Ciaran Martin, formerly of GCHQ, has recently called for legislation to make ransomware payments illegal where human life could be put at threat. This comes following a massive acceleration in international cyber-attacks, including, just this month, the Kaseya attack, which The Washington Post is claiming has gone on to impact more than 1,000 companies and counting.
Last month saw the U.S. Pipeline hack, the costs of which have yet to be calculated, an attack on Japanese industrial giant Toshiba, and the catastrophic hack on the Irish Health Service Executive. Martin pointed out that there is legislation in the UK against paying ransom to terrorist organisations, but where criminal gangs are protected by a hostile state, paying is allowed, and this makes no sense.
While Mike Robinson, CEO of specialist cyber security company CyberCrowd and anti-phishing and ransomware (un-caped) crusader, wholeheartedly agrees with Mr Martin, he would argue that we need to go further in the UK.
“We should be calling for legislation that requires any corporation, but in particular any business with a ‘danger to human life’ element, to not only have the controls in place to avoid and protect against ransomware but to be required by law to have independent security auditing, certified and regularly monitored, with all board-level executives held accountable for this testing to be in place.”
The days of ‘it won’t happen to us’ or ‘we are too small to be a target’ are over. Everyone is affected, whether through direct damage done by the hackers themselves, the impact of the shutdown of a larger supplier or client, or the impact on business costs.
Currently, insurance companies are offering to indemnify against these attacks. However, CyberCrowd would argue that this only fuels the sense that this is a ‘victimless crime’ and perpetuates it. In turn, this will price SMEs out of the market as insurance renewals spiral and ransom attacks begin to fall under the ‘price of doing business’ catch-all for hopeless cases.
“At the very least, where payments are made – especially by public or floated companies – there should be forced disclosure, so the situation can be more closely monitored at stakeholder level,” concludes Robinson.