Ex-NCSC head calls for criminalisation of ransomware payments

Ciaran Martin has urged the UK to take the lead and claimed that only ‘terrible arguments’ have thus far prevented a formal ban on acquiescing to the demands of cybercriminals

The founding leader of the UK’s National Cyber Security Centre has called on the UK government to take the lead in passing legislation to criminalise the act of paying a ransom demanded by cybercriminals.

Ciaran Martin, who was chief executive of NCSC for the first four years after its creation in 2016, claimed that the failure to create such laws means that perpetrators are often “rewarded and incentivised” for acts of crime, terror, or warfare. In a piece written for The Times, he pointed to research from security vendor Proofpoint that found that 82% of UK ransomware victims pay the money demanded by attackers – compared with a wider global figure of 58%.

The ex-NCSC boss claimed that several factors have previously got in the way of outlawing these payments, including a reluctance on the part of US legislators which discourages other countries from taking a different approach. The suggestion that prohibiting payments could push victims to deal with attackers via unregulated channels is another of various “terrible arguments” that have previously been made against a ban, according to Martin.

The former intelligence chief asked whether “company directors [will] really knowingly break the criminal law?”, adding that other reasons for allowing firms to make ransom payments are “falling apart”. Martin cited the example of the 2022 hack of health insurance company Medibank, in which highly sensitive information related to a significant proportion of Australian citizens was compromised but, when the data was published by attackers, “it was suppressed by law enforcement and the media and no harm was done”.

Although it has stopped short of a ban on ransomware payments, the government recently announced that no Whitehall agency has ever paid a demand, and pledged that this will remain the case. The announcement of this policy, which was jointly made by the governments of 46 member states of the global Counter Ransomware Initiative, came alongside a call for all public bodies to adopt a similarly staunch stance.

“We will not tolerate the extortive actions of these cyber criminals who too often act with seeming impunity,” said a joint statement from the countries, which was also undersigned by international law-enforcement agency Interpol. “Therefore, we strongly discourage anyone from paying a ransomware demand. Each of us intends to lead by example. We have reached consensus that relevant institutions under the authority of our national government should not pay ransomware extortion demands.”

Sam Trendall
