The government’s ransomware payment ban: what are the wider implications?

What are the industry reactions to the UK government's ban on public sector ransomware payments?

Apr 28, 2025 - 07:48
The UK government’s recently announced ban on public sector ransomware payments has received mixed reactions from industry.

With the aim of removing the financial incentives that fuel ransomware attacks and making public sector bodies and critical national infrastructure less attractive targets, the policy marks a significant step in the fight against cybercrime.

But the introduction of this new policy has not come without criticism. While supporters acknowledge that ransom payments reward criminals and fund more crime, others warn that it could lead to negative consequences such as promoting a secondary black market or impacting ransomware reporting.

Cybersecurity is a complex web with no straightforward solution. While it’s positive to see new ideas being explored, industry experts and policy makers must act with caution and consider all possible consequences before implementing measures to address security risks.

Loopholes in the ban

The legislation seeks to prohibit payments from public sector bodies, but organizations may seek out ways around the restrictions to enable the recovery of their services, minimize the financial impact of an attack, or even ensure that their customers' data is not leaked to the world.

One potential loophole is the use of overseas bank accounts or third-party intermediaries to facilitate payments without direct involvement. If I were a firm with offices in the UK and Germany, what’s to stop me using my German entity to pay? Or using a third party that I pay back for ‘security services rendered’? Loopholes will be found that businesses can exploit, meaning the ransomware ban will lose its effectiveness and essentially create an uneven playing field for organizations.

The dilemma of payment

Ransomware already presents an ethical dilemma for CISOs. None want to pay, recognising that payment fuels the continuing cycle of cyber attacks; yet many are hesitant to sign a blanket non-payment policy, fearing that in extreme circumstances they may need to break it to ensure the survival of their organization.

This ban will amplify that dilemma for Chief Information Security Officers (CISOs) and business leaders.

For organizations facing ransomware attacks, the reality is grim: pay the ransom and recover access to critical systems or refuse and risk prolonged service outages and uncontrolled data spills.

Will the government step in to support businesses that suffer from prolonged disruptions? What if they face a stark choice between payment and business survival? And if an organization is responsible for providing life-saving or critical public services, does the government bear some responsibility for ensuring operational continuity?

These are critical questions that remain unanswered.

Impact on intelligence gathering

Another significant concern is the impact on information sharing. If businesses are legally prevented from making ransomware payments, they may choose to mislabel such attacks or avoid reporting ransomware incidents altogether, in order to escape scrutiny or potential penalties and to keep more flexibility in their response.

This could have severe consequences for cybersecurity intelligence. Reduced reporting means a lack of visibility into attack patterns, techniques, and emerging threats – this could inadvertently benefit cybercriminals in the long run.

Bypassing the ban does not come without risk, however. Secretly paying a ransom could drive the emergence of a secondary blackmail market, where attackers threaten to expose victims who choose to pay in secret.

Organizations may find themselves not only negotiating with cybercriminals for data access but also facing extortion threats over the payment itself. This added layer of complexity could lead firms into worse financial situations, all in their attempts to restore their service in the most effective manner.

A roadmap forward

A rigid stance against payment may be ideal in theory, but in practice businesses will demand the flexibility to respond to complex and evolving cyber threats as they see fit, enabling them to manage the risks and issues that follow a cyber attack, such as service restoration and data privacy.

It is clear that firms should be strongly dissuaded from paying ransomware demands; however, what businesses really need is flexibility. As such, the government could embrace a model that permits a controlled path for payment in exceptional circumstances.

Firstly, mandatory reporting of ransomware attacks to a suitable authority should be enforced, regardless of whether a payment is made. This would ensure comprehensive tracking and analysis of ransomware incidents, contributing to a more robust understanding of the threat landscape.

If a firm wished to pay a ransom, this could be permitted, but only with the express approval of the UK government or the National Cyber Security Centre (NCSC). This would keep track of payments and provide oversight of repeat victims who would benefit from resilience improvements.

Businesses should also be required to provide staff with proper training and education around cyber-attacks, ensuring they are ready to react appropriately if an attack occurs.

A measured response is needed

While the government's ban on ransomware payments aims to reduce the financial incentives behind cyberattacks, it also presents several critical issues. Payment dilemmas and impacts on intelligence gathering, for example, must be addressed.

A collaborative effort between businesses and the government, with mandatory reporting, flexible payment options and required training, is needed. By providing the necessary tools, support and a clear protocol for reporting and response, organizations can better navigate the complexities of ransomware attacks.

This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.