The UK government has a “strong position” against paying ransomware gangs’ demands, Home Secretary Priti Patel has said.
“Paying a ransom in response to ransomware does not guarantee a successful outcome,” said Patel. “It will not protect networks from future attacks, nor will it prevent the possibility of future data leaks. In fact, paying a ransom is likely to encourage criminality to continue to use this approach.”
Her comments reflect the position held by the majority in the cybersecurity community when advising companies whose computer systems have been infected with file-encrypting malware.
Patel’s comments come as Colonial Pipeline has been forced to shut down its systems in response to a ransomware attack, halting the flow of fuel through its 5,500-mile-long pipe network along the US East Coast.
However, US officials declined to say whether victims should pay ransom to their attackers.
“Typically that is a private-sector decision and the administration has not offered further advice at this time,” Anne Neuberger, deputy national security adviser for cyber, told reporters on Monday.
Speaking at the National Cyber Security Centre’s (NCSC) CyberUK conference on Tuesday, Patel also said the government was launching a formal review of the Computer Misuse Act 1990.
Critics have previously said it is no longer fit for purpose, in part because it can also penalise legitimate security teams scanning for threats.
“The Computer Misuse Act has proved to be an effective piece of legislation to tackle unauthorised access to computer systems and it has been updated a number of times to take account of the changes we now face,” Patel said. “Alongside the act, there is also separate legislation that provides the powers for law enforcement agencies to investigate both cyber-dependent and cyber-enabled crime.
“As part of ensuring that we have the right tools and mechanisms to detect, disrupt and deter our adversaries, I believe now is the right time to undertake a formal review of the Computer Misuse Act. And today I am announcing that we will be launching a call for information on the Act this year.”
She called for “open and honest views” to ensure the legislation is sufficient for the modern cyber landscape.