Should the UK make payments in response to ransomware illegal? It is an idea that is currently being considered by some US states, and Ciaran Martin, the
former chief executive of Britain’s National Cyber Security Centre, recently told the FT that legislation outlawing payments should be looked at. On the one hand, it would seem an
obvious solution to an increasingly large problem for businesses.
Attacks are on the rise and ransomware continues to evolve to allow cybercriminals to target bigger victims, encrypt more of their networks and as a result demand greater ransoms than ever before. The pandemic has only added fuel to the fire, with experts
believing that the sudden transition to home working for large parts of the global workforce has contributed dramatically to the recent rise in attacks.
But is outlawing the payment of a ransom the best way to prevent the crime from occurring in the first place, or does it really just leave businesses more vulnerable than ever before – potentially stuck somewhere between going out of business or breaking
the law?
The legal position in the UK right now is already not entirely clear. At the moment, if a business is targeted, it is probably legal for it to pay a ransom. It does however depend on who exactly is being paid. The Court of Appeal [1] reaffirmed
this in 2011 when it considered the position in the context of ship owners who paid a ransom to pirates to secure the release of their vessel, cargo and crew. It was confirmed that there was no general public policy argument against the payment of ransoms,
though the Court noted that pirates were not classified as terrorists and the public policy might be different if they were.
This is reflected in the UK’s Terrorism Act 2000, which makes it an offence for an entity to pay a ransom if it knows or has reasonable cause to suspect that the money will or may be used for the purposes of terrorism. Even that is not particularly straightforward
– working out who is actually responsible for an attack is difficult when ‘ransom-for-hire’ services are becoming increasingly common.
Subject to what is known about the identity of the attacker, whether or not to pay a ransom currently ends up being a surprisingly practical, rather than legal, consideration for a UK business. And there is no shortage of practical considerations.
Payment comes with the inherent risk that you identify yourself as a “known payer” and open yourself up to future attacks as a result.
There is also obviously no guarantee that payment of the ransom will result in the return of the encrypted data. In many cases, the type of ransomware used will rely on encryption that will remain unbreakable without the decryption key – no law enforcement agency or private cybersecurity specialist is going to be able to help. When an attack leaves a company unable to service its customers, the risks associated with payment might be preferable to losing those customers and potentially your business. If attacks target critical infrastructure such as hospitals and utility suppliers, the stakes are raised even higher.
It is a threat that is gaining increasing political attention. Those responsible largely act with impunity, and that is a global issue. Leaders at the recent G7 Summit called on states to “urgently identify and disrupt” networks operating within their borders, and hold those responsible accountable for their actions. US President Joe Biden has raised the issue directly with Vladimir Putin on more than one occasion, asking the Russian leader to take action against those carrying out attacks “coming from his soil”. But if international diplomacy efforts fail, should the UK take matters into its own hands and attempt to prevent the crime from occurring by removing the economic incentive?
Experts are divided on whether outlawing ransomware payments would have the desired effect of reducing attacks. The main argument for is the seemingly logical assumption that if you are a UK business and criminals know that UK businesses cannot legally pay
a ransom, those businesses will be less likely to be targeted. Cyber Threat Alliance president and chief executive Michael Daniel told the BBC that
a payment ban would “take some burden off organisations by removing payment as a legal possibility”, as no businesses want to pay a ransom, but currently feel they have no choice.
On the other hand, it could be that a financial penalty for paying a ransom becomes another factor for a business to weigh up when considering the cost-benefit analysis of payment. Alan Melia, principal incident response consultant at F-Secure, explained
to Verdict that if the cost of penalty does not outweigh revenue, then it may still be worth doing – and for situations where the only alternative is to go out of business, then there is little
to lose. Rapid7 community and public affairs vice-president Jen Ellis recently told the BBC that a possibly terrifying consequence of such a law change would be cybercriminals focussing their efforts
towards the types of businesses least likely to be able to deal with downtime i.e. those providing critical infrastructure. Logically, the more potential harm to society, the more pressure there is to pay, whatever the legal consequences.
Others have pointed out the potential enforcement difficulties. Is punishing a hospital that has paid a ransom in order to save lives really in the public interest? Making payment illegal would also lead to businesses covering up attacks and the resulting secret payments – this not only makes them vulnerable to extortion by threat of exposure of the original attack, but also prevents valuable information sharing and data collection.
What the majority of experts do seem to agree on, however, is that if the payment of ransoms were to be made illegal, it is not a step that should happen all of a sudden, and it is certainly not a step that should happen without the Government providing additional support to businesses. What exact form such support should take – i.e. whether it should be technical or financial or both – remains up for discussion, but it is vital that businesses that fall victim are not suddenly left with an even more impossible choice than they face at present.
[1] Masefield AG v Amlin Corporate Member Ltd, The Bunga Melati Dua [2011] EWCA Civ 24