The Federal Government’s apparent appetite to compel companies to report when they pay a cybersecurity ransom for the sake of information collection could be Australia’s best chance of materially stamping out bad cyber practices. The question is when and how they do it.
Recently, former Home Affairs Minister Clare O’Neil indicated that the government would seek to bring legislation to parliament in these most recent sitting weeks that would force companies to spill the beans when they cough up the dough.
It should be stressed that O’Neil made it clear this was not a case of victim blaming. The identities would not be passed on to the authorities. This is about collecting data so the government could get a better handle on the size of the problem. This helps shape the urgency of the goals within the 2023-2030 Australian Cyber Security Strategy.
This is all welcome. But the last weeks of parliament have come and gone, seemingly without the legislation being put forward. This is perhaps not surprising given there’s been a changeover in the ministerial lineup, but industry is still keen to learn when this new measure will be implemented, given that progress towards our 2030 goals is slow.
There is also the question of how. From the government’s messaging, it is still unclear to us whether these statistics would be used publicly to give Australian business a sign of how bad the problem is at a national level.
At the moment, there’s a certain amount of game theory that goes into the calculations of paying a ransom. If the size of the ransom is less than the cost of disruption to the business, the incentive to pay the ransom will always be difficult to ignore, especially as ransomware becomes part of the furniture. It’ll just be added to the list of things we consider ‘the price of doing business’.
As the government’s Strategy document lays out, paying a ransom during a ransomware attack is discouraged because it doesn’t guarantee the safe return of your data. This is compelling, but it’s clearly not a dealbreaker.
The Strategy further points out that there’s an externality for every ransom paid. The more we all pay, the more ransomware actors target our country, which in turn increases the payments. It’s a vicious cycle that must be slowed down at every point.
The Australian government has done a good job gently preparing the public for the reality that cybersecurity incidents are a permanent fixture of our digital lives. What we can’t allow is bad practices to become endemic; specifically, paying the ransom.
Recently, there’s been some chatter in the cybersecurity industry about the growing number of high-profile cybersecurity incidents and whether a significant number of them have been handled by paying the ransom in some way. We’ve all heard stories.
The government’s Strategy heralds the arrival of a ‘Ransomware Playbook’. This is a good idea. But it doesn’t change the value proposition for an individual business, especially small businesses.
What if Australia’s ransomware statistics were published anonymously every year to give companies an indication of what they’re contributing to when they pay a ransom? That awareness can help encourage a company either not to pay the ransom or, and I suspect this is more likely, to make the proactive investments in its cybersecurity practices that ensure it doesn’t get stung in the first place.
We need collective effort to address ransomware. What could be better than putting a number on the size of the problem for everyone to see?