‘Millions’ in taxpayer money paid to cyber criminals in recent years – minister

Millions of pounds of taxpayers’ money has been handed to cyber criminals in recent years, Britain’s security minister said as he unveiled proposals to combat ransomware attacks.

Dan Jarvis also suggested hostile actors could have extorted thousands from organisations like the NHS without the Government knowing because there is no mandatory reporting regime.

The Home Office on Tuesday launched a consultation on how to crack down on ransomware, with plans under consideration to ban all public sector bodies from making any payments.

Proposals also include a mandatory reporting regime and payment prevention system, designed to increase the National Crime Agency’s awareness of live attacks and block payments to known criminal groups and sanctioned entities.

Speaking to broadcasters on Tuesday’s morning media round, Mr Jarvis said cyber criminals based in countries like Russia are “quite literally holding our country to ransom” and warned the problem was “extensive.”

Asked how much public bodies had paid out in recent years, Mr Jarvis said “significant” sums had been handed over, telling Times Radio: “Millions of pounds have been paid.

“It’s a huge problem internationally.”

On how much the NHS had given, Mr Jarvis said: “The truth of the matter is we don’t know the precise figures, because there isn’t a mandatory reporting regime.”

Asked whether that meant that a trust could have paid out thousands of pounds to criminals to get its computers back without the Government knowing about it, he said: “In theory, that is the case, and that’s why we’re looking to change the law to bring in a mandatory reporting regime so we’ve got much more visibility of these kind of activities.

“But fundamentally, this is about putting measures in place that will ensure that we are much less vulnerable to these attacks in the future.

“We are working internationally with our allies as well, but these cyber criminals are incredibly devious in the tactics that they use, but it is the wrong approach for public sector authorities to actually pay these ransoms, because… there’s absolutely no guarantee even if they were to pay the ransom, they get the information that they require.”

The Home Office said the introduction of its proposed scheme would help deter criminal gangs from attacking national infrastructure and public sector bodies such as the NHS, local councils and schools.

Recent targets have included a key supplier to London Hospitals and Royal Mail.

The Home Office believes mandatory reporting is needed to gain a full understanding of the scale of the problem.

Asked whether the NHS has previously paid ransomware attackers, Downing Street said it did not have details to share about “specific cases” but stressed that the Government had identified the “gap in our armoury” and moved to fill it.

“We already have a range of measures in place to protect the public sector, but clearly this was a gap in our armoury and that’s why we’ve introduced this targeted ban on ransomware payments for public sector bodies and critical national infrastructure,” the Prime Minister’s official spokesman said.

“The point is that we’ve identified this gap in the armoury… part of this will introduce a mandatory reporting regime which will bring ransomware out of the shadows and maximise the intelligence used by the UK’s law enforcement agencies and help guard against these threats in the future.”

The UK’s National Cyber Security Centre (NCSC) has previously highlighted ransomware as one of the biggest cyber threats facing the country.

NCSC chief executive Richard Horne said: “This consultation marks a vital step in our efforts to protect the UK from the crippling effects of ransomware attacks and the associated economic and societal costs.

“Organisations of all sizes need to build their defences against cyber attacks such as ransomware, and our website contains a wealth of advice tailored to different organisations.”

He added: “And organisations across the country need to strengthen their ability to continue operations in the face of the disruption caused by successful ransomware attacks.

“This isn’t just about having backups in place: organisations need to make sure they have tested plans to continue their operations in the extended absence of IT should an attack be successful, and have a tested plan to rebuild their systems from backups.”