IT Essentials: Be Prepared

More than a motto? Not right now

UK ransomware resilience strategy

Image:
UK ransomware resilience strategy

Our critical infrastructure is unprepared for ransomware... and so are most of us

‘Be Prepared' is, depending on your age and frame of reference, the motto of the global Scouting movement or a song delivered, rather splendidly, by Scar in The Lion King, shortly before he pushes his brother off a cliff into a herd of stampeding wildebeest.

It's a motto that we could all live by, but one that those with responsibility for protecting critical national infrastructure (CNI) assets like energy and water supplies and healthcare services really should take to heart.

You may or may not be surprised (it depends on how far your expectations of functioning government have fallen) that a recent report by the Joint Committee on National Security Strategy (JCNSS) has concluded that we are wholly unprepared for a ransomware attack on our critical infrastructure that is likely to occur in the none too distant future. The outcome for citizens of the UK could be "catastrophic."

In this scenario, we are, collectively the pride, Scar is a hostile nation state, the wildebeest are cybercriminals for hire, the hyenas are the self-styled "five families" of Conservative MPs, and the CNI of the UK is Mufasa. The Home Office is too busy looking out for small boats to notice how precariously close to the edge Mufasa is.

Simba will not be returning to save the pride.

Make no mistake, this cross-party report, entitled "A hostage to fortune: ransomware and UK national security" was every bit as damning as the title suggests. Not only is an attack on our infrastructure likely, the agencies tasked with detection, response and recovery from ransomware attacks are under resourced and lack the necessary capability.

If we were operating in the post-cold war, things-can-only-get-better nineties and early noughties, the Hakuna Matata playbook of national security would be, if not entirely forgivable, at least slightly understandable. But the threats are illustrated in the starkest possible terms daily. Barely a week has passed since the government publicly accused Russian intelligence services of cyber espionage focused on UK politics and democratic processes. Throughout this year we've seen various police forces, schools, councils, the MOD, parts of the NHS and the Electoral Commission all compromised - either by external actors or, incredibly, themselves.

Accountability for the security of NCI is difficult, given the complex patchwork of public and private ownership underpinning it. The scale of the challenge is vividly illustrated by the ailing national rail network. It's slowly dying, but nobody knows who is responsible or how to stem the decline. It almost seems as though the complexity of ownership was designed to create maximum confusion.

The National Cyber Security Centre (NCSC) has been reporting annually for seven years now on UK cyber resilience, and has created lots of frameworks, programmes and schemes, such as the Cyber Essentials Scheme, for organisations of all types to follow. These are positive and helpful programmes, but CNI organisations are failing to implement them, and the government is failing to enforce even minimal cybersecurity standards in the public realm.

The JCNSS report draws attention to the fact that CNI is a Home Office responsibility, but recommends that responsibility be transferred to the Cabinet Office, with the buck stopping on the desk of the Deputy Prime Minister - presently Oliver Dowden. It makes sense, given that the Deputy Prime Minister is lead Minister for Resilience.

Dowden announced earlier this month the development of a UK Resilience Academy, which will provide a range of learning and training opportunities for "the whole of society." This amounts to more guidelines which companies, agencies and other organisations will continue to ignore, and a website for citizens. I'll save you the trouble of reading: Make sure you have two weeks of food and water in, plenty of batteries and a wind-up radio. Try not to be old, ill, pregnant or vulnerable. Dowden closed his statement with the following words:

"The world may be more dangerous than ever… but we will be better prepared than ever."

If only.