back to article UK's Computer Misuse Act to be reviewed, says Home Secretary as she condemns ransomware payoffs

Priti Patel has promised a government review of the UK's 30-year-old Computer Misuse Act "this year" as well as condemning companies that buy off ransomware criminals. The Home Secretary pledged the legal review in a speech at the CyberUK conference this afternoon, organised by the National Cyber Security Centre (NCSC). "As …

  1. katrinab Silver badge
    Meh

    I wonder if such a review might lead to a ban on the trade in bitcoins and similar, as they are perceived to be only suitable for use by criminals and scammers.

  2. JDPower666
    Black Helicopters

    Oh no, a review of the act by Darth Pritel? This wont end well

    1. ICL1900-G3 Bronze badge

      If she had a brain she'd be really dangerous.

  3. Dave 15 Silver badge

    Sadly

    Sadly theres not many choices.

    a) Stop storing so many secrets on servers that are open to the whole company. This means that any attack can get to less information.

    b) Stop storing so much data - do you REALLY need to store the inside leg measurement of someone who just wants to contact your customer service or apply for a job? If I wanted a bloody account on your server to apply for a job then you should not employ me as I am evidently stupid. What you should do is open up a route for me to submit a CV for a job direct to the person responsible.

    c) Switch off known and obvious vulnerabilities - you dont need macros enabled to view a word document.

    d) Compartmentalize - its what the terrorist guys do, its what the resistance in France did, in fact it goes back long before that - if people in the office in Vancouver dont have access to information that is only relevant to the guys in London then they cant lose it and cant have it locked.

    e) Sort out backups. Yes I understand that some of these attacks manage to set themselves up so your standard copying the files to another disk doesnt help because they too are somehow actually encrypted - so find a route to backing it up into a different file format that you write fresh - e.g. print it to a text file or some such - and then you can just read the text file back into the database - yes it IS slow but hell, it isnt as bad as paying billions.

    In order for any of the above to work you need managers that understand IT, you need to pay engineers enough money they actually give a shit about the company. Basing wages in London on what you might be get away with paying an Outer Mongolian goatherd isnt going to get you the people with the skills you need or the enthusiasm to cover your arse.

    1. Eclectic Man Silver badge
      Unhappy

      Re: Sadly

      One thing that really pees me off is buying stuff online and I get to the 'checkout' stage and I have to set up an account with yet another username and password, for a company I will probably never buy from again in the next 5 years. I generally try to find some other supplier. Some companies do have a 'proceed as guest' payment option, which I use, and is welcome, but on the occasions where I've needed to generate an account, what do I do, write down the password or just realise I'm going to forget it in the next half hour anyway?

      Yes backups are really useful, but they have to be offline at some time so that the ransomers can't encrypt those as well.

      Oh and as for "In order for any of the above to work you need managers that understand IT, you need to pay engineers enough money they actually give a shit about the company." I feel your pain, bro, I feel your pain*.

      *Or at least I did until I retired a couple of years ago.

      Sorry, RANT OVER. I need a drink.

      1. Mr. Moose

        Re: Sadly

        You also need a password manager. Personally, I like Bitwarden.

        As far as computer crime (see, I didn't say "cybercrime") goes, the bad guys have lots of advantages, chief among which is that we can't send out goons to see that "... they go through some things ...".

    2. Anonymous Coward
      Anonymous Coward

      Re: Sadly

      Or, back up to tape, and regularly (at least once a week) take a full backup tape out of the machine and put it in a safe offsite location.

      "Old fashioned" I know, but it works. No-one is going to hack or encrypt a tape that's not in a machine. And if the office is destroyed by fire or natural disaster, you have a backup.

      Fancy backup-to-disk tech is great for when someone accidentally deletes a file, but they don't help with ransomware or other major disasters.

    3. Cederic Silver badge

      Re: Sadly

      Letting you send your CV directly to the hiring manager wastes their time filtering out a lot of people they don't want and removes some of the controls required to assure hiring obeys relevant laws and regulations.

      I agree an account shouldn't be required but there are plentiful reasons for routing your application through recruitment professionals within the company first.

  4. Chris G Silver badge

    Computer misuse

    Considering who is promising the review, I wonder if there will be prison sentences for typos and floggings for clogging keyboards with pizza crumbs?

    Aside from any likely governmental ridiculousness, the act does need an overhaul so this is hopefully going to be a good thing, also including recommendations or standards for in house hygiene may be helpful as a means to go some way towards preventing attacks in the first place.

    1. Boris the Cockroach Silver badge
      Unhappy

      Re: Computer misuse

      Quote

      " I wonder if there will be prison sentences for typos and floggings for clogging keyboards with pizza crumbs?"

      EEEEKKK no more BOFH stories for me.

      1. Eclectic Man Silver badge

        Re: Computer misuse

        Could be the end of "Who, Me?" as well.

    2. Arthur the cat Silver badge
      Gimp

      Re: Computer misuse

      floggings for clogging keyboards

      Hey, she's got to appeal to the more niche interests of the Tory Party members.

  5. John H Woods Silver badge

    There is literally only one important thing that needs to be done ...

    ... and it won't be.

    The people in charge need to carry the can for the cock-ups. They aren't shy about (over-)rewarding themselves when things are going (even moderately) well and the customary justification is the enormous burden they have to shoulder. But when the excrement hits the air movement device their shoulders become both even more slopey and virtually frictionless.

  6. Pascal Monett Silver badge

    "online child sexual abuse"

    Yes, of course, obviously. You definitely need to mention online child sexual abuse if you want anything computer-related to pass into law.

  7. cantankerous swineherd Silver badge

    got to laugh at people welcoming a review turkeys voting for Christmas. this will be the spooks and cops wet dream come true.

    1. Chris G Silver badge

      The turkeys will be responding to the 'call for information' feeling that they will have made some contribution to an improved act.

      What they are likely to discover as the axe is raised over the chopping block, is that none of their views will have contributed and the New Improved Act™ contains whatever the Home Office wanted from the start.

      Encryption (or a version of it) may rear it's ugly head at the reveal, not mentioning it now is a good tactic.

  8. Anonymous Coward
    Anonymous Coward

    Computer misuse Act

    That that include HMG USB drives left on the 9:13 from Surbiton?

    Asking for a friend

  9. Chris Hills

    Not so sure

    It seems like favoring corporations. If ransomware payouts are banned, then criminals will be inclined to hold individuals to ransom with the data they scraped. There was a big scandal in Canada where a healthcare company that stored therapists' notes was hacked and had its database stolen. Their clients subsequently received demands for payment otherwise their information would be published.

  10. Anonymous Coward
    Anonymous Coward

    condemning companies that buy off ransomware criminals

    it's commendable to preach about other people's behaviour, I wonder how high-pitched her condemnation would be if SHE was hacked and blackmailed by somebody threatening to her to blow up her career, unless she pays...

    1. tiggity Silver badge

      Re: condemning companies that buy off ransomware criminals

      Given her past history (look it up), plenty of iffy behaviour (e.g. the Israel stuff) but a quick slap on the wrist (brief sacking, then back in the cabinet) I imagine she feels bulletproof as far as blackmail goes.

      Look at the UK cabinet, many have done stuff that would have been instant sacking / resignation back in the day, but they are all still there despite that.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021