Wednesday, 17 June 2020
It was 1989 and the world was experiencing the emergence of HIV/AIDS. Exploiting this moment, an unstable biologist unleashed the world's first ransomware attack; ransomware is malware that holds IT systems hostage by encrypting files until a ransom is paid. Dr Joseph Popp was ambitious. He sent 20,000 infected floppy disks to medical researchers all over the world, ostensibly containing medical discoveries around the syndrome. Instead, the disks contained a virus that, ultimately, seized the victims' computers and presented a digital ransom note demanding the victim send money to an address in Panama. So, strangely enough, ransomware originated amidst another pandemic, but it wasn't used much in the decades since. As recently as 2016 it was considered relatively exotic but, in recent years, fuelled by the rise of cryptocurrencies like bitcoin, it's become an industry driven by well-resourced crime gangs who can scan the world for targets.
In the current COVID-19 pandemic we've seen a tidal wave of phishing lures with COVID themes used to deliver these ransomware payloads. Last year almost 1,000 US government agencies, education and healthcare providers were attacked by ransomware at an economic cost of billions of dollars. As a result of those attacks, 911 dispatch services stalled, medical records were inaccessible and surgeries were delayed. Schools closed, local governments couldn't provide basic services and police couldn't perform background checks. In other words, ransomware endangered essential services, just as it did in 2017 when the WannaCry virus crippled Britain's National Health Service. And it's happening here. Late last year a regional health system in Victoria was affected. In January, Melbourne-based logistics company Toll Group was crippled by ransomware. After a second attack on Toll Group last month, the supply of influenza vaccines was disrupted. Steel manufacturer BlueScope has been similarly hit. And last week it was the beverages company Lion.
While the US has so far attracted the highest percentage of attacks, ransomware is an international industry. But Australia isn't heeding the warning. I asked the Parliamentary Library to compare the number of documents submitted to the Australian Securities Exchange and to the US Securities and Exchange Commission that contained the term 'ransomware' in the calendar year 2019. The result: of the 108,334 documents submitted to the ASX, just 24 contained a reference to ransomware, that's 0.2 per cent. Of the 113,937 documents filed with the SEC, 1,139 contained the term, which is only 0.99 per cent but still orders of magnitude greater than in Australia. These documents included annual reports, including assessments of the risks facing companies, yet ransomware doesn't seem to be on the radar of Australian companies. It's only a matter of time before we see the kinds of groups hit in the US being targeted here, and the unprepared are in for a rude shock.
While organisations must assume primary responsibility for their cybersecurity, government plays a role here too. Individuals have primary responsibility for their personal health, but governments undertake preventative health programs because they understand that chronic disease has costs for the whole community. We need a similar public health mindset for cybersecurity, one that engages at-risk groups and lifts the baseline of cyber-resilience. In the broader context of a potential cyberwar, the Defence department—in a mobilisation review recently disclosed under FOI—accepted that improving our country's cyber-resilience should be a whole-of-nation endeavour, because many of the targets will be civilian businesses or individuals. Contingency planning cannot just occur inside Defence or government silos. We've got a long way to go to realise this, and ransomware is far from the only cyber threat. Yet, in the face of these evolving threats, Australian cybersecurity policy lacks political leadership. There's no longer a dedicated role for cybersecurity in the executive, which means responsibility for cybersecurity is diffused across multiple departments.
When something is everyone's responsibility, it tends to become nobody's responsibility. With this government you can't find a fixed point of accountability. Trying to pin them down on this is like wrestling with a column of smoke. And, despite all of this, the Morrison government's new four-year Cyber Security Strategy is now two months overdue. Despite growing threats, home affairs minister Peter Dutton has left cybersecurity at the bottom of his in-tray. It's been 10 months since the Morrison government began consultations on the new Cyber Security Strategy. Given how quickly things change in cybersecurity, a virtual millennium in hacker years has passed without action. Labor hopes that the new cybersecurity strategy is released very soon, and we hope that it shows the substance and imagination that our national cyber-resilience deserves. Unlike the previous plan, it should include measurable benchmarks, and it needs to name a minister with accountability for delivering change through this policy. We should have learned a few lessons in crisis preparedness by now, but on cybersecurity the government remains detached, ignorant or indifferent. We can't afford to respond to a crisis only after it's happened.