UK ramps up ransomware fightback with supply chain security guide

The UK government has released new anti-ransomware guidance designed to address the weaknesses in supply chains that have been the ultimate source of many of the record 204 “nationally significant” incidents dealt with by the National Cyber Security Centre (NCSC) in the past year.

Developed alongside the Singapore authorities as part of a joint commitment made last year under the auspices of the Counter Ransomware Initiative (CRI), the guidance aims to help organisations spot issues in their supply chains before cyber criminals are able to exploit them and sets out several practical steps to check supplier security and guard against vulnerabilities. The CRI is backed by over 67 countries – but not the US – and bodies such as Interpol and the World Bank.

“Ransomware and cyber attacks pose an immediate and urgent threat to our nation’s security and economy,” said UK security minister Dan Jarvis. “We are taking decisive action to counter this threat, but global coordination is essential.

“Cyber security must be a top priority for all businesses. It’s vital that the counter-ransomware guidance is followed and strong measures are taken to defend against these destructive attacks.”

NCSC director for national resilience, Jonathon Ellison added: “A ransomware attack on one organisation can severely disrupt entire supply chains, affecting businesses and services across the UK and beyond. We know that many of these incidents are preventable by implementing basic cyber security measures, such as the UK’s Cyber Essentials certification.

“We strongly urge organisations to follow the NCSC’s supply chain security guidance to help protect themselves, their partners, and the UK’s national cyber resilience.”

The guidance itself sets out a multi-step plan to enhance supply chain resilience. These steps emphasise the need to select suppliers that have implemented security controls proportionate to the risk of the activity they are involved in; to communicate your organisation’s own security expectations to supplier partners; to build cyber security into the contracting process; to conduct independent audits and tests of suppliers, or to require external accreditation from cyber technical authorities; and to insist that cyber insurance policies are in place.

The guidance additionally advises organisations to work hand-in-hand with suppliers to review any incidents or near misses, exercise response plans, share new threat intelligence or revised best practices, and keep contracts updated to reflect the changing cyber security landscape. It also urges organisations to do more to drive dialogue and coordination across their supplier network and among their peers.

“Meticulously planning, investing in the right tools and running countless exercises are vital, but even so, nothing truly prepares you for the moment a real cyber event unfolds. The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse,” said Shirine Khoury-Haq, CEO of The Cooperative Group, which was hit by a massive ransomware attack in April that cost the group £206m. 

“What matters most is learning, building resilience, and supporting each other to prevent future harm. This is a positive step in the right direction for building a safer digital future,” she added.

UK to sign controversial UN cyber convention

UK delegates also plan to sign a controversial new United Nations (UN) convention on tackling global cyber crime this weekend at a ceremony in Hanoi, Vietnam.

The UN Convention against Cybercrime was adopted at the General Assembly on 24 December 2024 by resolution 79/243, and is the first comprehensive global treaty on cyber crime.

The convention was initially proposed by the Russian government, which objected to the longstanding Budapest Convention on Cybercrime, a Council of Europe-backed treaty opened for signature in 2001 and in force since 2004.

Although the European Union (EU), UK and US initially aligned against the convention on the basis that they believed it to be a power grab by Russia to increase its control over the wider internet, the Biden administration ultimately set aside human rights concerns and was swayed to back it, on the basis that it was felt more important for the US to have a seat at the table.

Whether or not it will truly be effective in tackling the notorious Russian-speaking ransomware gangs to which Moscow effectively turns a blind eye remains to be seen.

However, besides supposedly getting tough on ransomware, the convention importantly harmonises the criminalisation of cyber-enabled offences such as child sexual exploitation, fraud, and the non-consensual sharing of intimate images.

It also establishes a global network to strengthen international law enforcement collaboration, with a 24/7 point of contact in every signatory state to assist in cross-border investigations.
