Compulsory Disclosure of Ransomware Payments Looms
6 Aug 2024
Australian organisations will soon be forced to disclose their ransomware payments to cyberthieves.
The measure is included in a landmark new Cyber Security Act to be brought before parliament’s next sitting. It comes in response to research which shows Australian businesses have been paying untold amounts of ransom to hackers in what is now a mounting wave of ransomware hacks.
Ransom payments flourishing
The government is reportedly concerned that the practice of quietly paying off cybercriminals has flourished in secrecy. While the government originally planned to place an outright ban on ransom payments, it’s now focused on mapping the scale of the problem.
"People are paying criminals money and it is happening in the darkness (and) we need to bring this out into the light," said former minister for cybersecurity Clare O'Neil. "Government cannot win this war alone. We need a whole-of-nation effort here."
Every six minutes
In its 2022/23 Annual Cyber Threat Report, the Australian Cyber Security Centre confirmed it was notified of a new cyber incident every six minutes on average.
Ransomware attacks have increased roughly five-fold since 2020.
As worrying as those numbers might seem, they are still only a glimpse of the real problem.
"It is believed that in the Five Eyes countries alone - Australia, Canada, New Zealand, the United Kingdom and the United States - literally billions of dollars in ransoms is being paid, and criminal gangs are reinvesting that money … to attack us again," O'Neil said.
Business groups concerned
Cyber security experts say the proposed changes strike the right balance. However, business groups say they are concerned the new disclosure rules could sink some small operators.
To help tempt reluctant businesses into transparency, the government is proposing that disclosures will not be subject to "the glare of regulators". A "Limited Use Provision" will prevent the Australian Signals Directorate and the Australian Cyber Security Centre from sharing the information more widely, except in narrow circumstances.
Said O’Neil: "This is a no-fault scheme. We're not blaming businesses … they're victims of a crime."
Under the existing proposal, regulators such as the Privacy Commissioner would still be allowed to investigate and prosecute companies that "leave the front door unlocked", but only using their existing powers.
"It doesn't absolve business of any of their legal responsibilities or liabilities," O'Neil said. "We expect Australian businesses to take care of their customers … but sometimes things do go wrong."
Not just the private sector
The problem of ransomware attacks is not limited to the private sector. The Australian Signals Directorate said almost one-third of cybersecurity incidents reported in the 2022-2023 financial year came from the public service.
Consecutive audits of the government sector have found it has a "low-maturity level" when it comes to cybersecurity, despite holding the largest store of sensitive data about Australian citizens.
As it stands, about 1,000 Australian entities providing "critical infrastructure" such as energy, healthcare and banking services are obliged to report ransom payments.
Attacks escalating
The new mandatory reporting measures are recognition that there is no end in sight to ransomware attacks.
Johanna Weaver, director of the Tech Policy Design Centre at ANU, said: "No matter how good our cybersecurity protections are … (attacks) will continue to happen."
She applauded the push to establish an ongoing "Cyber Incident Review Board", similar to what exists in the aviation industry, to learn from other major breaches, such as the attack on MediSecure.
Avoiding Ransom Payments
To be truly secure, an organisation’s data must be protected not only when it’s stored, but also while it’s en route to and from storage.
Managed File Transfer (MFT) solutions such as the class-leading GoAnywhere MFT encrypt data at rest and in transit, supporting compliance with the highest data security standards (including the US’s HIPAA, HITECH and SOX, the payment-card industry’s PCI DSS, and Europe’s GDPR).
MFT manages inbound and outbound file transfers across an organisation, using industry-standard file transfer protocols such as SFTP, FTPS, and AS2 to send files securely, and encryption standards such as OpenPGP and AES to protect data in transit and at rest.
Local Expertise on Hand
Generic Systems Australia are your local experts in Managed File Transfer solutions. We’ve assisted hundreds of organisations across the Asia-Pacific region to secure their data and keep cybercriminals at bay.
If you’d like to discuss improving your cybersecurity, please feel welcome to contact me, Bradley Copson. I’m always happy to have an obligation-free discussion, explain how simply we can transition you from outdated software and approaches, and offer you a zero-cost Proof of Concept.
Attribution: sections of this article were substantially sourced from an item originally published by ABC News Australia.