Two Labor shadow ministry members have called for a national ransomware strategy, one they say is aimed at reducing the number of such attacks on Australian targets.
In a report [PDF] prepared by Shadow Minister for Home Affairs Kristina Keneally and Shadow Assistant Minister for Communications Tim Watts, Labor declared that due to ransomware being the biggest threat facing Australia, it’s time for a strategy to thwart it.
“Australia needs a comprehensive National Ransomware Strategy designed to reduce the attractiveness of Australian targets in the eyes of cyber criminals,” the report said.
“None of these interventions are silver bullets. But the threat of ransomware isn’t going anywhere soon, and the government cannot leave it to Australian organisations to confront this challenge alone.”
The report pointed to the Australian government’s underwhelming cybersecurity strategy that was published in August.
“[It] rightly identifies that individual organisations have the primary responsibility for securing their own networks against any cyber threat, including ransomware. However, this is far from the end of the story,” the report said.
It also said the government has a range of policy tools that only it can deploy in an effort to reduce the overall volume of ransomware attacks, such as regulation making, law enforcement, diplomacy, international agreement making, offensive cyber operations, as well as the imposition of sanctions.
“While individual organisations will always be primarily responsible for securing their own networks, governments can intervene strategically to shape the overall threat environment in ways that make Australian targets less attractive,” it continued.
One suggestion the report has made is for the Australian government to pursue an approach that seeks to alter the return on investment of ransomware groups that target Australian organisations.
“To do this, it should pursue a range of initiatives designed to increase the costs of mounting campaigns against Australian organisations and to reduce the returns that are realised from such campaigns,” it said.
“The Australian government has tools that it can use to impose costs on ransomware crews that target Australians, including law enforcement action, targeted international sanctions, and offensive cyber operations.”
Additionally, the report said that while Australian law enforcement agencies have been part of some significant international cybercrime cooperation success stories, Australian law enforcement agencies need to be more aggressively and visibly involved in international operations against ransomware operators and pursuing those who target Australia.
It said that in the event where there is no prospect for law enforcement action against ransomware crews, Australia should seek to impose costs on ransomware crews that target Australian organisations by seeking to disrupt their activities through offensive cyber operations.
Labor also believes there is more that Australia could be doing to develop cybercrime prevention programs, such as using existing aid programs to develop diversion programs and developing skilled migration pathways for “young, technically savvy people” in the greater Indo-Pacific region.
Another way the shadow ministers believe the government could seek to reduce the returns of ransomware attacks on Australian organisations is by targeting cryptocurrency exchanges that enable ransomware payments.
“Cryptocurrencies have been a crucial enabling technology for the growth of ransomware by providing a system for the payment of ransoms that is anonymous and outside existing global payments architecture,” they wrote. “The absence of a central organisation controlling cryptocurrencies has made the enforcement of existing ‘know your customer’ anti-money laundering laws far more challenging in this context.”
The report concludes by stating that perhaps the simplest way to reduce the returns of ransomware attacks on Australian organisations is to lift the overall level of resilience of the IT networks of Australian organisations.
Elsewhere, head of information warfare at the Australian Department of Defence Major General Susan Coyle used her appearance at IBM Think Australia and New Zealand on Thursday to say it’s important to patch systems and change passwords frequently.
“First and foremost, we’ve got to accept that there is a risk, thinking that there isn’t a risk makes us more complacent,” she said.