U.K. Government Targets Ransomware with New Reporting Requirements and Payment Ban


By Lisa Wong


The U.K. government has unveiled a proposal aimed at overhauling its strategy to combat ransomware attacks, reflecting a heightened urgency to confront the growing threat posed by cybercriminals. The Home Office originally presented the plan in January. It includes three major policy shifts, including a requirement for ransomware victims to report breaches and a call to ban ransom payments for public sector and critical infrastructure entities.

The justification for the proposed new reporting requirement is to “empower” law enforcement agencies. It would help them gather the critical intelligence they need to go after the cybercriminals perpetrating this kind of attack. The Home Office envisions that mandatory reporting will facilitate “targeted disruptions in an evolving threat landscape.”

To build on these principles, the U.K. government plans to require victim organizations to notify authorities when they intend to pay a hacker’s ransom. This new rule is on top of their usual reporting requirements. As a whole, this new effort seeks to curb ransom payments, which some critics deride as a form of cyber extortion that allows criminals to operate freely without consequence.

Ransomware experts have broadly praised the new proposals, particularly those that focus on supporting law enforcement’s anti-ransomware work. Allan Liska, a threat intelligence analyst at Recorded Future, shared his thoughts on the importance of these measures.

“I think it is a tacit acknowledgment of what we’ve known for a while: Ransomware operators and their enablers are not confined to Russia and many of those involved are very catchable and, more importantly, prosecutable,” Liska said.

Arda Büyükkaya, a senior cyber threat intelligence analyst at EclecticIQ, was similarly positive about the initiative.

“While it’s unclear whether everything will unfold exactly as written, we’ll see through future developments. Overall, banning ransom payments and actively pursuing perpetrators is a strong deterrent and helps impose real costs on threat actors,” Büyükkaya said.

These proposed changes are just one piece of a larger policy consultation process that started earlier this year. The Home Office’s initial introduction of these key policy changes has set the stage for the U.K. government’s formal response, which marks a significant step toward potential legislative amendments. As laudable as these proposals are, it’s still unclear if they will be written into law.

In the international landscape, Australia has gotten ahead of the curve by passing a law requiring ransomware victims to report any ransom payments they make. The Australian approach stops short of outright banning such payments.

At the same time, governments across the world are facing the overwhelming and increasing threat of ransomware attacks. Against that backdrop, the U.K. is leading the way in adopting a proactive approach with its proposed cybersecurity regulations.