‘Australia is not a soft target’: Cyber ransom payments in firing line

The cycle of companies paying ransoms after being hit by a cyberattack and in turn encouraging more hacking attempts, like the one that stung health insurer Medibank last year, could be broken by a proposal canvassed in a government review to ban the practice.

A review of Australia’s cybersecurity strategy led by former Telstra boss Andy Penn and delivered on Monday asked for feedback on the idea of banning the payment of ransoms to cyber criminals, which the federal government is considering after an industry roundtable.

“When we have an ecosystem where people are constantly paying ransoms then it makes it look like Australia is a soft target, and we are not a soft target,” said Home Affairs Minister Clare O’Neil. “There are many Australian companies that do not pay ransoms and certainly the advice with the Australian government is we would ask you not to do that.”

But paying ransoms is not illegal and a survey conducted by pollster YouGov for the advisory firm McGrathNicol, which is often brought in to deal with cyberattacks, found last year that about 80 per cent of Australian businesses hit by a cyberattack pay a ransom averaging $1 million. In that scenario, the criminals render a company’s network inoperable or steal information and say they will undo the damage only if a payment is made, typically in cryptocurrencies that are hard to trace.

Medibank refused to pay the hackers’ ransom last year and the criminal group made good on its threat of releasing the sensitive data of the insurer’s customers.

O’Neil said the government was open to a range of changes, from banning ransoms altogether to banning most but having limited exceptions or compulsory reporting of payments. “These are all on the table at the moment,” O’Neil said. “What I do know is that we can’t continue as we are today.”

Penn, who led Australia’s largest telecommunications company Telstra until August last year, said companies should only contemplate a ransom in the most extreme circumstances.

“It’s a complex area,” Penn said. “I certainly would be an advocate for saying we should avoid paying ransoms, and we certainly wouldn’t recommend paying ransoms. There are potentially limited circumstances where there are life-threatening situations where maybe a complete ban is not appropriate.”

In one 2021 example, a company called Colonial Pipeline paid a $US10 million ransom to end a cyberattack that had imperilled the transmission of fuel to 45 per cent of the southeast coast of the United States.

“I certainly think you should – and this would be something that we look at as well – disclose whether there’s been a ransomware demand,” Penn said.

The review of Australia’s cybersecurity strategy for 2023 to 2030 also canvassed imposing a duty of confidentiality on Australia’s cyber agencies to stop them sharing information gleaned during a breach with regulators. The measure would encourage businesses to share information with the government during an attack but could also make it harder for Australia’s corporate and cyber watchdogs to hold firms accountable for breaches.

Industry groups including the Business Council of Australia, Tech Council of Australia and Australian Chamber of Commerce and Industry were at Monday’s roundtable in Sydney convened by O’Neil and Prime Minister Anthony Albanese.

The chief executive of the Cyber Security Cooperative Research Centre, Rachael Falk, who was one of the three reviewers along with Penn, said voluntary codes were not enough to make the changes Australia needs. “It is a combination of incentives, bright ideas and, in some cases, regulatory and legal intervention,” said Falk, speaking generally about the cyber problem.
