UK Government Ransomware Payment Proposals

A UK government open consultation is running from 14th January to 8th April 2025. Its aim is to gather reactions to possible legislation preventing public bodies or critical national infrastructure organisations from paying ransomware demands. These bodies could still pay such demands, but they would be subject to penalties for payment, including possible criminal action. There is already a principle in force that central government departments cannot make ransomware payments. The new proposal would extend similar controls to public sector and critical national infrastructure (chemicals, civil nuclear, communications, energy, finance and similar) bodies.

The evidence is gathered through an online form linked from the proposal page. Kindus took the opportunity to enter our views. This took about 15 minutes to click through. Most of the responses are radio buttons or check boxes. In some cases text had to be entered to explain why we had made certain choices on a previous question. The survey ends with an optional section to input personal data, together with space to enter additional evidence.

It would be possible to fill in the survey anonymously, enter random responses or have a bot fill it all in. Certainly this gives the government an economical means to gather data, although there is no obvious means to judge the quality of that data. A filter could be added after the data is gathered to remove responses that include data that is clearly junk. There are no obvious attempts to check the reliability of data by setting contradictory questions. That sort of approach asks questions on the same topic several times, but might rate the same view high in one question and low in another. This picks up a user hitting the same numbered response on every question. By taking a simpler strategy and basically asking for a yes/no or scale of agreement on each of the proposed articles, a survey does benefit from fewer questions and an increased chance of the user taking the time to answer each honestly instead of rapidly clicking through.

The ransomware proposals are far from becoming law but give some idea of where government thinking is heading. There will be a mandatory system of reporting ransomware attacks and penalties for paying any related demands. If key businesses are not allowed to pay ransoms then there will be less incentive for a criminal to attack and demand a ransom. There will still be the problem of having data or systems locked and no means to pay off a criminal to restore services. With appropriate backups and procedures there is a good chance that some sort of service will be restored, but there is no absolute guarantee: some data or systems may be gone and not coming back.

The proposals consider who will be responsible for any penalties. This could be an organisation as a whole or a specific individual. There could be different approaches depending on the type of business. A problem that is yet to be addressed is that, in the case of public bodies, a government is effectively fining itself. This moves funds from one department to another. If any department’s fine is notably high then it will subsequently be short of funds and central government will have to bail it out again, in effect reducing the original fine.
