UK floats ransomware payout ban for public sector | The Register

A total ban on ransomware payments across the public sector might actually happen, after the UK government opened a consultation on how to combat the trend of criminals locking up whole systems and taxpayers footing the bill.

The consultation will consider views on extending the ransom payment ban from central government departments to all public services, including hospitals, schools, local authorities, and state-operated transport networks.

Announced today, the 12-week consultation will run from January 14 to April 8 and explore three proposals, the first of which is the total payment ban for the public sector and critical national infrastructure (CNI) organizations.

The overarching notion is to make the prospect of targeting these sectors undesirable for financially motivated criminals. It would also involve mandatory reporting of incidents to support law enforcement and intelligence agencies.

Secondly, a "ransomware payment prevention regime," as the Home Office is calling it, would take the first proposal even further. This idea assumes that a public sector payment ban would be implemented, and then additionally require that any organizations and businesses not covered by an existing ban seek the government's approval before they pay the ransom. It would be something of a ransomware payment license, which may or may not be issued depending on the nature of the incident.

A pan-industry approach would also see the nation's crime-fighting forces empowered with additional data to inform ongoing investigations and operations, although the consultation will also consider whether the rules would only apply to attacks that meet a certain threshold.

The third, and much weaker, approach proposes to implement a mandatory reporting law for ransomware incidents. So, no ban. This would provide the UK's cybercrime fighters with as much data as possible to better inform their investigations and, potentially, their disruption efforts à la LockBit, but is certainly not as powerful as the other ideas on the table.

Like the second proposal, the consultation will consider whether the rule will be for all organizations and individuals, or be based on an attack meeting a specific threshold.

"Driving down cybercrime is central to this government's missions to reduce crime, deliver growth, and keep the British people safe," security minister Dan Jarvis said in a statement.

"With an estimated $1 billion flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this Government's Plan for Change is built.

"These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.

"Today marks the beginning of a vital step forward to protect the UK economy and keep businesses and jobs safe."

As part of its first Cyber Security Act, Australia introduced mandatory incident reporting rules in November 2024, requiring organizations to report ransomware attacks provided they meet the revenue threshold. This was set at AU$3 million ($1.845 million), which captures approximately 6.56 percent of Australian businesses, according to the country's Cyber and Infrastructure Security Centre.

Given the UK's close political and economic ties to Australia, a similar threshold or percentage of British organizations may be considered if the rule were to be mirrored.

No major economy has taken steps toward banning ransom payments on quite the scale as that being described in some of the UK's proposals today. It would be a monumental moment for cyber policy should they be passed and implemented.

The UK's NCSC appears to be onside with the consultation too, with new CEO Richard Horne saying: "This consultation marks a vital step in our efforts to protect the UK from the crippling effects of ransomware attacks and the associated economic and societal costs.

"Organizations of all sizes need to build their defenses against cyber attacks such as ransomware, and our website contains a wealth of advice tailored to different organizations. In addition, using proven frameworks like Cyber Essentials and free services like NCSC's Early Warning will help to strengthen their overall security posture.

"And organizations across the country need to strengthen their ability to continue operations in the face of the disruption caused by successful ransomware attacks. This isn't just about having backups in place: Organizations need to make sure they have tested plans to continue their operations in the extended absence of IT should an attack be successful, and have a tested plan to rebuild their systems from backups."

So for 12 weeks, UK policymakers and cybersecurity experts will once again debate the effectiveness of potential approaches to disrupting ransomware.

The pros and cons of both sides of the ransomware payment ban debate have been well told by now. Both camps have fierce proponents fighting their corner, although most agree some sort of middle ground will likely be best. The issue is largely driven by what compromises are and aren't acceptable.

Ciaran Martin, the founding CEO of the UK's NCSC, famously opined last year in national news that ransom payments should be banned, with the resulting debate quickly reaching fever pitch.

He argued that many of the arguments against the ban were "terrible," closing the short piece by saying simply: "We have to find a way of making a ransom payments ban work."

Opponents argue that a ban would bring various unintended negative consequences that would worsen the way ransomware is handled. Arguments include victims possibly pursuing other illicit means to compensate ransomware operators or recover their data, which in turn may discourage their engagement with law enforcement.

The standpoint is one that's adopted even at the highest levels, such as the Institute for Security and Technology's Ransomware Task Force.

One of the co-chairs on that task force, security expert Jen Ellis, said in an online debate on the matter hosted by the Royal United Services Institute (RUSI) last year that the idea that policymakers can simply force organizations to become resilient to ransomware "is great but completely disconnected from reality."

She said it's not a case of organizations being too lazy to meet resilience standards, but instead there are "a million and one incentives that operate in the wrong direction." Examples of these include affordability, technical awareness, and maturity.

Another related factor is that criticism has been leveled at the cyber insurance industry for making ransom payments easier, providing organizations with access to liquidity for doing so.

Ellis and Jamie McColl, research fellow at RUSI, both also pointed out that at the time, a small number of US states had banned government departments from paying ransoms with little to no impact on attack frequency.

Although banning ransom payments may seem like the easy one-click solution to ransomware, cutting the crims off where it hurts, ushering in that change won't be an easy feat for the UK government should it choose to go ahead with this.

Nevertheless, the UK's cyber situation worsens with each year. The NCSC's most recent annual review revealed the number of security threats that reached the agency's maximum severity threshold tripled compared to 2023.

The number of nationally significant incidents and cases of ransomware also rose year on year, suggesting the current approaches to combating the crime aren't cutting it.