Campaign welcomes Government proposals on ransomware payments
On Tuesday morning, the government outlined proposals to ban all public sector bodies and critical national infrastructure from making ransomware payments, as well as to introduce mandatory reporting of ransomware attacks.
The Home Office has also launched a consultation to explore the impact of these changes, which have been introduced to meet three main objectives:
reduce the amount of money flowing to ransomware criminals from the UK, thereby deterring criminals from attacking UK organisations.
increase the ability of operational agencies to disrupt and investigate ransomware actors by increasing our intelligence around the ransomware payment landscape.
enhance the government’s understanding of the threats in this area to inform future interventions, including through cooperation at international level.
In response to today’s announcement, Rob Dartnall, Chair of CREST UK, a supporter of the CyberUp Campaign, said:
“We welcome the Government’s focus on tackling the serious threat of ransomware and the damaging impact it poses to UK society. These attacks disrupt critical infrastructure, public services, and businesses and represent a pernicious threat to our way of life that must be stamped out.
In concert with law enforcement, the UK’s cyber security industry plays a pivotal role to uncover threats and share vital intelligence with authorities to protect victims from increasingly sophisticated attacks. However, our cybersecurity professionals are operating with their hands tied. Our research shows that almost two-thirds of cyber professionals believe the Computer Misuse Act 1990 (CMA) — the main UK legislation governing cybercrime — hinders their ability to protect the UK by inadvertently criminalising a broad spectrum of legitimate cybersecurity activities.
To truly empower this collaboration, the UK Government must combine its enhanced incident reporting with an urgent update to its cyber laws, so that threat intelligence professionals can do their jobs without fear of legal repercussions. Until then, the CMA will remain an outdated piece of legislation, preventing our cyber security professionals from defending organisations effectively and leaving us lagging behind peer nations, as the US and EU move to safeguard ethical cybersecurity work as a cornerstone of national resilience. It is time to create laws fit for the digital age.”