
British institutions to be banned from paying ransoms to Russian hackers
POLITICO - Tuesday, July 22, 2025
LONDON — Hospitals, local councils and operators of critical U.K. infrastructure are among the organizations who will be banned from paying ransoms to hackers under new plans unveiled by the British government.
The move — which will cover all public sector bodies as well as the owners and operators of critical national infrastructure — comes after years of escalating cyber attacks on parts of the British state.
Many of these attacks on British institutions and infrastructure can be traced back to Russia-aligned hacking groups that are now the subject of sanctions. Estimates from Chainalysis suggest ransomware payments globally generated $1 billion from victims in 2023 alone.
The new measures, which also include the mandatory reporting of all ransomware incidents, come following a consultation in which three-quarters of respondents supported a targeted ban.
Security Minister Dan Jarvis told MPs in a written statement on Tuesday that the government’s ransomware plan will provide “vital intelligence to expose, detect and disrupt these criminal networks” and to “defend the economy and our business we need to break the ransomware business model.”
The government highlighted the case of the British Library — which suffered a cyber attack in 2023 but did not pay a ransom to hackers.
But Rebecca Lawrence, its chief executive, said the library “which holds one of the world’s most significant collections of human knowledge” had its technology infrastructure destroyed by the attack, with users still feeling the impact.
This year has seen an escalation in cyber attacks with luxury retailer Harrods, and high-street names the Co-op and Marks and Spencer all seeing their services disrupted by criminals.
Investment shake-up
While the government is moving to strengthen one arm of its national security operation, it is also seeking to remove what it called “red tape” from other aspects of its defenses.
The Cabinet Office announced Tuesday that it is making changes to its National Security and Investment Act — legislation aimed at safeguarding critical areas of the economy from malign or foreign influence.
These include removing requirements for key businesses to tell the government about internal restructuring changes or alert officials when appointing a liquidator. Pat McFadden, the department’s lead minister, told MPs that the changes “reduce business burdens without exposing the country to greater risk.”
Ministers will also consult on plans to shake up what are defined as key sectors under the legislation to update the importance of areas such as semiconductors and artificial intelligence. The consultation also will look at bringing the water sector under national security legislation.
This would mean that the industry in Britain — which itself is under extensive scrutiny due to debt-laden ownership structures — will have any potential buy-outs, such as those based overseas, escalated to national security experts.
The annual review of the legislation, also published Tuesday, revealed that the government had only blocked one deal out of all those called in for further scrutiny. A further 16 saw a “final order” notice submitted to mitigate risks to national security, which could include stringent conditions applied to an investment deal.