Millions of pounds of taxpayers’ money has been handed to cyber criminals in recent years, Britain’s security minister said as he unveiled proposals to combat ransomware attacks.
Dan Jarvis also suggested hostile actors could have extorted thousands more from organisations like the NHS without the Government knowing because there is no mandatory reporting regime.
The Home Office on Tuesday launched a consultation on how to crack down on ransomware, with plans to ban all public sector bodies from making payments under consideration.
Proposals also include a mandatory reporting regime and payment prevention system, designed to increase the National Crime Agency’s awareness of live attacks and block payments to known criminal groups and sanctioned entities.
Speaking to broadcasters on Tuesday’s morning media round, Mr Jarvis said cyber criminals based in countries like Russia are “quite literally holding our country to ransom” and warned the problem was “extensive.”
Asked how much public bodies had paid out in recent years, Mr Jarvis said “significant” sums had been handed over, telling Times Radio: “Millions of pounds have been paid.
“It’s a huge problem internationally.”
On how much the NHS had given, Mr Jarvis said: “The truth of the matter is we don’t know the precise figures, because there isn’t a mandatory reporting regime.”
Asked whether that meant that a trust could have paid out thousands of pounds to criminals to get its computers back without the Government knowing about it, he said: “In theory, that is the case, and that’s why we’re looking to change the law to bring in a mandatory reporting regime so we’ve got much more visibility of these kind of activities.
“But fundamentally, this is about putting measures in place that will ensure that we are much less vulnerable to these attacks in the future.
“We are working internationally with our allies as well, but these cyber criminals are incredibly devious in the tactics that they use, but it is the wrong approach for public sector authorities to actually pay these ransoms, because… there’s absolutely no guarantee even if they were to pay the ransom, they get the information that they require.”
Cyber criminals are incredibly devious in the tactics that they use
Security minister Dan Jarvis
The Home Office said the introduction of its proposed scheme would help deter criminal gangs from attacking national infrastructure and public sector bodies such as the NHS, local councils and schools.
Recent targets have included a key supplier to London Hospitals and Royal Mail.
The UK’s National Cyber Security Centre (NCSC) has previously highlighted ransomware as one of the biggest cyber threats facing the country.
NCSC chief executive Richard Horne said: “This consultation marks a vital step in our efforts to protect the UK from the crippling effects of ransomware attacks and the associated economic and societal costs.
“Organisations of all sizes need to build their defences against cyber attacks such as ransomware, and our website contains a wealth of advice tailored to different organisations.”
He added: “And organisations across the country need to strengthen their ability to continue operations in the face of the disruption caused by successful ransomware attacks.
“This isn’t just about having backups in place: organisations need to make sure they have tested plans to continue their operations in the extended absence of IT should an attack be successful, and have a tested plan to rebuild their systems from backups.”