For the people trying to shield UK companies and infrastructure from cyber attacks, this has already been a year to forget. Some of Britain’s biggest brands — Jaguar Land Rover, Marks and Spencer, Harrods, the Co-op group — have been badly hit. The government is rightly concerned that cyber criminals, who have in the past struck at public bodies such as the NHS and the British Library, will turn their malign attention again to precious national assets.
The Home Office is considering imposing what would be the world’s first legislation barring owners and operators of critical national infrastructure from paying ransoms to hackers. Critics warn such a measure could have severe unintended consequences. It might even present managers with a choice: break the law or trigger the collapse of vital services.
Cyber crime is a vast and growing problem. It is unacceptable that criminals, often operating from another country, should have free rein to extort money from any enterprise, let alone disable the operations of an NHS or a National Grid, endangering lives. But the government should tread carefully.
On the surface, it would be brave of the UK to lead the way here. In domains such as terrorism and kidnapping, collective international determination to resist paying off perpetrators has had partial success. In theory, ransom payments to sanctioned hacker gangs are already outlawed.
But a wider statutory prohibition on payments would go several steps further and might leave the UK marooned on the moral high ground with few allies. Australia has instituted a system of mandatory reporting of ransom payments but stopped short of a ban. The US under Donald Trump has slowed its progress towards broader global co-operation against cyber crime.
Before proposing a ban, the government would need to answer key questions. What constitutes critical infrastructure? How would the law be applied to infrastructure owners based abroad, which could circumvent it by paying the ransom from non-UK sources? If safety valves were put in place, creating targeted exemptions, how would a government avoid puncturing the efficacy of the law? Would politicians be able to resist the temptation to loosen the rules arbitrarily?
Penalising the victims, forcing ransom payments abroad or prompting hackers to divert their blackmail attempts into direct threats to people or property would not achieve the goal of making the country more secure. There are, though, sensible options to bear down on the blackmailers.
The government should push through mandatory reporting of ransom payments, like Australia, to assess the scope and scale of the problem. It could consider distinguishing between ransom payments to criminal gangs that threaten to release sensitive stolen data — which gangs rarely expunge and often sell on even if a ransom is paid — as opposed to those that disrupt critical operations. The government should also build on existing co-operation with insurers to reduce and if possible avoid payments becoming the path of least resistance.
Above all, the rhetoric needs to be underpinned with the means to support improved resilience of critical infrastructure and deal with the consequences of attacks. In January, the National Audit Office pointed out the government would not meet its goal of making “critical functions” resilient to attack by this year. It identified gaps in funding, skills and response planning.
Shoring up protection against attacks and establishing in advance which organisations would merit additional government support, and how to apply it, would help avoid ad hoc decisions by panicked managers and politicians. Hackers like a challenge, but sometimes the best form of defence really is better defences.