Industry panel urges govt to adopt clear policy position on ransomware

A telco-heavy industry panel advising the federal government on how to boost the country's cyber defences has urged it to strengthen its ransomware policy as a priority over the next 12 months.

The Cyber Security Advisory Committee made the recommendation in the group’s annual update on Thursday to combat what it described as “one of Australia’s fastest growing threats”.

“The committee recommends… the development of a clearer policy position on the payment of ransoms by organisations subject to ransomware attacks,” the annual report [pdf] said.

The telco-heavy panel includes executives from Telstra, NBN Co, Macquarie Telecom and Fibresense, as well as NAB, PwC and the Cyber Security Cooperative Research Centre. 

It has also asked the government to undertake a “review of cyber insurance regimes to understand their efficacy in mitigating cyber threats”, as well as to develop a series of awareness programs.

The call for a stronger policy position follows a spate of high-profile ransomware incidents that have resulted in payments being made to attackers, including last month’s attack against meat processor JBS Foods.

It also coincides with a Labor proposal for a mandatory ransomware payment notification scheme that would require businesses and government to notify the Australian Cyber Security Centre (ACSC) before paying a ransom.

Shadow assistant minister for cyber security Tim Watts introduced a private members’ bill last month to create a “policy foundation” for a coordinated response to the ransomware threat.

Such a scheme comes recommended by US-based thinktank the Institute for Security and Technology and by former US Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs.

Home Affairs minister Karen Andrews is reportedly “open to exploring” and “already exploring” a mandatory reporting scheme, but believes this process of raising awareness should come first.

Telstra CEO Andy Penn, who chairs the committee, told the National Press Club on Thursday that questions around whether to pay ransoms or not and mandatory notification were “important”.

“Is it illegal or not illegal to pay ransomware [gangs] and should [the government be notified of] a ransomware attack? I think these are important questions,” he said in response to questions after the keynote.

“For operators of critical infrastructure there are already obligations to disclose [malicious activity] to government through things like ... the SOCI [Security of Critical Infrastructure] Act, and that would absolutely capture ransomware.”

Asked whether companies that pay ransoms are helping or hindering the rest of the industry, Penn said that Telstra’s policy is “not to pay ransoms”.

“I can certainly see situations where businesses are tempted to do so. I mean, their whole business livelihood could be at threat from a ransomware attack,” he said.

“But candidly, it’s hard to see how that is ever going to end well if you pay a ransom. Obviously, you’re sending a signal to criminals that that’s something you’re willing to do.

“Criminals talk amongst themselves on the dark web. You’re just as likely to invite a ransomware attack, and there’s no guarantee that you can trust the counterparty that you’re engaging with.

“The best advice is to be well prepared to prevent a ransomware attack… Prevention frankly is much better than trying to solve it after the event.”

Penn added that double extortion – a technique where a copy of the data is stolen or exfiltrated before it is encrypted – made ransom payments even more counterintuitive.

“Even if the victim can restore systems, they have the double jeopardy of crucial and sensitive data being published onto the dark web if the ransom isn’t paid,” he said.

The Australian Cyber Security Centre currently advises organisations not to pay a ransom as there is “no guarantee paying the ransom will fix your devices”.