Is it possible for the UK to prohibit ransom payments?
The UK government is proposing a new initiative to combat ransomware attacks, with plans to ban public bodies and operators of critical national infrastructure from paying ransomware demands. This move, aimed at disrupting the lucrative operation of threat groups, has sparked a heated debate within the cybersecurity industry.
The potential unintended consequences of this ban are far-reaching. For instance, public sector bodies such as the NHS, schools, and local councils may face prolonged operational disruption if attacked. This could exacerbate financial and operational risks, and even risks to life, as seen in prior NHS ransomware incidents that contributed to patient harm[1][2].
With the ban in place, organisations might struggle to resolve ransomware attacks quickly, as they lose the option to pay for data recovery. This could necessitate heavier reliance on backups, technical recovery, and cybersecurity incident response capabilities, which are not uniformly strong across organisations[1][4].
Cybercriminals may respond to the ban by escalating their methods, potentially targeting less-protected private sector firms or developing more destructive attacks to coerce payment or cause disruption, shifting the threat landscape[1][4].
The new reporting requirements might also complicate decision-making during high-pressure incident management and add administrative overhead, potentially deterring some firms from paying ransoms even when it might be the least harmful option[1][3].
One rationale behind the reporting and banning of ransom payments is to avoid inadvertently funding criminal groups subject to sanctions, many allegedly based in Russia. However, forcing organisations to forgo ransom payment without effective alternatives risks prolonging disruption and economic damage[3].
The cost of cyber attacks to UK businesses alone, including ransom payments, lost business, and staff overtime, is estimated at £64 billion annually[3]. Prolonged service outages due to the inability to pay ransoms could increase costs to taxpayers and businesses, undermine confidence in public services, and create broader economic ripple effects, especially if critical infrastructure sectors experience downtime[1][2][5].
In summary, while the ban aims to disrupt criminal ransomware business models and protect national resilience, it may also lead to longer outages, increased operational risk, and compliance burdens, and may require stronger incident management capabilities within the affected organisations[1][3][5]. These unintended consequences highlight the importance of supporting ransomware mitigation through enhanced cybersecurity investment and government-industry collaboration to reduce overall harm.
The debate over the effectiveness of the new rules is ongoing, with some in the cybersecurity industry praising the ban as a no-brainer, while others warn it does little to defend businesses from attacks. Jonathan Wright, a partner in the UK data privacy and cybersecurity practice at the law firm Hunton Andrews Kurth LLP, has expressed concern that the ban risks punishing the victims[6].
For businesses not covered by the payment ban, transparency will be key. They will be required to report any intended ransom payments to the government[7]. The IT Pro Podcast is available on Apple Podcasts and Spotify for those seeking more insights on this topic.
[1] [Source 1]
[2] [Source 2]
[3] [Source 3]
[4] [Source 4]
[5] [Source 5]
[6] [Source 6]
[7] [Source 7]
- The ban preventing public bodies and infrastructure operators from paying ransomware demands could lead to increased reliance on technology and cybersecurity infrastructure for resolving ransomware attacks, as organisations may no longer have the option to pay for data recovery.
- As cybercriminals may respond to the ban by targeting less-protected private sector firms or developing more destructive attacks, there could be a shift in the cyber threat landscape, making it crucial for businesses to strengthen their technology, cybersecurity, and infrastructure.
- Businesses not covered by the payment ban will be required to report any intended ransom payment to the government, which highlights the need for a two-fold approach to combating ransomware attacks: a regulatory one and a proactive cybersecurity one.