News reaction: UK Parliament committee adopts NCC recommendations on ransomware

Earlier this month, the UK Parliament Joint National Security Strategy Committee shared its final report following an inquiry into the UK’s approach to tackling ransomware - ‘A hostage to fortune: ransomware and UK national security’.

The Committee launched its inquiry in October last year to consider the threat posed by ransomware and what can be done about it. In November 2022, NCC Group’s then CTO Ollie Whitehouse was invited as an ‘expert witness’ to give evidence to the Committee.

The report highlights the evolving risk landscape, urging Government to make ransomware “a more pressing political priority” and calling for further resources to be “devoted to tackling this pernicious threat to the UK’s national security.”

Here, UK Government Affairs Lead, Verona Johnstone-Hulse takes us through the key findings.

We are delighted that the Committee has reflected many of NCC Group’s insights into the ransomware threat landscape and adopted several of our recommendations within the report.

The report reflects an important contribution to the debate about how we tackle this evolving threat, shining a light on why the UK Government must continue to invest in the UK’s efforts to tackle cybercrime.

Specifically, it calls on Government to:

• Explore establishing a cross-sector regulator on critical national infrastructure (CNI) cyber resilience to oversee the implementation of the NIS regulations.
• Hold regular national exercises to prepare for the impact of a major national ransomware attack affecting multiple CNI sectors, engaging CNI operators to stress-test their response and ensure a swift recovery.
• Establish an enhanced and dedicated local authority cyber resilience programme and provide negotiation, recovery, and remediation capabilities – through the National Cyber Security Centre (NCSC) and National Crime Agency (NCA) – to all public sector victims of ransomware, to the point of full recovery.
• Urgently bring forward legislation to reform the Computer Misuse Act.
• Explore, with the cyber incident response industry, the possibility of establishing a ‘pro bono’ industry-led scheme for charities and small businesses who have been victims of cyberattacks.
• Work with the insurance sector to establish a re-insurance scheme for major cyber-attacks.
• Urgently establish a central reporting mechanism for ransomware attacks, and consider whether to require all UK organisations to report an attack within three months.
• Produce more detailed guidance—accessible to a non-technical audience—on how best to avoid the payment of ransoms.
• Invest significantly more resources in the NCA’s response to ransomware, including revisiting the funding available for NCA pay and progression.
• Deploy a full-spectrum response to the ransomware threat, with the Intelligence and Security Committee reviewing how this compares with the US agencies’ ‘full statecraft’ approach to ransomware.

What’s next?

The UK Government is now required to digest and respond to each of the Committee’s recommendations setting out how it is implementing the recommendation, or explaining why it is not.

NCC Group is passionate about sharing our insights from operating at the ‘front line’ of cyber security with policymakers, so that they can make informed decisions about national cyber policy. We look forward to continuing to engage with the UK Government, and policymakers globally, to support a more secure and resilient digital future for all.