
Pay or not? UK ransomware consultation

by Mark Rowe

The Home Office proposes to introduce legislation to counter ransomware, and has gone out to consultation – closing on April 8 – about it. Proposed is what the authorities call a ‘targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure’ (CNI).

The consultation document cites the 2023 ransomware attacks on Royal Mail, Capita and the British Library as examples, along with the March 2024 attack on NHS Dumfries & Galloway, in which three terabytes of stolen patient data were posted on the dark web. It states the UK government principle that local and central government, and CNI owners and operators, are prohibited ‘from making a payment to cyber criminals in response to a ransomware incident’.

The Home Office is seeking views on how ‘to encourage’ compliance with the proposed ban, whether criminal penalties (such as making non-compliance with the ban a criminal offence) or civil (such as a fine, or a ban on being a member of a board). According to the document, UK Government has an ‘ambition to drastically reduce the harm caused to UK prosperity and security by ransomware attacks’.

What NCSC says

Richard Horne, CEO of the UK’s official National Cyber Security Centre (NCSC), said: “This consultation marks a vital step in our efforts to protect the UK from the crippling effects of ransomware attacks and the associated economic and societal costs.

“Organisations of all sizes need to build their defences against cyber attacks such as ransomware, and our website contains a wealth of advice tailored to different organisations. In addition, using proven frameworks like Cyber Essentials, and free services like NCSC’s Early Warning, will help to strengthen their overall security posture. Organisations across the country need to strengthen their ability to continue operations in the face of the disruption caused by successful ransomware attacks. This isn’t just about having backups in place: organisations need to make sure they have tested plans to continue their operations in the extended absence of IT should an attack be successful, and have a tested plan to rebuild their systems from backups.”

The NCSC provides free advice on its Ransomware Hub.

Comments

Rob Dartnall, Chair of CREST UK, is a supporter of the CyberUp Campaign, which wants to see the law around computer misuse updated from the 1990 Act. He said: “We welcome the Government’s focus on tackling the serious threat of ransomware and the damaging impact it poses to UK society. These attacks disrupt critical infrastructure, public services, and businesses and represent a pernicious threat to our way of life that must be stamped out.

“In concert with law enforcement, the UK’s cyber security industry plays a pivotal role to uncover threats and share vital intelligence with authorities to protect victims from increasingly sophisticated attacks. However, our cybersecurity professionals are operating with their hands tied. Our research shows that almost two-thirds of cyber professionals believe the Computer Misuse Act 1990 (CMA), the main UK legislation governing cybercrime, hinders their ability to protect the UK by inadvertently criminalising a broad spectrum of legitimate cybersecurity activities.

“To truly empower this collaboration, the UK Government must combine its enhanced incident reporting with an urgent update to its cyber laws, so that threat intelligence professionals can do their jobs without fear of legal repercussions. Until then, the CMA will remain an outdated piece of legislation, preventing our cyber security professionals from defending organisations effectively and leaving us lagging behind peer nations, as the US and EU move to safeguard ethical cybersecurity work as a cornerstone of national resilience. It is time to create laws fit for the digital age.”

Mike Kiser, Director of Strategy and Standards, at the identity security product firm SailPoint, said: “Ransom payments should be banned: increasing payouts mean a corresponding rise in malicious activity. However, as soon as laws are passed to ban ransom payments, an underground market is likely to arrive – resulting in a hidden economic system. Who is then held responsible for violating laws – is it the corporate entity or the fault of the security executive? The time for action to mitigate the rise of ransomware is now. But as with so many other elements of life, prevention is better than cure.”

Dr Darren Williams, CEO and founder of the cyber firm BlackFog, said: “Ransomware gangs, like most criminals, are highly motivated by profit and tend to gravitate towards targets that are more likely to pay up. But paying up often doesn’t pay off. At the end of the day, you are negotiating with criminals who are unlikely to uphold their end of the deal, and in many cases they go further than leaking stolen data by targeting the same victim a short time later.

“Organisations in the public sector are often a soft target for attacks due to insufficient cybersecurity budgets and a reliance on antiquated technologies. There is no doubt that a ban on ransom payments would make ransomware less appealing to criminals, but firms need to get their house in order first by ensuring they have effective modern security solutions in place to defend against attacks.”