Combatting ransomware with domestic cyber security action

To fight increasingly sophisticated actors, the Australian Government should consider its policy options for repelling ransomware attacks and prioritise policies that disrupt the global business model of cyber criminals.

Based on Combatting Ransomware Policy Paper, published August 2023.

Key takeaways

1. Ransomware has become the most destructive cyber-crime threat facing Australians, affecting every sector of the economy.

2. To complement coordinated responses with groupings such as the Quad, Australia has domestic options that would strengthen its resilience.

3. Introducing a requirement for Annual Cyber Resilience Board Statements and sanctioning individuals are potentially strong domestic choices that would work to combat ransomware.

New research from ANU Tech Policy Design Centre has highlighted the many options before policymakers that could build Australia’s resilience to ransomware attacks.

For instance, the research suggested that Annual Cyber Resilience Board Statements for ASX-listed companies would help drive the cultural change needed to prioritise cyber security.

There is precedent for this sort of compliance model. Accountability at the board level is a feature of Australia’s Modern Slavery Act (2018), which requires boards to report on actions taken to address risks of slavery in supply chains.

While that Act is often criticised for a lack of penalties and enforcement, it has indisputably directed board-level attention to the issue of modern slavery and set a public expectation of corporate behaviour.

Similar cyber resilience obligations would need to be carefully calibrated to ensure that boards weren’t obligated to disclose known vulnerabilities in the process of being rectified. The report suggests that if the focus of Board Statements was on fostering cyber resilience, not tick-box compliance, this risk would be mitigated.

The annual statements would also capture expenditure on the replacement of legacy equipment. This generally isn’t allocated against the cyber security budget, but it has a direct impact on a company’s cyber resilience.

A cyber insurance taskforce, housed under the National Cabinet, would create a more viable market for insurance while lifting the bar on cyber resilience, as well as reducing the impact of ransomware.

A national cyber-insurance market could be used to encourage cyber resilience. For instance, if entities can demonstrate good cyber security against agreed standards, liability could be capped and premiums for cyber insurance reduced.

Sanctioning individuals and entities most prolifically conducting ransomware attacks would complement law enforcement activities.

Australia should consider imposing sanctions in coordination with like-minded countries. While it would never be possible to sanction all malicious actors, the deterrent effect of targeted sanctions shouldn’t be underestimated. This would require rapid and public attribution, necessitating capability investment by the Australian Government and would be enhanced by collaboration with international partners.

Stepping up international engagement to combat ransomware is needed to deal with ‘safe haven’ states.

‘Safe haven’ states are jurisdictions where ransomware actors operate with impunity due to explicit state protection, wilful blindness towards the activities of ransomware groups, or local authorities’ inability to respond.

Australia, Quad nations and other like-minded countries can exert pressure on states that are wilfully allowing ransomware attacks in their jurisdictions. This could include economic and trade sanctions, ‘naming and shaming’ in public forums, withholding military or foreign aid, or denying visas to citizens.

Additionally, capacity-building programs and joint law enforcement operations could help address ransomware attacks originating from states whose local authorities are simply ill-equipped to respond.

“(There’s a) palpable demand from the public and industry for the government to act.”

Conclusion
Research from ANU has highlighted several opportunities for policymakers to fight cybercrime through domestic policy action. These options would complement coordination efforts through groupings such as the Quad.

Based on the work of ANU experts

ANU Tech Policy Design Centre