Wednesday, 17 February 2021
In its ACSC annual cyber threat report July 2019 to June 2020, the Australian Cyber Security Centre warned that ransomware is now the highest cyberthreat facing Australian businesses and government. Ransomware is malicious software deployed by criminal groups to deny access to an organisation's IT systems and data until a ransom is paid. It's not just Australia battling this threat; ransomware is a global scourge that the world is currently trying to address. Chris Krebs, the former director of the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, recently told the US House Committee on Homeland Security, 'We are on the verge of a global ransomware emergency.' He said that the scale of the problem had become 'truly frightening'.
While the Australian government does not currently collect statistics about this crime, analysis by security firm Emsisoft in 2020 estimated its total annual cost to the nation at a minimum of US$270 million, with a best estimate of US$1.1 billion. According to the ACSC, the volume of ransomware attacks against Australian targets has significantly increased in the last 12 to 18 months as criminal gangs employ increasingly sophisticated organisational models. Australia has recently seen high-impact ransomware campaigns against high-profile targets like Toll Group, BlueScope Steel, Lion, Spotless, Regis Healthcare, law and order agencies and regional Victorian hospitals. The rapidly growing costs of successful attacks on targeted entities in downtime, remediation, ransoms and supply chain interruptions, combined with the growing costs to all organisations of defending themselves against these attacks, are an unsustainable burden on the nation. Ransomware is a jobs and investment destroyer at a time when the nation can least afford it.
The costs of ransomware aren't just financial. Globally, we saw the National Health Service in the UK brought to a halt as a result of the WannaCry ransomware software, resulting in the cancellation of nearly 20,000 medical procedures, and in 2020 we saw what is believed to be the first death as a result of ransomware, in Germany following an attack on a university hospital in Dusseldorf.
Despite this, the Minister for Home Affairs, the responsible policy minister in the government, has not mentioned the word 'ransomware' once in this parliament. All too often, the government's approach has been to play the blame game. The government does some threat sharing and some ad hoc incident response depending on the nature of the target of ransomware attacks, but on the whole the government's position is that organisations need to look after themselves. While individual organisations will always have the primary responsibility for taking the necessary steps to protect their IT systems from cyberthreats, the Australian government does have an important role to play in shaping the broader environment in which ransomware operators identify targets. We need a new approach. It's past time the Morrison government developed a comprehensive national ransomware strategy.
The evolution of ransomware gangs into sophisticated, well-resourced organised crime groups presents both a challenge and an opportunity. The challenge of the emergence of so-called big-game-hunting ransomware gangs is that they carefully research and select their targets to maximise their returns from attacks, and that has increased the potential costs of these attacks, but it has also created a potential opportunity for new strategies aimed at deterring these attacks. Australia needs a national ransomware strategy designed to reduce the attractiveness of Australian targets in the eyes of cybercriminals—a strategy that increases the costs and reduces the returns of campaigns against Australian organisations and sends a message to ransomware gangs that Australian targets are not worth the effort.
Labor has tonight released a discussion paper on such a strategy, outlining a number of potential policies that could be used by government to actively try to stem the growth of ransomware attacks on Australian targets. It includes policy options like a clear framework on offensive cyberoperations against ransomware groups; closing the cyberenforcement gap by increasing the number of international law enforcement actions against ransomware groups; sanctions targeting ransomware groups where enforcement isn't an option; regulation targeting the payment of ransoms and the cryptocurrencies that give these groups anonymity; and strategies to help organisations lift their cyberdefences. In particular, as recommended by the former directors of the US Cybersecurity and Infrastructure Security Agency and the UK National Cyber Security Centre, we need to have a serious conversation about regulating the payment of ransoms by Australian targets.
None of the interventions identified in Labor's discussion paper are silver bullets, but the threat of ransomware isn't going anywhere soon and the government can't just leave it up to Australian organisations to confront this challenge alone. The costs are unsustainable, and the trajectory is unacceptable. It's time the Morrison government actively tackled this threat and developed a national ransomware strategy. When it does, it's time for the government to send a signal to these ransomware gangs, to communicate their strategy to them. The Minister for Home Affairs should lead the way in this regard by coming into this chamber and giving a ministerial statement on the government's approach to tackling the biggest cyberthreat in his portfolio. It's time he addressed the cybersecurity aspects of his portfolio.