they had no access to email or other forms of digital communication.
While police and other cybercrime experts arrived and offered support within 48 hours of the incident, Lanigan told the select committee hearing on ransomware that she found the response from central government somewhat lacking and slow.
“We engaged with response teams and they were good but what we found at first was that even though we told central government we were under attack, we were left to our own devices for a week or so,” she said. “We had to call our own private security team in. Without that help from central government straight away, we were put on the back foot and it took longer to recover.”
When pressed on how the council finally got ministers to take notice, Lanigan said it was a combination of badgering them constantly and reports outlining the seriousness of the incident.
A Government spokesperson told Tech Monitor the NCSC worked with the council as soon as the incident occurred, sending a team to provide on-site advice and continued to help with co-ordination with wider government and law enforcement, remaining in regular contact throughout.
In total it cost £11.3m for Redcar and Cleveland Borough Council to recover from the attack, and despite promises from ministers that they would ensure the full costs were covered by government, just £3.6m of that came from central funds. Lanigan said that when they submitted the cost breakdown to officials in central government they challenged it and offered the lower amount.
Due in part to the cyberattack and the fact the council had used its reserves to fund the recovery Lanigan said she wasn’t in a position to challenge the government’s lower cost estimate, leaving a small council out of pocket by more than £7m.
“In addition to £3.6m in direct funding to help with the costs of this incident, the Government has offered the council an extra £1.2m in capital flexibility,” a government spokesperson said.
System integration
Before the incident, the council had been given a clean bill of health in terms of cybersecurity resilience by government officials. “We had followed all government guidelines and didn’t think we were at risk,” said Lanigan, who later added that she believes there needs to be better communication from central government on what resources are available and what should be done based on learnings from previous attacks, including not having all systems fully integrated.
The idea of more central resources was raised several times during the committee hearing, in part due to the cost to local councils and other public bodies of securing cyber insurance.
“Looking back and speaking to senior staff at the council the cost would have been astronomical for us to insure against these things,” said Lanigan, adding that the council decided not to pay the ransom demanded by the attackers. “One, I didn’t know if we’d be able to get the virus out of our system even if we did pay, as there wasn’t much left of it,” she said. “And two, if I paid up would they hit other local authorities? If this council paid the others might [have] as well, so we couldn’t do that.”
Sarah Stephens, managing director and international head of cyber at insurance company Marsh Speciality told the same committee hearing that organisations without cyber insurance often find it hard to get the support they need in the event of an attack.“It is clear that businesses and public sector entities struggle to marshal resources to investigate and recover from a ransomware incident,” she said. “It isn’t possible to do so with internal resources alone, and many leaders haven’t been through such an incident before. We do see that those entities with a cyber insurance policy can lean on that curated ecosystem of incident response providers and learn from them.”
Lanigan said government officials also encouraged the council to stay quiet and not go public with details of the ransomware attack, including its severity.
“In hindsight, it should be reported as people knew there had been an attack but not how serious it was, and not how serious it was that it wiped out our systems,” she said. “Local government needs to be open with residents. I know it was a criminal attack but if it happened to us again I’d question why government was telling us not to tell anybody as I don’t think that was helpful.”
Fighting ransomware: openness and transparency important
Also appearing at the hearing was John Ward, interim chief technology and transformation officer at the Health Service Executive (HSE) of Ireland, who shared the experience the HSE had in the wake of a major ransomware attack in May 2021 that took all of its IT systems offline.
He said by refusing the pay the ransom and by being completely open and transparent allowed the organisation to respond faster and helped in securing funding to combat the attack. It also led to the cybercriminals involved posting the decryption key online a week after the attack which helped in recovery as they were able to restore many of the encrypted documents.
“It was still a significant undertaking to decrypt the system. Despite having the key it took four months to recover up to 99%. Our priority one systems were recovered in weeks, but it took four months to get to 99% of systems up and running,” Ward told the hearing.
Lanigan said in light of her experience and learnings since the breach, she would go public from the start.
“As tight as the system we’ve got at the moment is, I can’t guarantee this isn’t going to happen again,” she said. “No local authority or business can. Perhaps if we had gone out and said ‘this has happened to us’ maybe we would have got a decryption key, maybe we would have got systems back faster. If it happened again we’d go public.”
Her overall experience was not a positive one in terms of dealing with government, having to rely heavily on private security companies the council hired themselves for both investigations and recovery processes.
“It wasn’t good financially, and it wasn’t good in terms of the secrecy of it,” she said. “Because it was the first time it happened to us, you take advice from central government and the security guys but from our point of view, it didn’t work out very well. Go public and get it out there.”
When asked by Tech Monitor the Home Office said it was funding £37m to tackle cyber security challenges that local authorities were facing, including cyber resilience to protect services and data from attack. This includes the £3.6m sent to Redcar and Cleveland as well as the extra £1.2m they were offered in capital flexibility.
The Home Office explained that the NCSC is equipped to deal with these types of attacks, engaging regularly and sharing threat information and guidance with councils. Its Active Cyber Defence programme also offers services to the public sector for free that build good resilience to reduce harm from attacks if they happen.