Earlier this year, the UK Home Office consulted on a package of measures to fundamentally alter the UK's approach to ransomware. Summarised as 'prevention, reporting and payments', the proposals included three key measures to deal with threats posed by ransomware.
Following the conclusion of the consultation in April, the Government's policy response has now been published, alongside stakeholder views and key findings. Support for the three proposals was encouraging, although the proposed targeted ban on ransomware payments and mandatory ransomware reporting regime were viewed more positively than the ransomware payment prevention regime.
It is worth restating that the key policy objectives underpinning the proposals are to reduce the financial incentives for ransomware attacks on UK targets, strengthen public sector resilience, increase operational agencies' ability to investigate ransomware actors and enhance the Government's understanding of the threat to inform future interventions.
Unsurprisingly, respondents identified several areas needing further clarification, raising questions about the practical implementation of the measures as currently proposed.
These concerns underscore the need for careful attention on the part of the Government when pressing forward with the central elements of the proposals. More detail is needed to ensure that the measures are effective and that those within scope are able to comply with them.
Can organisations take steps to prepare?
As the proposals develop, it is clear that the involvement of key stakeholders will be crucial in ensuring that final proposals are workable and avoid re-victimising those impacted by ransomware. A large proportion of responses to each of the proposals emphasised that any new regime would need to be accompanied by guidance documents and tailored support, all requiring a considerable amount of preparation.
The Government's response and accompanying ministerial statements do not set out expected timelines for any further developments. However, those organisations and individuals likely to be affected by this shift in ransomware policy should maintain a close watching brief on developments and also reflect on their cyber security generally.
The Home Office statement accompanying the policy responses emphasised that the ransomware proposals are intended to complement general continuity measures in the event of a ransomware attack; offline backups, plans to operate without IT and appropriate strategies for the restoration of systems are all steps that organisations should take.
Organisations should practise good cyber hygiene and continue to be mindful of any recommendations and guidance published by bodies such as the Department for Science, Innovation and Technology and the National Cyber Security Centre.
Finally, the ransomware proposals form part of the Government's wider policy response on cyber security, including the upcoming Cyber Security and Resilience Bill, which will be focused on strengthening the UK's cyber defences and the resilience of digital infrastructure and services.
Proposal 1: Targeted ban on ransomware payments
The proposal would formally recognise the existing self-imposed ban on central government departments paying ransoms and then widen it to include all public sector bodies and all owners and operators of critical national infrastructure ("CNI"). Consequently, local government bodies and CNI owners and operators would be prohibited from making ransom payments to threat actors, in addition to central government departments.
Overall, the proposal received strong support, with a majority of respondents expecting it to act as a deterrent. Further, some respondents suggested that the ban be widened to the whole economy, or targeted at key associates of CNI organisations or the supply chains of those within scope. That said, it was clear from the responses that extra support would be required to ensure compliance, such as clarity on the scope of the ban (e.g. the definition of CNI organisations, and of supply chains if the ban were widened) and on its extraterritorial effect (e.g. where parent companies are headquartered abroad).
The Government noted the complexity of introducing a wider ban, in particular the implications for additional support for those within supply chains. Although the policy response does not settle the point, we do not expect that the final proposal will cover a wider range of organisations than public bodies and owners and operators of CNI.
Proposal 2: Ransomware payment prevention regime
This proposal would cover all potential ransomware payments from the UK. Under this regime, victims would be required to engage with the authorities and report their intention to make a ransomware payment before doing so. A proposed payment could be blocked if it would breach sanctions or terrorism finance legislation.
Given that payments falling within these two categories are already unlawful, it will be interesting to see whether any other grounds for blocking a payment are specified. In any event, the proposal suggests that if a proposed payment is not blocked, the decision on whether to proceed with it remains with the victim organisation.
In general, this proposal received diverse opinions, with no clear positive or negative consensus emerging. It is clear that further development of the plans will be required, but a review of responses provides some perspective on the shape that the final regime may take.
An economy-wide payment prevention regime for all organisations and individuals was identified as the marginally preferred and most effective option. Threshold-based options or regimes excluding individuals were identified as risky due to the possible exploitation of loopholes or criminals altering their methods to target out-of-scope organisations. Some respondents did express concern over the ability of operational agencies to implement an economy-wide payment prevention regime, in particular due to the time sensitivities associated with ransomware.
Regarding the operation of the regime for organisations, the popular view was that the organisation itself (as opposed to a named individual, or both) should be considered responsible for compliance. Furthermore, a majority concurred that any compliance measures ought to be tailored to organisations and individuals according to multiple factors, such as organisational size and type, risk profile and access to resources.
For those who fail to comply with the regime, a similar majority felt this should be approached in the same manner as compliance measures, with any penalties commensurate with the type of victims and their resources.
Proposal 3: Mandatory reporting regime for ransomware incidents
Following Australia recently becoming the first country to introduce a mandatory ransomware payment reporting regime, it is unsurprising that other nations such as the UK are looking to follow suit, particularly in light of recent high-profile incidents involving major retailers.
The UK proposal would require suspected victims of ransomware to provide the Government with an initial report of key details within 72 hours, and an in-depth report within 28 days.
The introduction of a mandatory reporting regime was favoured by respondents over the existing voluntary regime, which was considered to be far less effective at increasing the Government's ability to understand and tackle the ransomware threat.
In terms of the nature of a mandatory regime, an economy-wide model was again favoured over threshold-based options or regimes excluding individuals.
Civil penalties were considered the most appropriate approach to dealing with non-compliance, again tailored to the type of victim. The 72-hour initial reporting period received widespread approval, although some respondents queried whether the initial priority following an attack should instead be containment.
The consultation did question whether the reporting regime should apply to all cyber incidents including phishing and hacking. A large proportion of respondents disagreed.
What next?
As noted above, the Government acknowledged that a number of key issues require clarification, such as the prospect of the targeted ban having extraterritorial effect and the inclusion of supply chains. The financial sector will also need clarity on its potential liability if asked to process potentially illegal payments on behalf of victim organisations (whether under the targeted ban or the ransomware payment prevention regime).
We expect that technical discussions with interested parties will need to be undertaken before updated proposals are published, and we will continue to monitor and report on developments.