The British government has taken a step forward in its efforts to address the escalating ransomware crisis by publishing its formal response to a public consultation on amending the law. This consultation, a standard part of the UK’s legislative process, focused on three key policy proposals: a ban on ransomware payments by public sector organizations and critical national infrastructure entities, a requirement for victims to notify the government before making any extortion payments, and a mandatory reporting requirement for all ransomware attacks. These proposals come in the wake of several high-profile incidents that have severely impacted the country, leading to disruptions in essential services and even contributing to a patient’s death.
Despite being presented as part of the government’s “Plan for Change,” these proposals are not new; they are identical to those developed under the previous Conservative government.
The consultation’s launch was delayed by a snap election, highlighting a broader issue of the government’s slow response to the ransomware threat. For years, ransomware attacks have been a dominant topic in the British government’s crisis management meetings, yet successive home secretaries have seemingly prioritized other issues. This lack of urgency has occurred while ransomware attacks on British organizations have consistently risen year-on-year for the past five years, underscoring the growing and persistent nature of the threat.
While experts acknowledge that these proposals indicate a more serious approach to ransomware, significant questions remain regarding their potential effectiveness.
Jamie MacColl, a senior research fellow at RUSI, expressed skepticism about the proposed ban on payments, particularly for critical national infrastructure. He argues that ransomware is largely an opportunistic crime, and cybercriminals are unlikely to adjust their operating models based on the nuances of British legislation or the designation of critical infrastructure. MacColl believes this measure risks making recovery harder for critical infrastructure operators without actually reducing their likelihood of being victimized.
The proposed mandatory reporting requirement aims to provide the government and law enforcement with a clearer picture of the true scale of the ransomware problem. However, there are serious concerns about whether law enforcement agencies, particularly the National Crime Agency (NCA), will have the resources needed to process and act on this increased intelligence. While the NCA has had successes in disrupting ransomware operations in the past, such as the international takedown of the LockBit gang, its director-general has acknowledged that the agency needs additional resources to expand that work. Without additional funding, experts fear that law enforcement will be overwhelmed by the influx of new data, hindering its ability to proactively counter these threats.
Ultimately, any new legislation from the Home Office to tackle the widespread ransomware crisis will not be introduced in the current parliamentary session. This delay means that a comprehensive reworking of the country’s cybersecurity regulations, which the previous government prematurely described as “updated” three years ago without ever introducing legislation, will again be pushed back. The ongoing postponement of meaningful action raises concerns about the UK’s ability to protect itself from the ever-evolving threat of ransomware.