UK cybersecurity head: ‘We must ensure ransomware doesn’t yield returns’

25 Jun 2021

Lindy Cameron. Image: NCSC

The CEO of the UK’s National Cyber Security Centre praised Ireland’s health services executive for not giving in to ransomware demands.

Click here to view the full Infosec Week series.

Lindy Cameron, CEO of the UK’s National Cyber Security Centre (NCSC), warned of the “insidious” threat of ransomware during a virtual address delivered today (25 June).

Speaking at a virtual event organised by the Institute of International and European Affairs (IIEA), Cameron praised the decision by Ireland’s national health service not to pay the ransom demanded during a recent attack on its systems.

“Cybercriminals are out to make money – the more times a method is successful, the more times it will be used,” she warned.

Cameron explained that paying out for ransomware demands can backfire. There is no guarantee that cyberattackers will return an organisation’s data on payment, and those known by these criminals to be willing to pay may well be targeted again.

“It’s important that we do all we can to ensure this is not a criminal model that yields returns,” she said.

“The [Irish] Government’s strong action of refusing to pay will likely deter ransomware operators from further attacks on health sector organisations – in Ireland or elsewhere.”

‘Please anticipate that this will happen. Work on the assumption that this is going to become an issue not a risk, and prepare for it accordingly’
– LINDY CAMERON

Hailing from Derry, Cameron is the second-ever head of the NCSC, which was formed in 2016.

Since then, the organisation has dealt with more than 2,000 significant incidents and taken down more than 700,000 online scams.

In both her speech and in comments during a Q&A she stressed that organisations don’t have to reach a “critical mass” for cyberattacks against them to be taken seriously. “We worry about the security of hairdressers as much as we worry about the FTSE 100,” she said.

However, the seriousness of an attack on healthcare services stokes fear of further attacks on critical systems around the world.

“Ransomware almost certainly continues to represent the most likely disruptive threat to the health sector worldwide,” said Cameron.

“Although cybercriminals promised not to target the health sector during the Covid-19 pandemic, ransomware attacks have proliferated and are increasingly causing disruption to clinical services and patient care.”

This, Cameron said, means that these attackers are not just causing harm to businesses with comprehensive cyber-insurance, but to “ordinary citizens such as cancer patients whose radiotherapy appointments were postponed”.

In the case of the HSE cyberattack, Cameron believes the criminals handed over the encryption key within a few days of the attack “as a public relations move to lessen criticism”.

Tips for tackling ransomware

Whether your systems support national infrastructure or a small private business, Cameron’s advice is the same: “Resilience, resilience, resilience.”

According to Cameron, most attacks seen by the NCSC could have been at least made more difficult had its guidance been followed. This includes a 10-step process and a toolkit which is regularly updated (including introducing scenarios around remote working last year).

Core to all of this advice is making systems as difficult to penetrate for any would-be attackers, be they highly sophisticated cyber-gangs, state-sponsored attackers, or low-level criminals out to cause mischief.

In Cameron’s opinion, cyberattacks should not be seen as an unlikely risk but a likely occupational hazard. “Please anticipate that this will happen. Work on the assumption that this is going to become an issue not a risk, and prepare for it accordingly.”

Cameron also advocates that all at senior management and board level understand that cyberattacks are about more than just data protection.

“Too often this is seen as an issue around data, and actually most serious ransomware attacks are the ones that paralyse services, where effectively people are unable to operate systems that are often critical to their existence or their profitability.”

She also recommended that leaders ensure their own awareness of these issues. “Make sure you do not hive this off into the specialist space. This is something that needs to be properly on the board’s agenda,” she said.

Cameron also recommended that business leaders talk to those who have experienced a cyberattack in order to understand the emotional weight and pressure of this situation.

“That’s how criminals want you to feel. They want you to panic and pay the ransom at that point, so making sure that you know how that will feel and having prepared for is absolutely essential,” she advised.

Elaine Burke is the editor of Silicon Republic

editorial@siliconrepublic.com