UK's Computer Misuse Act to be reviewed, says Home Secretary as she condemns ransomware payoffs Priti Patel has promised a government review of the UK's 30-year-old Computer Misuse Act "this year" as well as condemning companies that buy off ransomware criminals. The Home Secretary pledged the legal review in a speech at the CyberUK conference this afternoon, organised by the National Cyber Security Centre (NCSC). "As …
Sadly theres not many choices.
a) Stop storing so many secrets on servers that are open to the whole company. This means that any attack can get to less information.
b) Stop storing so much data - do you REALLY need to store the inside leg measurement of someone who just wants to contact your customer service or apply for a job? If I wanted a bloody account on your server to apply for a job then you should not employ me as I am evidently stupid. What you should do is open up a route for me to submit a CV for a job direct to the person responsible.
c) Switch off known and obvious vulnerabilities - you dont need macros enabled to view a word document.
d) Compartmentalize - its what the terrorist guys do, its what the resistance in France did, in fact it goes back long before that - if people in the office in Vancouver dont have access to information that is only relevant to the guys in London then they cant lose it and cant have it locked.
e) Sort out backups. Yes I understand that some of these attacks manage to set themselves up so your standard copying the files to another disk doesnt help because they too are somehow actually encrypted - so find a route to backing it up into a different file format that you write fresh - e.g. print it to a text file or some such - and then you can just read the text file back into the database - yes it IS slow but hell, it isnt as bad as paying billions.
In order for any of the above to work you need managers that understand IT, you need to pay engineers enough money they actually give a shit about the company. Basing wages in London on what you might be get away with paying an Outer Mongolian goatherd isnt going to get you the people with the skills you need or the enthusiasm to cover your arse.
One thing that really pees me off is buying stuff online and I get to the 'checkout' stage and I have to set up an account with yet another username and password, for a company I will probably never buy from again in the next 5 years. I generally try to find some other supplier. Some companies do have a 'proceed as guest' payment option, which I use, and is welcome, but on the occasions where I've needed to generate an account, what do I do, write down the password or just realise I'm going to forget it in the next half hour anyway?
Yes backups are really useful, but they have to be offline at some time so that the ransomers can't encrypt those as well.
Oh and as for "In order for any of the above to work you need managers that understand IT, you need to pay engineers enough money they actually give a shit about the company." I feel your pain, bro, I feel your pain*.
*Or at least I did until I retired a couple of years ago.
Sorry, RANT OVER. I need a drink.
Or, back up to tape, and regularly (at least once a week) take a full backup tape out of the machine and put it in a safe offsite location.
"Old fashioned" I know, but it works. No-one is going to hack or encrypt a tape that's not in a machine. And if the office is destroyed by fire or natural disaster, you have a backup.
Fancy backup-to-disk tech is great for when someone accidentally deletes a file, but they don't help with ransomware or other major disasters.
Letting you send your CV directly to the hiring manager wastes their time filtering out a lot of people they don't want and removes some of the controls required to assure hiring obeys relevant laws and regulations.
I agree an account shouldn't be required but there are plentiful reasons for routing your application through recruitment professionals within the company first.
Considering who is promising the review, I wonder if there will be prison sentences for typos and floggings for clogging keyboards with pizza crumbs?
Aside from any likely governmental ridiculousness, the act does need an overhaul so this is hopefully going to be a good thing, also including recommendations or standards for in house hygiene may be helpful as a means to go some way towards preventing attacks in the first place.
... and it won't be.
The people in charge need to carry the can for the cock-ups. They aren't shy about (over-)rewarding themselves when things are going (even moderately) well and the customary justification is the enormous burden they have to shoulder. But when the excrement hits the air movement device their shoulders become both even more slopey and virtually frictionless.
The turkeys will be responding to the 'call for information' feeling that they will have made some contribution to an improved act.
What they are likely to discover as the axe is raised over the chopping block, is that none of their views will have contributed and the New Improved Act™ contains whatever the Home Office wanted from the start.
Encryption (or a version of it) may rear it's ugly head at the reveal, not mentioning it now is a good tactic.
It seems like favoring corporations. If ransomware payouts are banned, then criminals will be inclined to hold individuals to ransom with the data they scraped. There was a big scandal in Canada where a healthcare company that stored therapists' notes was hacked and had its database stolen. Their clients subsequently received demands for payment otherwise their information would be published.
Given her past history (look it up), plenty of iffy behaviour (e.g. the Israel stuff) but a quick slap on the wrist (brief sacking, then back in the cabinet) I imagine she feels bulletproof as far as blackmail goes.
Look at the UK cabinet, many have done stuff that would have been instant sacking / resignation back in the day, but they are all still there despite that.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
