The National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) have written a joint letter to the Law Society. The letter seeks the Law Society's assistance in stopping solicitors from advising clients to pay ransoms.
The focus of the letter is simple. Don’t pay ransoms, and the nasty people will soon go away. What is interesting here is that the attention is being turned on solicitors and the legal advice they offer.
The letter opens with the joint statement, “In recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid and we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay.
“It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.”
A reasonable request?
On the face of it, the letter is a reasonable request to change how people act. It acknowledges that paying a ransom is not illegal in the UK, merely not condoned by law enforcement. That is an important statement, and it remains the position in the UK for now. Should the position change to a legal ban, there would likely be consequences.
Among those consequences is the likelihood that companies would seek not to disclose an incident. It would drive attacks underground and make detecting and dealing with them even harder.
Importantly, the letter seeks to remind solicitors of the legal situation over sanctions. It states: “While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance – may change that position.”
The problem with that statement is that it assumes the victim or its advisers can correctly attribute an attack. That is something most cybersecurity companies struggle with. Additionally, with Ransomware-as-a-Service (RaaS), it can be hard to know whom you are actually paying.
In effect, therefore, this is a statement intended to use the fear of breaching sanctions to stop payments from being made. To prove that the money breached sanctions, law enforcement would have to prove in court who the eventual recipient was. It is unlikely that they would be able to do so with absolute certainty.
The ICO weighs in on mitigation
The most interesting part of this letter is that from the ICO. It states, “For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.”
It is surprising that the ICO feels it needs to make this statement and reiterate its advice. One would expect anyone offering legal advice to companies to know the ICO's position already. If they don't, one would have to question the validity of that advice.
We know that payment doesn't guarantee the data will be unlocked. Even if it does, there is no proof that the attackers will delete any and all copies. In most cases, they sell the data on, often before even seeking a ransom payment. In fact, that secondary sale is used as a pressure point to make victims pay.
So on what basis are solicitors advising their clients? Who knows? At best, it is a misreading of the ICO's rules. At worst, it risks putting clients in danger. It will be interesting to see how the Law Society responds.
So what is the industry response?
There has been a lot of response from the industry, much of it supporting the request to stop payments. Charl van der Walt, head of security research, Orange Cyberdefense, commented: “If victims keep paying the ransoms demanded of them by cybercriminals, there is no reason to believe that the ransomware crimewave will abate.”
Van der Walt also commented on the role that cyber insurance plays in the payment chain, saying, “because there is no legal barrier to victims claiming ransom payments back on cyber-insurance, they are in some ways being incentivised to pay.” Interestingly, the NCSC and ICO have not targeted the insurance industry in the way they have targeted solicitors.
Meanwhile, Steve Bradford, Senior Vice President EMEA at SailPoint, also joined van der Walt in discussing the need for better controls. “To mitigate the impact of ransomware, organisations across all sectors must implement multiple security controls. Two-factor authentication for all data – including that which is backed up – is a must. So too is regular data backup, preferably daily or weekly, and across different mediums, for example external hard drives, USB sticks and cloud space.
“But to reduce the risk of a breach occurring in the first place, technology like identity security is crucial, in order to manage who has access to what and immediately flag any suspicious behaviour within an organisation.”
Enterprise Times: What does this mean?
To pay or not to pay is a major problem for all companies. Many accept they may not get their data back but often feel it’s worth a try. Whether they do so in the hope of mitigating ICO action is questionable. That solicitors are dispensing this advice is why the NCSC and ICO have made their letter to the Law Society public.
But there is a bigger issue here. Paying the ransom is not illegal, and cyber insurance often provides a level of ransom cover. While we all know that paying won't make the problem disappear, for companies it is about a quick resolution.
What is rightly not being suggested here is that payment should be made illegal. Such a move might reduce the number of payments, but it would not stop them. What it would do is make reporting an incident less likely. The biggest impact would be on understanding the scale of the problem. It would drive the problem underground and create a whole raft of unintended consequences.
The reality, however, is that there is no easy solution here. Companies have invested heavily in technical solutions, many of which overlap with the solutions they already have. The problem, arguably, is that they now have competing, overlapping solutions that exacerbate rather than solve the problem.
How do we solve this? Nobody really has a firm answer that can be shown to be effective. It is, as always, easier to look at this from the sidelines and make suggestions than to produce an effective solution.
What must be kept in mind here, however, is that this letter is not about a solution. It is about fixing what the ICO and NCSC see as bad advice. It will be interesting to see what happens down the line.