Ransomware attacks are the most likely cause of a future catastrophic cyber attack on the UK – and could even cause harm or death, the former head of the National Cyber Security Centre (NCSC) has said.
Speaking for the first time since leaving his role at the agency’s first chief executive, Ciaran Martin said ransomware was a “huge problem right now”.
Giving his first speech since leaving the NCSC in August to the defence and security think tank Royal United Services Institute (RUSI), Mr Martin said he fears the public could become collateral damage in a ransomware attack, highlighting cyber attacks on hospitals which could impact patient care.
“Right up until my final hours at the NCSC last month, I remained of the view that the most likely cause of a major incident was a ransomware attack on an important service for the attacker,” he said.
“The choice of the service would be incidental, they were just after the money, but from the point of view of national harm that incidental choice of victim could be important.
“And again, to my last hours at the NCSC, what most kept me awake at night was the prospect of physical harm inadvertently resulting from ransomware.”
Ransomware attacks involve cybercriminals gaining access to a network and blocking access to data by encrypting it, then demanding a ransom in order to return it.
The malware has been at the heart of one of the most notorious cases to hit the UK – the WannaCry attack in May 2017 – which impacted parts of the NHS.
On Thursday, the NCSC issued a new alert to the education sector, warning schools, colleges and universities to boost their security after it had seen an increase in ransomware attacks on institutions as the new academic year begins.
Mr Martin said that his time as chief executive of the NCSC had showed him that “criminal ransomware used recklessly by amoral criminals is one of the biggest, but least discussed scourges, of the modern internet”.
The warning comes in the wake of reports in Germany that a woman died while being transferred between two hospitals because her original destination was unable to treat her as it had been hit by a cyber attack.
A police investigation is now under way.
“It (ransomware) is the most likely way someone is going to suffer serious disadvantage, get hurt, or even get killed – which may sadly have just happened for the first time,” Mr Martin said.
“The bad news is that causing disruption, pain and economic harm through cyber attack and even putting small numbers of people indirectly at risk as we’ve seen with ransomware remains too easy for my liking.
“The better news is that killing large numbers of people by cyber attack deliberately remains thankfully quite hard. The capabilities to do it are in the hands of only a very small number of nation-states and it is currently not in the interest of any of them any more than it is to fire live rounds at their adversaries.”
He added that although in his time as NCSC chief executive he never had to declare a “category one” cyber attack – the most severe type of national incident – it did not mean they may not in the future.
“Just because cyber catastrophes haven’t happened yet doesn’t mean they won’t in the future, either by existing or new technologies like AI,” he said.
Mr Martin called for better understanding of cybersecurity so that businesses and individuals could help better protect themselves and others.
Referencing the dystopian aftermath of cyber attacks often seen in TV and film, he said: “If the popular perception of cyber attack is food shortages, empty cash machines and riots on the streets, the average person and the average organisational leader will assume he or she can do nothing about it and it is a problem entirely for the state or maybe just the board of large business: that is not true.
“If, however, the cyber risk is accurately understood, everyone knows that patchy the boxes on a network and doing security updates on a personal phone is a very valuable thing that everyone can do.”