UK Lawmakers Unmoved by Calls for Ransomware Payment Ban


Experts Advocate for Resilience Rather Than Ransom Payment Bans


In recent testimony before a parliamentary committee, security experts recommended that the UK government prioritize operational resilience over a ban on ransom payments by public sector and critical infrastructure organizations facing cyber extortion. The advice comes as the UK government runs a public consultation that includes a proposal to prohibit such payments, a measure that has drawn significant debate.

The consultation opened in January and closes on April 8, 2025. The security professionals who testified raised concerns about the consequences of a ban, stressing that it would not eliminate the ransomware threat and could increase the risk to organizations that are targeted. "If you stop one sector from paying, the threat actors will simply shift their focus to other victims," warned Sadie Creese, a cybersecurity expert at the University of Oxford. Her remarks reflect a common concern that banning payments alone does not address the underlying criminal activity.

Jamie MacColl of the Royal United Services Institute was likewise skeptical that a payment ban would deter ransomware attacks. While he supports prohibiting ransom payments from public funds, he acknowledged that such a measure would not stop attacks from happening in the first place. "The focus should really be on strengthening organizational resilience, not just on enforcement against payments," MacColl said.

The experts also set out the complexities of a payment ban. Creese said the government must assess whether victims could realistically keep operating without paying, particularly where operations underpin critical services that affect human safety. The consequences of a ban would vary considerably with the nature of the organization and the relative risks of paying versus refusing.

The consultation also seeks input on a proposed requirement that ransomware victims report incidents to the government within a set period. Under the UK GDPR, victims must already notify the Information Commissioner's Office of breaches involving personal data within 72 hours, but that duty does not extend to every cyber incident. Experts told the hearing that a mandatory reporting regime would succeed only if its requirements were clear and practical.

As the government weighs these measures, the flow of information between victims and law enforcement needs careful design so that it is a two-way exchange rather than a one-sided data dump. Cybersecurity advisers argued for a collaborative model in which victims share ransom payment details and threat intelligence in a form that feeds back into collective defense.
