British infosec businesses mostly support beefing up the Computer Misuse Act to directly tackle the ransomware crisis – while reform campaign CyberUp has written to Home Secretary Priti Patel offering “support” for “a renewed, forward-looking framework”.
A number of firms that spoke to The Register expressed firm support for changes to the act that make it easier for law enforcement to pursue and convict ransomware extortionists.
The calls come as the Home Office’s consultation period on changes to the Computer Misuse Act (CMA) comes closer to its end date of Tuesday 8 June. Ministers want to review the 30-year-old act to increase police and Crown Prosecution Service confidence in using the law to pursue and convict criminals who commit “cyber-dependent” crimes.
Industry is broadly supportive of changes targeting ransomware crooks in particular – but also wants to see more safeguards built into the CMA for legitimate tech security researchers.
The popular perception is that the CMA is a roadblock for some forms of infosec research, even though the last decade’s prosecution statistics do not support the idea that gung-ho police are racing around the nation trying to lock up legit security researchers who put a toe out of line.
Crack down on extortionists
Richard Hughes, head of technical cyber security at A&O IT Group, said: “I would fully support changes to the Computer Misuse Act to criminalise the payment of any ransom to cybercriminals as removing the financial incentive is the only way we are likely to see a reduction in ransomware attacks. Whilst this may seem harsh to some who have been affected by ransomware and took the decision to pay the ransom rather than risk the loss of their business, I am sure they would agree that prevention is without exception better than cure in this respect.”
Joining him was Ed Williams, EMEA director of Trustwave’s Spiderlabs research division, who said: “I would hope that the ransomware section is given some teeth and that it would give UK law enforcement the ability to detect, disrupt and deter ransomware actors.”
Yet others were a bit more cautious about using amendments to the CMA to target ransomware gangs specifically without considering their impact on victims who just want their networks and data back.
Paul Prudhomme, head of threat intelligence advisory at threat intel biz IntSights, said he was in favour of harsher penalties for ransomware extortionists but added: “I am, however, wary of criminalising the payment of ransoms by victims, even though authorities and security professionals should strongly discourage ransom payments. Many victims pay ransoms because they have no other way of restoring their files or regular business operations.”
“Another approach,” he offered, “is to provide victims with incentives to find ways other than paying ransoms to restore their files, such as the use of backups.”
Set up a CMA review committee?
Brooks Wallace, EMEA veep of AI malware detection firm Deep Instinct, agreed, telling The Register: “It’s easy to state a policy when you’re not the impacted party. Imagine you are the family of someone in the intensive care unit of a hospital taken offline by a ransomware attack. Think of critical infrastructure providers or banks. At that critical point in time when hours count, you don’t care about principles or policies. You just want the situation to be fixed… prevention is better than cure.”
And others think using primary legislation to tackle specific threats of our time may not be a good idea at all. Raghu Nandakumara, field CTO of US-headquartered cloud security firm Illumio, said the law ought to operate in broad brushstrokes so police and others can be left to focus on the detail.
“My personal opinion is that the CMA’s wording is not low level or focused enough to be talking about specific types of attacks,” said Nandakumara. “Perhaps in the future we’ll see [secondary legislation] introduced that covers ransomware specifically, but the CMA needs to remain generic to ensure it provides that overall air cover.”
On this theme of keeping the law up to date, Deep Instinct’s Wallace added that the CMA ought to be reviewed much more often by a panel of knowledgeable people.
“Thirteen years since the last review is much too long – I’d advocate for a committee of experts to be meeting every 2-3 years at most,” he said. “The range of bad actors and threat vectors is expanding too quickly for an ageing piece of legislation to keep pace. It’s like having a performing rights act that solely references vinyl and cassette use in an age of streaming music.”
CyberUp and TechUK write to Home Sec
Meanwhile, the CyberUp CMA reform campaign has joined forces with TechUK, writing to Home Secretary Priti Patel offering to “be ready to engage with your officials to ensure active industry engagement throughout this process”.
In a letter co-signed by CyberUp leading light Ollie Whitehouse, NCC Group’s CTO, and TechUK chief exec Julian David, the campaigners said: “techUK and the CyberUp Campaign share the desire to see a legal framework in the UK that is best able to assist UK law enforcement in defending the UK from an ever-evolving array of cyber threats, and that supports a thriving and internationally competitive UK cyber security industry.”
The full letter can be downloaded as a PDF. ®