Why is everything being hacked?

By Samir Jeraj

Copyright newstatesman

JLR, manufacturer of the iconic Jaguar, is still picking up the pieces after a catastrophic cyberattack at the end of August. It’s the most recent high-profile attack after hackers breached the defences of the Co-op, Marks and Spencer’s, and Heathrow airport. Last year four in ten businesses reported breaches in their cybersecurity, as did three in ten charities. But are UK cyberattacks increasing, or just getting more successful?

It has certainly become much easier to launch a cyberattack in the past few years. The rise of “ransomware as a service” means an attack can be commissioned by someone without technical expertise. The operation is outsourced and sub-contracted, with different people and groups potentially supplying each part of the attack in exchange for a cut of the fee. Other tools to launch distributed denial of service (DDoS) attacks can be rented at very affordable prices.

Developments in AI and quantum computing will further increase the capabilities of hackers to breach systems. AI can be used not just to write convincing emails, but to clone voices – and the ability to make convincing videos is not far off. The first successful cyberattack using a deepfake video was carried out last year against British firm Arup, where an employee was instructed over video to make $25m in payments.

Targets are not usually chosen at random but are the result of extensive research to maximise the impact. Retailers, for example, hold a lot of customer data that can be ransomed or sold on to enable identity fraud and scamming emails and texts. Manufacturers are highly vulnerable to supply-chain disruption, while science and tech companies have high-value intellectual property to protect. Every organisation has its weak points, from legacy IT systems to poor security in their supply chain to poor training.

“The supply chain has become the Achilles’ heel of modern business: interconnected, efficient, but highly vulnerable. Attackers know that breaching a supplier or service provider can open the doors to multiple high-value targets at once,” said Matthew Hull, global head of threat intelligence at NCC Group.

Who is launching attacks is an open question. While Russia and other hostile states directly and indirectly support cyberattacks, there are plenty of domestic and home-grown cyber criminals in the UK, and the profit motive is borderless. There is speculation that the JLR attack was perpetrated by Scattered Spider, an English-speaking group who are believed to have launched the successful attacks on the Co-op, M&S and Harrods.

The JLR attack has also raised questions about the outsourcing of the company’s own cybersecurity and IT services, in its case to Tata Consultancy Services, which is ultimately owned by the Tata Conglomerate. Cybersecurity professionals are questioning whether outsourced IT helpdesks have the knowledge and processes necessary to defend against “social engineering” attacks where employees are manipulated to share confidential information or carry out actions that undermine cybersecurity.

There are actions businesses can take. While 92 per cent of organisations trust that their suppliers follow cybersecurity best practices, only 41 per cent are confident in how they monitor and assess those practices, and a third of businesses don’t conduct regular risk assessments on suppliers, according to NCC Group.

The UK government announced plans this year to outlaw the paying of ransoms to cybercriminals by public sector organisations and critical national infrastructure bodies. There are no known instances of these payments being made so far, but the government hopes to signal to those cybercriminals motivated by money that launching a ransomware attack won’t be profitable. Businesses, while still able to make ransom payments, will be required to notify the authorities, who presumably will attempt to dissuade them. At the moment, it is easier for some companies not to disclose to the authorities and customers that they have been successfully attacked, and to pay a ransom and bury it in their accounts under “professional services”.

Cybersecurity professionals point out that hundreds of thousands of cyberattacks are prevented each day, but that it only takes one successful attack to plunge an organisation into crisis. They warn that it is a matter of “when, not if” and that organisations, including the UK government, need to invest in effective cybersecurity. That includes contingencies and plans to help companies pick up the pieces quickly and effectively following an attack. But for every move the UK makes to improve its cyber resilience, cyber criminals will make counter moves. It will be endless.
