UK moves forward with plans for mandatory reporting of ransomware attacks


The British government’s proposals to overhaul its ransomware strategy reached a minor milestone on Tuesday as the Home Office published its formal response to a consultation on amending the law, but questions remain regarding how effective the measures will be.

Public consultations are a regular part of the British legislative process. In this case, the Home Office set out three key policy ideas to tackle the ransomware crisis and solicited public feedback to justify forthcoming legislation.

The three key policy ideas are a ban on payments by organizations working in the public sector or in critical national infrastructure; a requirement for victims to notify the government before making any extortion payments; and a mandatory reporting requirement so all victims inform law enforcement of attacks.

The formal response published Tuesday, cataloguing feedback for and against the measures, follows a series of high-profile ransomware incidents affecting the country, including several that left multiple high-street grocery store shelves empty and one that contributed to the death of a hospital patient in London.

Despite being billed as part of the government’s oft-mentioned Plan for Change, the proposals are identical to those developed when the Conservative Party was in power — as first reported by Recorded Future News — before Rishi Sunak’s snap election delayed the consultation launch.

Even that proposal in 2024 was late to the issue. Recorded Future News previously reported how in 2022, ransomware attacks were making up the majority of the British government’s crisis management COBR meetings — while successive home secretaries instead prioritized responding to the issue of small boat crossings of migrants in the English Channel. By last year, ransomware attacks on British organizations had risen year-on-year for the past five years.

“The proposals are a sign that the government is taking ransomware more seriously, which after five years of punishing attacks on UK businesses and critical national infrastructure is very welcome,” said Jamie MacColl, a senior research fellow at think tank RUSI. But MacColl said there remained several questions about how effective the response might be.

The RUSI researcher said he was skeptical that the targeted ban — which aims to reduce the incentives for ransomware gangs to attack public sector entities and organizations working within critical national infrastructure — would actually shape attackers’ behavior.

“Ransomware, as the National Crime Agency and National Cyber Security Centre’s own whitepaper makes clear, is largely an opportunistic crime and most cybercriminals are not discerning. Threat actors are unlikely to develop a rigorous understanding of British legislation or how we designate our critical national infrastructure,” he said.

“Given that, I can’t see cybercriminals taking a targeted payment ban into account for their operating models. The move risks making ransomware recovery harder for critical national infrastructure operators without reducing the likelihood they’ll be victimised in the first place.”

New visibility, but no new resources

Notifying the government is intended to contribute to a “payment prevention regime” that would allow the government to intervene in cases where an extortion payment might go to a sanctioned threat actor.

The mandatory reporting requirement should improve the government’s and law enforcement’s visibility over the true scale of the problem facing the country, but MacColl was wary about whether law enforcement would have the resources available to put this intelligence to use.

With the limited funding currently available, law enforcement has managed some successful disruption operations. Last year, the NCA led an international operation to disrupt the LockBit ransomware-as-a-service gang, estimated to have accounted for 25% of all attacks globally before the operation effectively dismantled the gang’s core infrastructure.

At a press event in London, the NCA director-general, Graeme Biggar, acknowledged: “If we had more resources, we’d be able to do more.” To date the government has not committed any additional funding to these disruption operations — despite a growing number of officials urging the government to get on the “forward foot” instead of “absorbing the punches.”

MacColl said: “The proposal to require reporting for ransomware incidents and payments is a positive move, but there are a lot of open questions about how the mechanism will work and what law enforcement will do with the data.

“If the NCA is going to be receiving more information and intelligence reports, then it needs a significant increase in funding. Without that, we will just end up in a situation where law enforcement is unable to process and exploit the additional intelligence it receives. I haven’t seen any indication that the National Cyber Crime Unit in the NCA will receive additional resources,” he added.

Any legislation from the Home Office on tackling the ransomware crisis affecting society as a whole will not be introduced within this parliamentary session. Instead, the government is expected to bring forward another belated reworking of the country’s cybersecurity regulations three years after the previous government had prematurely described those laws as “updated” while failing to actually introduce the legislation.

Earlier this year, the government set out what the Cyber Security and Resilience Bill (CSRB) will include when it is introduced to Parliament. The CSRB, which only affects regulated critical infrastructure entities, is expected to overlap with the ransomware rules by improving cyber incident reporting requirements, but it is not yet clear how it will do so.

MacColl said there were open questions about how joined-up the proposals were: “At present, the scope for what constitutes ‘critical national infrastructure’ is much more limited in the CSRB than in the ransomware consultation.

“In other words, we may end up in a situation where the government is raising cyber resilience in only a small portion of UK CNI while at the same time banning a much broader swathe of operators from being able to improve their ability to recover from a ransomware attack by paying,” he added. “Given it seems inevitable that the ransomware proposals will be legislated, it’s very important how CNI is designated aligns with the CSRB.”
