Cybersecurity Wonks Find Fault With Home Office Ransomware Proposals

A group of British cybersecurity policy wonks poured cold water on a British government proposal to outlaw ransom payments by government agencies and by regulated operators of critical infrastructure.
The Home Office in January opened a consultation, which closes Tuesday, on legislation that would require mandatory reporting of all payments to ransomware groups and would ban such payments for a limited set of organizations.
But a ban would be unlikely to deal a significant blow to ransomware profits, said the 38 participants of a February workshop convened by the Royal United Services Institute, a London think tank. Attendees included CISOs from critical infrastructure sectors, incident response executives, cybersecurity vendors and insurers.
Nor would a ban be likely to deter ransomware hackers from targeting British organizations, the consensus ran, since ransomware attacks are mostly opportunistic, according to a report based on the workshop.
The government proposal would also require U.K. organizations weighing whether to pay off their attackers to engage with a government authority that would determine whether such a payment would be legal.
“For instance, whether a payment could go to North Korean entities. Once authorization was granted, the victim organization would be able to take its authorization certificate to its chosen ransomware payment intermediary and proceed with the payment,” the report said. Government officials on hand during the workshop suggested the authority would get back to applicants within 72 hours. Some participants said that turnaround would be “too slow” for the fast pace of incident response. Others questioned whether the government could produce an accurate evaluation of an incident within such a short time span.
“A victim going through a cyberattack is going through the most stressful period and they also need to make really informed quick decisions. And the idea that they might not hear from the government in 72 hours about the ransom payment could potentially create issues in terms of that initial response. Those first 24-48-72 hours are so important,” said Verona Johnstone-Hulse, the U.K. head of government affairs at the NCC Group.
A likely outcome, Johnstone-Hulse said, is that the reporting mechanism would create more barriers for victims.
Other stakeholders said the consultation paper lacks clarity on whether they could appeal a negative decision by the government. Attendees also asked the government to sharpen its thinking on how it would penalize non-compliance and how it would address loopholes, such as payments to ransomware hackers arranged from outside the United Kingdom.
“As well as asking will it work, there is also the question of is it fair,” said Jamie MacColl, a senior research fellow in cyberthreats and cybersecurity at RUSI. “To make it fair, particularly for cash-strapped public sector organizations that are part of critical national infrastructure, there needs to be additional funding and technical incident response support for victims who no longer have the resources to recover and pay.”