The British government’s proposals to overhaul its ransomware strategy reached a minor milestone on Tuesday as the Home Office published its formal response to a consultation on amending the law, but questions remain regarding how effective the measures will be.

The formal response published Tuesday, cataloguing feedback for and against the measures, follows a series of high-profile ransomware incidents affecting the country, including several that left multiple high-street grocery store shelves empty and one that contributed to the death of a hospital patient in London.

Despite being billed as part of the government’s oft-mentioned Plan for Change, the proposals are identical to those developed when the Conservative Party was in power — as first reported by Recorded Future News — before Rishi Sunak’s snap election delayed the consultation launch. In this case, the Home Office set out three key policy ideas to tackle the ransomware crisis and solicited public feedback to justify forthcoming legislation.

The three key policy ideas are a ban on payments by organizations working in the public sector or in critical national infrastructure; a requirement for victims to notify the government before making any extortion payments; and a mandatory reporting requirement so all victims inform law enforcement of attacks.

“The proposals are a sign that the government is taking ransomware more seriously, which after five years of punishing attacks on UK businesses and critical national infrastructure is very welcome,” said Jamie MacColl, a senior research fellow at think tank RUSI.

Recorded Future News previously reported how in 2022, ransomware attacks were making up the majority of the British government’s crisis management COBR meetings — while successive home secretaries instead prioritized responding to the issue of small boat crossings of migrants in the English Channel.

The RUSI researcher said he was skeptical that the targeted ban — which aims to reduce the incentives for ransomware gangs to attack public sector entities and organizations working within critical national infrastructure — would actually shape attackers’ behavior.

The CSRB, which only affects regulated critical infrastructure entities, is expected to overlap with the ransomware rules by improving cyber incident reporting requirements, but it is not yet clear how it will do so.

MacColl said there were open questions about how joined-up the proposals were: “At present, the scope for what constitutes ‘critical national infrastructure’ is much more limited in the CSRB than in the ransomware consultation.

“In other words, we may end up in a situation where the government is raising cyber resilience in only a small portion of UK CNI while at the same time banning a much broader swathe of operators from being able to improve their ability to recover from a ransomware attack by paying,” he added.

The mandatory reporting requirement should improve the government’s and law enforcement’s visibility over the true scale of the problem facing the country, but MacColl was wary about whether law enforcement would have the resources available to put this intelligence to use.

MacColl said: “The proposal to require reporting for ransomware incidents and payments is a positive move, but there are a lot of open questions about how the mechanism will work and what law enforcement will do with the data.”
This Cyber News was published on therecord.media. Publication date: Tue, 22 Jul 2025 12:30:23 +0000