The government is implementing new measures, including mandatory reporting of ransomware incidents, following public consultation. These measures aim to expose, detect, and disrupt criminal networks, protecting the economy and businesses. The British Library’s experience, despite not paying a ransom, highlights the devastating impact of these attacks, as seen also with recent disruptions at major retailers. Simultaneously, the government is also working to streamline other aspects of its national security defenses.
“British institutions to be banned from paying ransoms to Russian hackers” is a move that, on the surface, seems like a straightforward response to a serious problem. It’s the idea that we should be cracking down on the financial incentives that drive these cybercrimes. The simple logic here is that if you stop paying the criminals, you disincentivize them. It’s a common-sense approach, really. Why reward bad behavior?
This ban isn’t just about stopping the flow of money to hackers; it’s also about sending a broader message. Financial support for criminal organizations, especially those with ties to hostile nations, should be a significant crime in itself. The sheer scale of the ransomware economy is astounding, and some of these hacking groups operate with a level of sophistication that rivals legitimate businesses, complete with websites and customer support. This level of organization suggests that they are not just opportunistic individuals, but rather, sophisticated operations that need to be disrupted.
The implementation of this ban, however, isn’t without its challenges. Some might see it as an overreach by the government, interfering with businesses’ ability to manage their own affairs. But, given that Russia is already under sanctions, extending those sanctions to prevent ransom payments to Russia-based entities is quite logical and legally sound. This isn’t about telling businesses what they can and can’t do in a vacuum. It’s about aligning with existing sanctions and protecting national interests.
Now, let’s talk about the practical implications. There are definitely security and usability considerations. Businesses must balance robust security measures with productivity. There’s a real risk that overly restrictive measures could hinder operations. And if you make security too complex, you might end up with employees becoming lax and making careless errors. The idea is to encourage a proactive approach to cyber security, rather than a reactive one based on the potential for paying a ransom.
The reality is that even if you pay the ransom, there’s no guarantee you’ll get your data back or that the hackers will honor their word. They might disappear with the money. This uncertainty highlights the need for a policy-driven approach that removes the emotional response from the equation. While it might seem easier to pay in a specific situation, a blanket ban discourages the incidents from happening in the first place.
This ban isn’t about terrorism. It’s about hacking. The best defense against a ransomware attack is a solid backup. If you have your data backed up, you don’t *need* to pay the ransom. This policy will essentially force institutions to prioritize data backups and robust cybersecurity practices. It’s a pragmatic response to a complex problem.
The policy’s strength lies in its directness and absoluteness. It’s the same reason rules are often black and white. People are not always rational and sometimes, in the heat of the moment, they are tempted to do whatever it takes to make the problem disappear. This policy is designed to make it more difficult for those emotions to come into play.
This is in line with established legal precedents like banning banks from providing services to terrorists. The comparison is apt. Just as you wouldn’t let terrorists access the banking system, you shouldn’t allow ransom payments to criminals that can fund even further criminal activity.
Of course, it’s crucial to address the underlying vulnerabilities. Companies must invest in stronger passwords, training about phishing, and improved security measures in general. If mandating these improvements is considered an overreach, then we’ve got a serious problem. If we are not requiring companies to take reasonable precautions, then we are creating the environment for more problems.
The argument about a “terrorist” taking a daughter hostage is a false analogy in this context. A corporation or institution is not a person, let alone someone’s daughter. Furthermore, if we’re talking about terrorism, making it illegal to pay them isn’t necessarily a deterrent. However, with standard hacks, the incentive not to pay, backed up by sound cybersecurity practices, should prevent the problem.
Finally, we must recognize the human element. Even with the best security in place, there’s always a risk. How many times will Barbara from HR, despite all the cybersecurity training, open that suspicious attachment from the CEO? The solution is not just in the law. It’s in creating a culture of cybersecurity that prioritizes backups and makes it difficult and costly for hackers to succeed. Maybe, paying the IT staff a decent wage might also help.
