In January 2021, the UK’s Guardian newspaper ran an interview with Ciaran Martin, the founding head of the National Cyber Security Centre (NCSC), who since leaving his post in 2020 has become involved with a number of other ventures, including teaching and startup investment.
In this interview, Martin – who has previously been outspoken over his concerns about ransomware, saying that at the NCSC it had frequently kept him awake at night – said the scourge was now near to getting out of control and highlighted in particular the risk to the NHS and other critical systems during the Covid-19 pandemic.
According to Martin, the ransomware problem is now being exacerbated by victims paying ransoms to their extortionists and then claiming back this sum on their insurance. He described this as an “incentive” that encourages victims to pay to solve their problem quickly.
He told the newspaper it was now time to “look seriously” at changing insurance law to ban payments – or, if not that, to enter into consultation with the industry about how to respond.
The question of whether or not to criminalise the payment of ransomware demands in some form has arisen with increasing regularity in the past 12 months, alongside the rise of ransomware attacks as possibly the most significant cyber security threat faced by the average organisation.
In this light, the fact that one of the UK’s foremost leaders and authorities on security has declared his opinion on the issue is significant. So, is this an idea that the industry is ready for?
Not without precedent
Beyond the world of technology, kidnapping and ransom (K&R) insurance as a concept has existed for a long time and became widespread in the 1960s when terror and separatist groups in Europe began to adopt kidnapping as a tactic.
In the 1980s, Margaret Thatcher proposed banning it, arguing that it left British citizens more at risk of attack and extortion overseas. The debate went all the way to the then European Community (EC) in Brussels, but a ban never made it to the statute books.
Nevertheless, in one country with an organised crime problem, a ban on ransoms and the sale of K&R insurance was implemented: Italy. In 1991, a law was passed that went so far as to freeze the assets and bank accounts of the families of people kidnapped by Mafia groups to stop them from coughing up.
The ban was to some extent successful, although one side-effect was apparently, and unsurprisingly, that reported kidnappings dropped in the statistics, a highly salient point we will return to in due course.
Nevertheless, it establishes that precedent does exist for implementing such a ban to cover cyber crime and engaging with and paying off malicious actors.
Fiona Kingscott, a commercial law solicitor at legal practice Langleys, says the nature of cyber crime makes implementing legal remedies a tough proposition.
“Using ransomware is an offence under the Computer Misuse Act 1990, but enforcing the law is no easy matter. Cyber criminals are hard to detect: they use sophisticated methods to hide their identity and location. Often the crime has a cross-border nature: the criminals may have an IP address in one country, target victims in a second country, and send the proceeds of crime to a third country,” she says.
“Multinational cooperation in enforcement is important, and this can be difficult, as the laws governing the internet vary from country to country. It is an issue if an act in the process is not criminal in one country, but is in another.
“It is difficult to obtain evidence and put a case together. It can also be difficult to establish which the controlling mind of the criminal enterprise is. Furthermore, a computer will often contain legally privileged information, and the process of safeguarding this from disclosure during the evidence gathering exercise adds a lot of extra time onto the action.”
However, despite these difficulties, Kingscott says she is not against the idea at all. “The growth in cyber crime seems undeniable, and must be checked, given the fact that the potential proceeds of this sort of crime are enormous and will feed other crimes, and the risk it poses to businesses and individuals is high,” she says.
“But it is no easy matter to enforce the law, and so other methods of checking the growth of these crimes must be found. I would welcome fines for paying ransoms, as I can see little option.”
Russell Haworth, CEO of Nominet, is in agreement that something needs to change. “Changing the law so that firms can’t claim ransomware payments on insurance would be a smart move to shift how businesses respond to attacks,” he says.
“The easy way out of a ransomware attack should not be paying the ransom, particularly when there is no guarantee that hackers will keep up their side of the bargain and data may still be at risk. The more we perpetuate this cycle, the more fuel it will add to the fire. Cyber criminals will perhaps even become bolder in their approach, searching for higher value targets in critical industries like healthcare or energy,” he says.
Time for a conversation
Erin Kenneally, director of cyber risk analytics at Guidewire, and previously a staffer in the US Department of Homeland Security’s cyber division, says dialogue is needed to disincentivise both the supply-side and the demand-side for ransomware payments – banning insurance payments would evidently fall under the former approach. She also highlights that current light touch interventions for ransomware have been shown to be ineffective.
“The US, for example, has issued an Office of Foreign Assets Control [OFAC] advisory on the sanction risks of paying ransoms and a FINCEN Advisory on reporting ransomware red flag indicators. To date, there have been no civil penalties levied against victim companies, insurers or response firms for paying or facilitating the payment of cyber extortion,” she says.
“In a nutshell, since the ransom is often lower than the cost of recovery, business interruption and lost business – the convergence of which can spell financial death – many victims and insurers simply pay the ransom and risk sanctions.
“As a result, insurers have taken a rational economics approach to ransomware payments, leading to a growing sentiment that the industry is worsening the problem by paying extortions.”
Kenneally says legislative action can be an effective means of forcing systemic change and ending the case-by-case, discretionary approach by insurers and victims – a recipe for ransomware whack-a-mole if ever there was one.
“While on an individual policy level it may be rational to pay extortionists, when viewed in the cumulative and long term, the current approach likely encourages ransomers and arguably other bad actors whose profits stem from crypto market price increases,” she says.
“Combined with the loose legal framework that can discourage payment transparency by victims, we have the high-reward/low-risk environment that likely predicates terrorist and state-sponsored actor affairs. So, there are non-trivial collateral implications for continuing the current payment dynamic.”
Charl van der Walt, head of security research at Orange Cyberdefense, is also ready for the conversation. “It’s absolutely essential that we have this discussion,” he says. “But what is less clear is whether making it illegal to yield to the demands of hackers by paying a ransom is really the right solution. It is something that remains highly contentious.
“There are still question marks over the true benefits of criminalising ransomware payments. We’re talking about a harsh response to a prolific problem, but if the threat of ransomware continues to rise, we may have no other choice. Unfortunately, this would undoubtedly result in business casualties in the short term. It’s a question of ripping off the plaster to heal the wound.
“On the flipside, there is some precedent for this kind of approach, given how it has worked in other contexts. However, cyber space is highly unregulated, and cyber criminals are responsive and agile, so it would be very bold indeed to assert that such a response on its own would be enough to eliminate the threat.”
Balanced and pragmatic
Guidewire’s Kenneally adds that any legal mechanism will need to be carefully balanced to ensure it is fair and equitable. For example, it will need to account for extenuating circumstances where human life is at stake, such as in an attack on a hospital.
“We should be careful that those least able to sustain a ransomware attack aren’t also the entities hardest hit by criminalising payments. As well, since legislation often operates on long time horizons and this problem may demand more immediate responses, we should consider other interventions. For example, the insurance industry can act on its own and take a policy stance to refuse payment, barring defined, exceptional circumstances that threaten life and safety.
“This would be a whole-of-insurance, self-regulatory approach that establishes a ransom non-payment policy. This is already being embraced on the victim-payer side; more than 225 US mayors signed on to a resolution not to pay ransoms to hackers,” she says.
“It can be implemented by insurers by leveraging traditional compliance clause provisions, such as excluding payments that are subject to existing regulatory restrictions or freezing policy benefits subject to government oversight of sanctions violations compliance.”
Matt Lawrence, F-Secure director of detection and response, takes a similar line: “It is critical that we approach this subject pragmatically. Is it acceptable for an organisation to risk serious impact that could lead to a material impact on the livelihoods of the people that depend on it, based on a catch-all policy that doesn’t take into account the complex environment organisations operate in?”
Lawrence proposes that instead of an outright ban, the law acts instead to better assist the insurance industry in supporting ransomware victims.
“Insurance has a key role to play in mitigating risk,” he says. “Rather than penalising businesses for attempting to save themselves, a progressive policy that acknowledges the challenge and focuses on supporting organisations to do the right things up front through preparing adequately for compromise, for example, would have a much broader impact on this problem.
“Let’s remove the taboo connected with being compromised, and help organisations to improve to the extent where extortion becomes an unviable business for the criminals,” he says.
Criminalisation brings new risks
But there is a powerful – and, for many, persuasive – argument that to enact an outright ban on facilitating such payments merely serves to change the nature of the risk faced by organisations, as Patrick Arben, partner at law firm Gowling WLG, points out.
“The obvious problem is that if it becomes unlawful to pay up then that could stifle the availability of insurance. When I’ve acted on ransomware attacks, the amounts demanded are relatively modest to encourage people to pay. If the victim refuses to pay because it’s unlawful then the impact on their business could be catastrophic,” he says.
If insurers are made to exclude liability for ransomware attacks from their cyber risks and PI policies, Arben says businesses will be left exposed with no effective remedy because they cannot pay and they cannot insure themselves to mitigate against the costs of not paying.
“Granted, this might lead to the decline of ransomware attacks over time, but the collateral damage to business in getting there could be severe,” says Arben.
Bharat Mistry, technical director of Trend Micro UK, says: “On the face of it, criminalising ransom payments could look like it’s working, but in reality organisations will look to cover up any cyber breaches by citing service outage due to something like a hardware problem.
“It’s not an effective strategy, as enterprising cyber criminals will always innovate and adapt to the changing environment and will follow the money. I can see victim organisations in desperation looking to use discreet underground money laundering services for payment.
“The biggest problem I see is how the government will enforce such legislation and make it fair. It also makes you question what would happen to the cyber insurance market, which is very lucrative at present,” he adds.
A&O IT Group head of technical cyber security Richard Hughes agrees: “We can, of course, consider legislation banning the payment of ransoms, and this would almost certainly have a positive effect, but in some cases, it will simply push the problem into the shadows as organisations left with no options other than to pay or fold may choose to ignore any law and take the only action possible to survive,” he says.
Sounds familiar? The Italians had the same problem with their kidnapping statistics.
Is technology the real solution? Arguably so
Absent any formal legal remedies, the optimum scenario for any organisation is to avoid becoming a victim of ransomware to begin with, as Adam Palmer, chief cyber security strategist at Tenable, points out.
“Government policy should encourage the basic cyber hygiene practices that harden systems and avoid ransomware attacks,” says Palmer. “Known vulnerabilities continue to be the favourite attack methodology for even advanced attackers. User awareness, malware detection, system backups and strong vulnerability management can all significantly reduce the likelihood of harm from a ransomware attack.”
A&O’s Hughes adds: “While I would support a ban on the payment of ransoms, prevention is always better than cure. Organisations must consider their security posture and take steps to mitigate the vulnerabilities that lead to ransomware attacks. Regular vulnerability analysis and penetration testing should be encouraged and legislation to enforce assessment for organisations meeting certain criteria should also be considered.”
Guidewire’s Kenneally also makes the argument for better security controls. “While there’s no silver bullet, there are known-knowns, basic blocking and tackling that can significantly decrease ransomware risk exposures,” she says.
“These include recoverable system and data backups, ensuring that RDP [remote desktop protocol] ports and services are not openly exposed to the internet, maintaining updated software patches for VPNs and appliances that provide entryways to corporate networks, implementing email fraud/social engineering controls, and using multifactor authentication to harden IAM [identity and access management].
“These risk prevention controls are the direct responsibility of corporate policyholders, yet cyber carriers on the whole have done little to incentivise their adoption,” she notes.
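The controls Kenneally lists (exposed RDP, patch currency on VPNs and edge appliances, MFA on identity and remote-access services, and recoverable backups) can be turned into a repeatable check rather than a checklist. The script below is an added example written for this article; it is not code from Guidewire, Tenable or any firm quoted here. The inventory format, the role names, the thresholds (30 days for edge patches, 7 days for backups) and the sample hosts are all assumptions constructed for the illustration, standing in for what an external port scan, patch-management system and backup tool would report.

```python
"""Added example: audit a constructed host inventory against the basic
ransomware-hygiene controls named in the article.  Field names, role
labels and thresholds are assumptions for this illustration, not the
output format of any real product."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Thresholds are assumptions chosen for this example, not figures from the article.
MAX_EDGE_PATCH_AGE_DAYS = 30    # VPN gateways and appliances that are entry points
MAX_BACKUP_AGE_DAYS = 7
EDGE_ROLES = {"vpn", "firewall"}
IAM_ROLES = {"vpn", "idp"}      # services where MFA hardens identity and access
RDP_PORT = 3389


@dataclass
class Host:
    name: str
    role: str                                   # "server", "workstation", "vpn", "firewall", "idp"
    exposed_ports: set[int] = field(default_factory=set)   # ports reachable from the internet
    patch_date: date | None = None              # date the last patch set was applied
    mfa_enforced: bool = False
    backup: dict | None = None                  # {"last_ok": date, "restore_tested": bool, "offline_copy": bool}


def audit_host(h: Host, today: date) -> list[str]:
    """Return the control gaps found on one host (an empty list means none found)."""
    gaps: list[str] = []

    # 1. RDP must not be reachable from the internet.
    if RDP_PORT in h.exposed_ports:
        gaps.append(f"{h.name}: RDP ({RDP_PORT}/tcp) exposed to the internet")

    # 2. Edge devices (VPNs, firewalls) must be on a current patch level.
    if h.role in EDGE_ROLES:
        if h.patch_date is None or (today - h.patch_date).days > MAX_EDGE_PATCH_AGE_DAYS:
            gaps.append(f"{h.name}: edge device not patched within {MAX_EDGE_PATCH_AGE_DAYS} days")

    # 3. Remote-access and identity services must enforce MFA.
    if h.role in IAM_ROLES and not h.mfa_enforced:
        gaps.append(f"{h.name}: MFA not enforced on {h.role}")

    # 4. Servers need a recent, restore-tested backup with an offline copy; a
    #    backup that is encrypted alongside the live data is not "recoverable".
    if h.role == "server":
        b = h.backup or {}
        last_ok = b.get("last_ok")
        if last_ok is None or (today - last_ok).days > MAX_BACKUP_AGE_DAYS:
            gaps.append(f"{h.name}: no successful backup within {MAX_BACKUP_AGE_DAYS} days")
        if not b.get("restore_tested", False):
            gaps.append(f"{h.name}: backup restore never tested")
        if not b.get("offline_copy", False):
            gaps.append(f"{h.name}: no offline/immutable backup copy")

    return gaps


def audit_inventory(hosts: list[Host], today: date) -> dict[str, list[str]]:
    """Audit every host and return a name -> gaps report."""
    return {h.name: audit_host(h, today) for h in hosts}


def total_gaps(report: dict[str, list[str]]) -> int:
    return sum(len(gaps) for gaps in report.values())


# Constructed sample inventory; the date and all values are made up for this example.
TODAY = date(2021, 1, 20)
INVENTORY = [
    Host("fileserver01", "server", exposed_ports={3389}, patch_date=date(2021, 1, 5),
         backup={"last_ok": date(2020, 12, 20), "restore_tested": False, "offline_copy": False}),
    Host("vpn-gw01", "vpn", exposed_ports={443}, patch_date=date(2020, 10, 1), mfa_enforced=False),
    Host("idp01", "idp", patch_date=date(2021, 1, 15), mfa_enforced=True),
    Host("ws-alice", "workstation", patch_date=date(2021, 1, 18)),
]

if __name__ == "__main__":
    report = audit_inventory(INVENTORY, TODAY)
    for host, gaps in report.items():
        print(host, "OK" if not gaps else "")
        for gap in gaps:
            print("  -", gap)
    print("total gaps:", total_gaps(report))
```

Run as-is, the constructed inventory reports four gaps on the file server (exposed RDP, stale and untested backup with no offline copy), two on the VPN gateway (unpatched for over 30 days, no MFA) and none on the identity provider or workstation. Feeding the same checks from real scan and patch data is where the value lies: the gaps it flags are exactly the entry points and recovery failures that turn an intrusion into a ransom decision.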
Additionally, she concludes, improving attribution and enforcement against bad actors may disincentivise the demand-side of the problem by making it harder to carry out the attacks that leave victims and insurers with the “Hobbesian choice” of whether to pay and feed the beast, or to refuse and suffer serious damage.