Wednesday, 2 June 2021
This week ransomware became a literal barbeque stopper when JBS Foods, Australia's largest meat processor, was paralysed by a ransomware attack mounted by Russian cybercriminals. All beef and lamb kills along the east coast of Australia were cancelled. It might not be immediately obvious, but the meat business is heavily reliant on IT systems for record keeping, regulatory documentation, shipping, labelling and inventory, and doing these things without IT networks is crippling.
JBS has access to backup systems and is doing its best to get back up online quickly, but these attacks frequently cause outages of multiple weeks. The White House is assessing the potential of this attack to cause meat shortages in the country. That's bad news for barbeques around the country but even worse news for the 11,000 people JBS employs in Australia and the thousands that have been stood down indefinitely as a result of this attack. It's a timely reminder of the economic cost of the scourge of ransomware—it's a jobs and investment destroyer when the economy can least afford it.
It has also highlighted the urgent need for the Morrison government to adopt a national ransomware strategy to combat these attacks. This year, 2021, has seen an onslaught of ransomware attacks targeting Australian organisations, which are increasing in scale, including the targeting of the Nine Network and eight hospitals. Since February, Labor has been calling for a comprehensive national ransomware strategy that coordinates government action to reduce the volume of these attacks on Australia, but all the Morrison government does is continue to blame the victims.
Fighting ransomware certainly begins with organisational IT security, but it doesn't end there. As we've seen in the recent international Ransomware Task Force report, a proactive government utilising the levers available to it across policy and regulation, law enforcement, diplomacy and its intelligence capabilities could pursue a strategy to reduce the volume of these ransomware attacks on Australian targets. Labor has been calling for such a national ransomware strategy for months now, and we've set out the kinds of things this strategy could include. But, despite the ongoing, serious attacks and incidents, such as on JBS, the Morrison government continues to refuse to act. The JBS Foods barbeque stopper should be a wake-up call for the Morrison government to finally take responsibility.
As part of such a national ransomware strategy, the Morrison government needs to get serious about using its signals capabilities to disrupt cybercriminals and deter attacks on Australian targets. To date, these ransomware crews have been able to target Australian organisations with impunity. No wonder we've seen these attacks increasing in their scale and frequency. The Morrison government talks tough on cybersecurity, and I note that the new home affairs minister has listed it as a priority for her new portfolio, but what does it actually do? The head of the Australian Signals Directorate said:
Our offensive cyber campaign has only just begun and we will continue to strike back at these cyber criminals operating offshore as they attempt to steal money and data from Australians.
But we heard in Senate estimates earlier this afternoon that, in response to the Nine attack, the Australian Signals Directorate took no offensive operations against those that we know are responsible for the attack. Similarly, it's taken no offensive cyberoperations against any of the crews responsible for the ransomware attacks on Australian hospitals.
In general, the position of the Morrison government is not to tell us or the cybercriminals targeting Australia what they are doing to disrupt them. A secret deterrent is no deterrent at all. As the former head of the UK National Cyber Security Centre, Ciaran Martin, has said, unless statements that we will impose costs on adversaries and take offensive operations against these actors are followed by specific, tangible actions, they risk becoming 'a catchy, useful political slogan devoid of meaning, substance and, consequently, impact'. The Morrison government needs to heed the call of Ciaran Martin. The scourge of ransomware has become an intolerable burden on our nation—a $1 billion annual burden, collectively. It's time that we said enough is enough. It's time to release the hounds on these ransomware crews.
As recommended in the international Ransomware Task Force report, the Australian Signals Directorate should develop a target list of the top 10 ransomware groups targeting Australian organisations and then set about disrupting their command and control infrastructure, their communications platforms and their finances. Ransomware groups should fear the consequences of being added to ASD's targeting list. We need to end the age of impunity for ransomware attacks and teach these ransomware groups that there are consequences for targeting Australian organisations with ransomware attacks and that these attacks are not worth the potential benefits. The Morrison government has left Australian governments, businesses and community groups to combat these international ransomware groups for too long. It's time it took responsibility, did its job and developed a national ransomware strategy. These groups are the modern-day pirates, and it's time we treated them that way.