
IT industry association techUK has said the Government should not ban public sector organisations from making ransomware payments - but it should set up a ‘one stop shop’ for reporting incidents.
It has set out its position in a formal response to the ongoing consultation on Home Office proposals to deal with the increasing number of ransomware attacks.
Earlier this year, the Home Office indicated that one of the prime measures would be a targeted ban on ransomware payments for all public sector bodies and owners and operators of regulated critical national infrastructure (CNI).
techUK said it shares the ambition to ensure the UK is better protected against ransomware attacks, which are becoming increasingly complex and professionalised. But its own discussions with its members have led to the position that the Government should not implement a ban.
Its reasons include that making payments an offence would impact the victim rather than the criminal, and that it would remove a mechanism that some organisations use to recover from an attack when they feel they have no other means. The latter point could extend the time in which digital systems are down, extending the disruption to key services.
Personal data threat
It could also create disproportionate challenges for particular groups that may lack the resources or expertise to comply, and lead to the leaking of personal information that attackers are able to obtain from the affected systems.
The response also calls for more work to refine the definition of which CNI sectors would fall within the scope of the new law, and says the current voluntary incident reporting regime should continue to be used, with a more structured approach to provide value in the reporting.
To support this, the Government should create a single portal – or one stop shop – for reporting incidents, and outline the next steps to be taken in the event of an attack.
It should also share anonymised threat intelligence using data gathered from incident reporting.
The document adds that any measures should also be aligned with the Cyber Security and Resilience Bill that is expected to be laid before Parliament soon.