
Local council ransomware payment ban will be ‘disaster in practice’

Downing Street understands it needs to catch up with cyber security threats, but will banning public sector authorities from kowtowing to criminal demands work? 

Hospitals, local councils and schools would all fall under the new rules, which essentially extend ‘no terrorist negotiation’ policies to cover malicious digital attacks in which perpetrators hold victims to ransom. Usually, the threat revolves around the theft, encryption, destruction or distribution of data unless a significant sum is paid.

Examples of recent major attacks on public sector organisations include a breach at Synnovis, the company responsible for providing pathology services at a number of NHS London trusts. Across King’s College Hospital and Guy’s & St Thomas’ NHS Trusts, 10,000 outpatient appointments and 1,700 elective procedures were delayed. One death has since been attributed to the incident.

Support for the ban, which was first tabled in January as Labour unveiled its Plan for Change, has been growing in recent months, in part due to the prevalence and severity of cyber attacks. According to Security Minister Dan Jarvis, those responsible for the malicious acts brought in $1 billion globally in 2023 alone.

‘Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on. That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change,’ said Jarvis. ‘By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.’

Public pressure is also growing as a result of data theft and its repercussions. According to an analysis from earlier this year, 30% of individuals who had data stolen via local authority IT infrastructure experienced emotional distress, and one-quarter received no support following the incident.

More recently, a national consultation showed that 72% of respondents now back banning payments from public sector organisations and operators of critical national infrastructure to cyber criminals. A further 68% believe a targeted ban would reduce how much money makes it into the hands of nefarious groups. However, just 60% believe it would deter perpetrators, betraying wider concerns about the practicality of the ban.

‘While banning organisations from providing ransomware payouts sounds good in theory, it is a disaster in practice,’ said Allie Mellen, a principal analyst at the consultancy Forrester. ‘If an organisation is paying a ransom, it is because they have no other option, not because they want to. While it’s unfortunate that ransomware payouts happen, the better effort should be spent on supporting organisations in protecting against these kinds of attacks. We absolutely recommend discouraging paying the ransom, but to ban it outright is unrealistic.’

Image: Ed Hardie / Unsplash
