The UK government has released new guidance on tackling ransomware, aimed at addressing weaknesses in supply chains, which were the main point of entry in many of the 204 “nationally significant” incidents handled by the National Cyber Security Centre (NCSC) last year.
Developed jointly with the Singapore authorities, as part of a commitment made last year under the auspices of the Counter-Ransomware Initiative (CRI), the guide aims to help organizations identify problems in their supply chains before cybercriminals can exploit them, and outlines several practical steps to audit supplier security and protect against vulnerabilities. The CRI is supported by more than 67 countries (though not the United States) and by organizations such as Interpol and the World Bank.
“Ransomware and cyber attacks pose a direct and urgent threat to our country’s security and economy,” said UK Security Secretary Dan Jarvis. “We are taking decisive action to counter this threat, but global coordination is essential.
“Cybersecurity should be a top priority for all businesses. It is critical to follow ransomware guidelines and take decisive action to protect against these devastating attacks.”
NCSC Director of National Resilience Jonathon Allison added: “A ransomware attack on one organization can seriously disrupt entire supply chains, affecting businesses and services in the UK and beyond. We know that many of these incidents can be prevented by implementing basic cyber security measures such as UK Cyber Essentials certification.
“We urge organizations to follow the NCSC supply chain security guidance to protect themselves, their partners and the UK’s national cyber resilience.”
The guidance itself, which can be read in full here, outlines a multi-phase plan to improve supply chain resilience. Its steps highlight the need to select suppliers that have implemented security measures commensurate with the risk level of the activities they are involved in; to communicate your organization's own security expectations to supplier partners; to include cybersecurity in the contracting process; to require independent audits and testing of suppliers, or external accreditation from cybersecurity bodies; and to insist on cyber insurance policies.
The guidance also recommends that organizations work hand-in-hand with suppliers to review any incidents or near misses, implement response plans, share new threat information or revised best practices, and update contracts to reflect the changing cybersecurity landscape. It also calls on organizations to do more to encourage dialogue and coordination within their supplier networks and among colleagues.
“Careful planning, investing in the right tools and conducting countless exercises are vital, but even then, nothing truly prepares you for the moment when a real cyber event unfolds. The intensity, urgency and unpredictability of a real attack is unlike anything you can rehearse,” said Shirine Khoury-Haq, CEO of the Co-operative Group, which suffered a massive ransomware attack in April that cost the group £206 million.
“What's most important is learning, building resilience and supporting each other to prevent future harm. This is a positive step in the right direction to build a safer digital future,” she added.
UK to sign controversial UN cybersecurity convention
UK delegates also plan to sign a controversial new United Nations (UN) Convention against Global Cybercrime this weekend at a ceremony in Hanoi, Vietnam.
The UN Convention against Cybercrime was adopted by the General Assembly on 24 December 2024 by resolution 79/243 and is the first comprehensive global treaty on cybercrime.
The convention was originally proposed by the Russian government, which objected to the long-standing Budapest Convention on Cybercrime, a Council of Europe-backed initiative adopted back in 2004.
Although the European Union (EU), UK and US initially opposed the convention, seeing it as a power grab by Russia to increase its control over the Internet as a whole, the Biden administration ultimately set aside its human rights concerns and backed it, on the grounds that it was more important for the US to have a seat at the table.
Whether it will really be effective in the fight against the notorious Russian-speaking extortion gangs to which Moscow turns a blind eye remains to be seen.
However, in addition to purportedly tightening the fight against ransomware, the convention importantly criminalizes cybercrimes such as child sexual exploitation, fraud, and non-consensual sharing of intimate images.
It also creates a global network to strengthen international law enforcement cooperation, with a permanent point of contact in each state to assist in cross-border investigations.