Former NCSC chief calls for ransomware payments ban, but cyber security experts aren’t keen
The former chief executive of the UK’s National Cyber Security Centre (NCSC) has called for the government to ban organizations from making ransomware payments.
Writing in The Times, Ciaran Martin, who served as the NCSC’s inaugural chief executive, suggested a ban could help put a stop to the ever-increasing proliferation of ransomware, referring to the ‘apparently sanguine attitude’ of British policymakers to cyber criminal groups.
“Ransomware is by far the most damaging cyber threat to most businesses right now. We have to find a way of making a ransom payments ban work,” he wrote.
Martin suggested that any ban would need a better support network for affected companies. However, the lack of such a policy is in part down to the US’ reluctance to introduce a ban amid concerns that it would unreasonably constrain businesses.
Similar concerns have been raised that this could be a particular problem for the country’s hospitals, many of which are in the private sector.
Currently, many governments, including the UK, have a policy that they won’t pay ransoms themselves. In October 2023, 40 countries pledged their support for the International Counter Ransomware Initiative (CRI) as part of an effort to create a more aligned global approach to cyber crime.
Participating nations agreed not to make payments and pledged to share information and create a blacklist of digital wallets being used to deposit and move ransomware payments.
The official advice for UK-based companies is that they should not pay ransoms under any circumstances. The NCSC suggests that even when companies do so, there’s no guarantee that they will get access to their data or systems back; their computers will still be infected, and those who pay are more likely to be targeted in the future.
Across the cyber security community, there are mixed feelings about whether or not a ban should be introduced.
Oliver Norman, vice president for UK and Ireland at data management firm Veritas, said that regardless of a ban, the outcome of incidents will remain the same, with organizations more likely to be targeted in future and given no guarantees of having data safely returned.
“Whether banned or not, paying not only puts a…