Shadow Assistant Minister for Cybersecurity Tim Watts and Shadow Home Affairs Minister Kristina Keneally are calling on the federal government to develop a national ransomware strategy that will make Australian targets less appealing to cyber criminals.
In a discussion paper released on Wednesday, 24th February, the Opposition outlined a number of policy suggestions and strategies that would make the online world safer for Australians and Australian businesses.
“We urgently need a National Ransomware Strategy designed to increase the costs and reduce the returns of ransomware campaigns targeting Australian organisations,” Mr Watts said.
“That’s why [Kristina Keneally] and I have released a discussion paper calling for a National Ransomware Strategy and outlining potential policies to do this.”
Ransomware attackers use malicious software to lock organisations out of their own IT systems and data, which they hold ‘hostage’ until a ransom is paid.
According to the Australian Cyber Security Centre (ACSC), ransomware attacks have grown in both scale and severity over the past 18 months due to the increasing sophistication and targeting abilities of ransomware attackers.
Security researchers have also pointed out that cybersecurity threats have increased during the COVID-19 pandemic as businesses switched over to remote working and started to rely more on multi-cloud technologies.
Manufacturing, healthcare, and government organisations are among the most targeted by attackers who use new and innovative methods to make targets pay, such as threatening to publish an organisation’s confidential information.
Toll Group, Bluescope Steel, Lion, Spotless, Regis Healthcare, Law in Order, and regional Victorian hospitals are some of the high-profile companies and organisations that recently fell victim to ransomware campaigns, although smaller businesses have also been subject to attacks.
Mr Watts said that Australia’s response to ransomware has so far been on a case-by-case basis with the emphasis placed on individual organisations rather than collective government action and policy.
“Instead of dealing with this scourge the Morrison Government’s approach is to play the blame game, telling businesses it’s up to them to harden their defences. The responsible Minister, Peter Dutton, has never even mentioned the word in Parliament,” he tweeted.
“But the government CAN do more to fight these attacks. The sophisticated way ransomware gangs now analyse the ROI of potential targets is an opportunity. As a nation we can seek to reduce the ROI of ransomware attacks on Australian targets and, therefore, the volume of attacks.”
Ransomware strategy outline
The discussion paper says that the Morrison government has a number of tools “that only it can deploy in an effort to reduce the overall volume of ransomware attacks” including regulation making, law enforcement, diplomacy, international agreement making, offensive cyber operations, and the imposition of sanctions.
“None of these interventions are silver bullets. But the threat of ransomware isn’t going anywhere soon, and the government cannot leave it to Australian organisations to confront this challenge alone,” it reads.
“While individual organisations will always be primarily responsible for securing their own networks, governments can intervene strategically to shape the overall threat environment in ways that make Australian targets less attractive.”
Although ransomware attacks are criminal offences under the Commonwealth Criminal Code and are punishable by up to ten years’ imprisonment, prosecutions are rare while the incidence and costs are poorly understood.
“If Australia wants to impose sufficient costs on ransomware crews to deter attacks on Australian targets, we need to put an end to this legal impunity,” it says.
The government will also need to develop greater diplomatic measures and partner with like-minded countries to “aggressively” advance international law enforcement cooperation in order to prevent the emergence of new ransomware groups.
Where law enforcement is not effective, Australia should seek to impose costs on ransomware attackers by disrupting their activities through offensive cyber operations. Recommendations include imposing controls on ransomware payments, cracking down on rogue bitcoin exchanges and hardening network security of public and private organisations.
“If Australian organisations can develop a reputation for being less likely to pay ransoms than targets in other jurisdictions, the return on investment for targeting Australian organisations will fall and so too will targeted ransomware attacks against Australian organisations,” the paper said.
Mr Watts called on Home Affairs Minister Peter Dutton to deliver a Ministerial Statement in Parliament outlining the government’s approach and stressed the need for a dedicated Minister for Cybersecurity who would oversee policy development and implementation.
In August 2020, the federal government announced a $1.67 billion Cyber Security Strategy which seeks to improve cyber resilience in the country over a 10-year period, although it is not clear how it plans to address the issue of ransomware specifically.
The full discussion paper can be accessed here.