The Home Office is today opening a consultation on a series of proposals to address the ransomware threat to UK society, and hopes to widen the scope of an existing ransomware payment ban across sectors critical to the functioning of daily life, including the NHS.
Such a ban is already in effect for government departments, but under the new plan being put forward, all public sector bodies, from local councils to schools and the health service, as well as operators of critical national infrastructure (CNI) such as utility providers, would be forbidden from making payments to cyber criminal extortionists.
Describing the proposal as “world-leading”, the government said that cutting the flow of payments would “strike at the heart” of the cyber criminal business model and protect organisations that people rely upon across the UK, helping deliver on its wider Plan for Change.
“Driving down cyber crime is central to this government’s missions to reduce crime, deliver growth, and keep the British people safe,” said security minister Dan Jarvis.
“With an estimated $1bn flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this government’s Plan for Change is built.
“These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate,” said Jarvis.
“Today marks the beginning of a vital step forward to protect the UK economy and keep businesses and jobs safe,” he added.
“This consultation marks a vital step in our efforts to protect the UK from the crippling effects of ransomware attacks and the associated economic and societal costs,” said National Cyber Security Centre (NCSC) CEO Richard Horne.
“Organisations of all sizes need to build their defences against cyber attacks such as ransomware, and our website contains a wealth of advice tailored to different organisations. In addition, using proven frameworks like Cyber Essentials, and free services like NCSC’s Early Warning, will help to strengthen their overall security posture.
“And organisations across the country need to strengthen their ability to continue operations in the face of the disruption caused by successful ransomware attacks. This isn’t just about having backups in place: organisations need to make sure they have tested plans to continue their operations in the extended absence of IT should an attack be successful, and have a tested plan to rebuild their systems from backups,” he said.
Besides a targeted ransom payment ban, the consultation – which will run until 8 April 2025 – will also seek input on a proposal to establish a wider payment prevention regime. This would offer ransomware victims outside the scope of the ban advice and guidance on how to respond to attacks, and would require them to notify the authorities if they intend to pay a ransom. The government also wants to give itself the power to assess potential payments and block them in certain circumstances, such as if they are being made to a suspected sanctioned entity or a known gang.
Alongside this, the Home Office is also seeking views on the implementation of the previously proposed mandatory ransomware reporting regime, which forms a key part of the Cyber Security and Resilience Bill and is set to be introduced into parliament in the near future.
It said these further proposals would help bring ransomware “out of the shadows” and enable bodies such as the National Crime Agency (NCA) and NCSC to maximise their analysis and intelligence-gathering capabilities to better establish the true scale of the ransomware threat, target their investigations and actions, and get out ahead of emerging ransomware operations.
Among other things, the consultation will explore whether these proposals should apply universally or whether a threshold ought to be established.
Deputy director Paul Foster, head of the NCA National Cyber Crime Unit, commented: “We welcome this consultation, which will give businesses a chance to formally input on this important topic.
“Ransomware is the most significant cyber crime threat facing the UK and the world, with attacks costing millions in terms of losses and recovery.
“The number of identified attacks on UK victims is increasing, with those in 2023 double the number of the previous year, so it’s vital that victims report incidents as soon as possible, so they can get the urgent support, guidance and expertise when it’s needed most. The more victims report, the better our ability to tackle the threat,” said Foster.
“We look forward to engaging with this process and supporting efforts to further improve the UK’s cyber security.”
Mixed feelings
Ransomware expert Jamie MacColl, cyber research fellow at the Royal United Services Institute (RUSI) think tank, said he had mixed feelings about some of the government’s suggestions.
“The proposal to mandate reporting of ransomware incidents is sensible and will improve law enforcement’s ability to disrupt criminals. By shining a light on organisations that pay, it may also cause some victims to think twice about paying a ransom,” he said.
“However, I have serious doubts about whether banning ransom payments for specific sectors will stop them being disrupted. Ransomware operators are opportunistic – they do not target specific sectors and so are unlikely to be discerning enough to avoid UK CNI. I’m also sceptical of the proposal about the government authorising individual ransom payments – victims will require government and law enforcement to be uncharacteristically dynamic in responding to requests to make a payment. If the government refuses requests to make a payment, it also raises the question of whether the government will step in to financially support victims who can’t afford operational downtime.”
However, he added, should the proposals make it to the statute books, they would represent the most significant intervention on the issue of ransomware by any national government to date. “The government’s ambition should be celebrated given the UK’s ostrich approach to ransomware and cyber crime over the last decade,” he said.