Today the UK Government announced its proposal to ban ransomware payments for all public sector bodies and critical national infrastructure, in a bid to increase incident reporting and reduce payments to criminals.
Alejandro Rivas Vasquez, SVP, Global Digital Forensics & Incident Response
“The government is taking monumental steps by proposing to tackle ransomware head on, especially as ransomware attacks are rising to levels never seen before. Last December, we saw the highest ever levels of ransomware attacks on record.
“However, the government is treading a fine line with proposals for a ransom payment ban geared solely towards public sector and critical infrastructure. A blanket ban could place a larger target on sectors not included in the ban, such as manufacturing, which doesn’t currently fall under the scope.
The need to address the complexity of ransomware
“The proposed ban also fails to factor in the different motivations behind ransomware attacks. In geopolitically motivated attacks, which can be launched by nation states, ransomware is a tool to cripple critical national infrastructure and steal sensitive data - money is not the objective. Banning payments would be futile in stemming such attacks - the hackers would already have the data they need.
Providing a digital safety net for small businesses
“While the proposal to mandate reporting of ransomware incidents will no doubt strengthen the UK’s understanding of cyber threats, it is critical that a threshold for applying the requirement is implemented.
Applying a blanket rule to businesses of all sizes is a disproportionate approach and could create unfair administrative burdens that become complex and unmanageable. Instead of a one-size-fits-all approach, we’d recommend the government explore a less burdensome obligation that could be applied to smaller businesses, or focus on incentivising businesses to improve their security posture, rather than punitive action.”
A holistic and nuanced approach to cyber threat is needed
“We have to consider cyber threats that go beyond ransomware too. The government urgently needs to take a more holistic approach to cyber security to make sure laws are fit for purpose to effectively protect the nation. Indeed, the Computer Misuse Act 1990 urgently requires updating so that the UK’s cyber professionals can play their part tackling the range of cyber threats facing the UK.”