Committee Witnesses Favor Resilience Over Bans

The British government should focus on building operational resilience rather than imposing hardline measures such as ransom payment bans, security experts told a parliamentary committee.
The British government floated a ban on public sector and critical infrastructure owners paying out digital extortion money in a January consultation set to run until April 8 (see: Under Discussion: UK Mandatory Ransomware Incident Reporting).
Security experts who testified Monday at a Joint Committee on the National Security Strategy hearing were skeptical that a ban would deter attackers, urging the government to instead focus more on building resilience.
“If you can implement a ban when nobody pays the money, then that would deter from that particular sector, I’m sure, but it does not get rid of the threat actor,” said Sadie Creese, a cybersecurity professor at the University of Oxford. “They will go elsewhere to make their money. So we would be pushing targets onto other potential victims.”
Jamie MacColl, a cyber threat research fellow at the Royal United Services Institute, said a ban would not prevent ransomware attacks but nonetheless supported a ban on ransomware payments by the public sector.
“Will it deter attacks? I think no. Should public sector organizations that use taxpayer money be paying criminals? I also think no,” MacColl said.
“Anything that the government can do to force victims to be a little bit more deliberate about their decision-making around ransom payments would be positive. But ultimately, the goal should be making organizations more resilient in the first place,” MacColl said.
Creese added that for any ransom payment ban to be effective, the government must consider whether victims can continue to operate without paying the ransom.
“In some cases, you may be facing human life risk if those systems cannot continue to operate, so that kind of mechanism will need to be supported by other mechanisms to ensure that those sectors that don’t pay have an ability to continue to deliver service as is necessary, and that those that are not covered by the ban are supported when they are more likely to be targeted,” she said.
The consultation also asked for responses on a proposal that would require victims of ransomware attacks to report the attack to the government within a specific timeframe. Existing law (the UK GDPR) already requires organizations to notify the Information Commissioner’s Office within 72 hours of becoming aware of a personal data breach, but that duty applies only when the incident involves personal data; a ransomware attack that encrypts systems without exposing personal data need not be reported to anyone today.
Committee witnesses testified the success of a mandatory reporting measure will depend on how it’s written.
“It should be around seeking clarity of what the information and what the purpose of that information is,” said Kelly Butler, cyber head at Marsh. “Many times, it wouldn’t be clear to the victims what is happening to their organization within 72 hours. So really careful consideration around the requirement, who would get that information and how to use it would be helpful,” she added.
MacColl added that, in addition to incident reporting, victims should be encouraged to report ransom payment details. The information flow should be two-way, he said. “It can’t just be a black hole where victims put data in and then nothing gets fed back to the community,” MacColl said.