The Home Office has launched a consultation on legislative proposals for ransomware. The proposals aim to introduce legislation to increase incident reporting and reduce payments to criminals.
Background
The Home Office has launched a consultation on proposals to protect public services from ransomware attacks. In the UK, ransomware is considered the greatest of all serious and organised cyber-crime threats and is treated as a risk to the UK's national security by the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC). In recent years there have been a number of ransomware attacks on the public sector, and councils across the country are increasingly the target.
The Home Office has three immediate and overarching objectives for tackling ransomware attacks:
- reduce the amount of money flowing to ransomware criminals from the UK, thereby deterring criminals from attacking UK organisations.
- increase the ability of operational agencies to disrupt and investigate ransomware actors by increasing our intelligence around the ransomware payment landscape.
- enhance the Government’s understanding of the threats in this area to inform future interventions, including through cooperation at international level.
The consultation response is due at 5pm on 8 April 2025.
A summary of the legislative proposals
1. A targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure (CNI) that are regulated or have competent authorities.
- Central government bodies currently cannot make ransomware payments; this proposal would extend that principle to all public authorities.
- The Home Office is also seeking views on whether essential suppliers to these sectors should be included, extending the current principle so that no publicly funded body can make a ransomware payment.
- The Home Office is also seeking views on what effective and proportionate measures should be put in place to encourage compliance with the proposed ban, ranging from criminal to civil penalties, or other measures that could be used to encourage compliance.
2. A new ransomware payment prevention regime, which would require any victim of ransomware to engage with authorities and report their intention to make a ransomware payment before paying over any money to the criminals responsible.
- After any report is made, the potential victim would receive support and guidance.
- Authorities would review the proposed payment to see if there is a reason it needs to be blocked.
- The information provided through the initial reports, and any further engagement with the authorities, may feed into the intelligence used to support operational activity and contribute to major investigations.
3. A ransomware incident reporting regime, which could include a threshold-based mandatory reporting requirement for suspected victims of ransomware.
- The Home Office is consulting on whether this should be economy-wide or whether it should only apply to organisations and individuals who meet a certain threshold.
- Whichever scope is chosen, the reporting requirement would apply regardless of whether the victim intends to pay the ransom.
What does this mean for local government?
With the increasing digitisation of councils' services and rising global tensions, councils' exposure to cyber-attack has grown, and they have found themselves at the forefront of attacks such as distributed denial-of-service (DDoS) attacks.
The Home Office consultation presents a valuable opportunity for local government to respond to proposals that could deliver significant change to how cyber incidents in the public sector and its suppliers are managed.
Currently there is no legislation in place that criminalises the payment of ransoms by local government, except in the case of funding terrorism. Nevertheless, the LGA is unaware of any local authority paying a ransom, even though the financial impact of ransomware attacks has often far surpassed the original demand, with one incident costing a council up to £12 million. Councils share data and access to systems with various agencies to deliver essential services, and each of these connections is a potential intrusion point that widens the attack surface. It is essential that suppliers are brought within the targeted ban for it to be effective, and for local government to be able to operate in a cyber-resilient market.
The Home Office notes that the additional costs of this policy would fall predominantly on private organisations, since local authorities are already not allowed to use central government funds to pay ransoms. However, as the Home Office highlights, the proposed prevention scheme and reporting regime may bring further benefits for local authorities by decreasing the likelihood of attacks in certain sectors, and possibly displacing ransomware attacks outside the UK entirely, reducing harms to the UK. CNI and the public sector may also benefit from a lower level of ransomware attacks, for example through lower cyber insurance costs, lower data loss costs or lower recovery costs.
Relevant LGA responses and key lines
In previous calls for evidence and responses on the topic of ransomware, such as Ransomware: LGA response to the Joint Committee on the National Security Strategy inquiry (December 2022), the LGA called for legislation to criminalise the payment of ransoms by local government. A well-publicised position of not paying ransoms, backed by legislation ensuring that no one does, reduces adversaries' intent to attack and therefore reduces the cyber risk. This must also be coupled with a clear delineation of financial risk ownership between central and local government and a more effective cyber insurance market for local government.