National Cyber Security Centre (NCSC) CEO Lindy Cameron has announced that the threat of ransomware has overtaken that of state-backed threat actors in the online security space. But while Cameron is correct to highlight this fast-growing threat, security experts say the government could do more to protect businesses from attacks.
During a speech on Monday evening to the Royal United Services Institute think tank, Cameron stated that “for the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary threat is not state actors but cybercriminals, and in particular the threat of ransomware”.
Why is ransomware more of a threat?
The number of ransomware attacks globally increased by 150% in 2020 and is set to grow further in 2021, reports the Harvard Business Review. The demands of criminals are also increasing fast. According to the US-backed ransomware taskforce, the money demanded by cybercriminals using Ransomware-as-a-Service (RaaS) went up by 300% in the past year. High-profile breaches in 2021 so far have included the Colonial Pipeline hack and the attack on the Irish health system.
“The sheer volume makes [ransomware] the most impactful threat we face,” said Cameron. “We need to focus on victims not just threat, and that small harms can amount to a cumulative risk of national significance.” The human impact of ransomware should also not be underestimated, she said. “It stops people and business from being able to live their day to day lives.”
Ransomware has become the biggest threat to countries like the UK because of how lucrative attacks have become for criminals, argues Jason Hill, head of research at Israeli security company CyberInt. "I think the shift to ransomware is going to be somewhat attributed to the success of these campaigns," he says. "So it seems that organised cybercrime and cybercriminals have perhaps stopped doing other types of attacks and are focusing their efforts [on ransomware]."
While other cybersecurity threats persist, they are being dwarfed by the rise of ransomware, Hill says. "There are other things still like banking Trojans and all that stuff," he says. "[But] it seems to be that ransomware is highly effective. The groups are making a lot of money. It seems only natural that as a collective, cybercriminals would focus their efforts on something which is working well."
Cameron used her speech to reveal her biggest worry is the "cumulative effect of a potential failure to manage cyber risk and the failure to take the threat of cyber criminality seriously." Indeed, attacks are increasing in sophistication as well as volume, says Bharat Mistry, technical director for UK and Ireland at Trend Micro. "Criminals are not just using email, they are using multiple ways of getting in," he says. "So email could be one, exposing vulnerabilities could be another, buying credentials from underground sources could be another. Trying supply chains is another. And you can see that the bigger the victim or the more likelihood that a victim is going to pay up, the more the price."
What action is the UK government taking against ransomware?
Good cyber security hygiene is key to stopping ransomware attacks, says Rajesh Muru, principal cybersecurity analyst at GlobalData, and the NCSC shares best practice on its website. Beyond this, in 2018 the government introduced a minimum cybersecurity standard (MCSS), which it expects all public sector organisations to adhere to, but Mistry says this could go further.
The US government's more exacting National Institute of Standards and Technology (NIST) standards could be used as the basis for new guidance to UK businesses on ransomware and wider cybersecurity issues, he argues. "[UK] companies do have to comply to a certain level, but that's only the bare minimum I would say," Mistry adds.
According to Mistry, the government could also be doing more to protect UK infrastructure from ransomware attacks. "I think for critical and national infrastructure, we need to kind of increase the baseline to be more than just basic [protection]," he says.
Muru explains: "On one hand, you've got enterprises like the financial services companies, the health care sector and the public sector that are trying to reduce operational costs by pushing their applications onto the cloud. On the other hand, the cloud providers are kind of taking the position where they will provide an element of security," he says. This is flawed, says Muru, as the onus is on the enterprise, not the infrastructure, to provide security. "[As a cloud user] you are ultimately responsible for the security layer, so that's creating a lot of challenges," he says.