Federal Government supports ransomware initiative and announces a cyber ransom reporting scheme.
November 13, 2023
The Federal Government recently announced support for the International Counter Ransomware Initiative. Today the Government announced that it will introduce a mandatory ransomware reporting scheme as part of its cyber security strategy. This was reported by InnovationAus in Businesses face cyber ransom reporting scheme. Neither the legislation nor the details of the proposal have been released.
Banning ransomware is difficult. The first problem is enforcement. Data breaches and ransomware attacks are notoriously under reported. Professional hackers are quite sophisticated and can make the payment of a ransom a relatively quick operation. For a desperate victim whose business is being affected and who is concerned about reputational damage, this can be the least worst option. Having a no fault, no liability mandatory reporting scheme is more complicated than it would appear. Commonly an organisation will suffer a data breach because of its own laxity: failing to properly patch and update anti-virus software, inadequate privacy training, and poor culture. It always comes down to how the legislation works. Will reporting a breach provide an organisation with protection from action by a regulator? Will that protection extend only to the notification and the ransomware attack itself, or will it cover any breaches of legislation in not maintaining proper data security? If it is the latter, that has a real potential to undermine the operation of the Privacy Act. Ransomware attacks are the single biggest form of cyber attack. Granted, enforcement at the moment is poor, but proper enforcement still remains an issue.
The Minister’s statement in support of the Initiative provides:
I congratulate the International Counter Ransomware Initiative (CRI) on the success of its annual Summit held in Washington this week and their work to step up the fight against ransomware.
All 50 members involved reaffirmed our joint commitment to cooperate internationally to combat the scourge of ransomware and fight back against the ransomware ecosystem.
I want to highlight the CRI’s shared commitment to not give into ransomware extortion demands and work together to assist any CRI member who gets hit by a ransomware attack.
The forthcoming 2023-2030 Australian Cyber Security Strategy will look at ways that we can work with industry to break the ransomware business model.
The Strategy will also identify ways that we can enhance the guidance and support provided to victims of ransomware.
These are the essential steps we need to take as we work towards becoming a world-leading cyber secure and resilient nation by 2030.
I would also like to welcome the addition of Albania, Colombia, Costa Rica, Egypt, Greece, INTERPOL, Jordan, Papua New Guinea, Portugal, Rwanda, Sierra Leone, Slovakia, and Uruguay as new CRI members.
This expanded coalition will further strengthen international efforts to build cross-border resilience against ransomware attacks in the Indo-Pacific.
A key aim for the CRI is boosting industry participation in combating cybercrime and broadening partnerships between governments and industry.
International and industry partnerships are our vital force multiplier in coordinating responses against ransomware criminals. Collaboration sits at the heart of our work.
The International Counter Ransomware Initiative 2023 Joint Statement provides:
The 50 members of the International Counter Ransomware Initiative (CRI)—Albania, Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Colombia, Costa Rica, Croatia, the Czech Republic, the Dominican Republic, Egypt, Estonia, the European Union, France, Germany, Greece, India, INTERPOL, Ireland, Israel, Italy, Japan, Jordan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Papua New Guinea, Poland, Portugal, the Republic of Korea, Romania, Rwanda, Sierra Leone, Singapore, Slovakia, South Africa, Spain, Sweden, Switzerland, Ukraine, the United Arab Emirates, the United Kingdom, the United States, and Uruguay—met in Washington, D.C. on October 31–November 1, 2023 for the third convening of the CRI. Previously participating states welcomed Albania, Colombia, Costa Rica, Egypt, Greece, INTERPOL, Jordan, Papua New Guinea, Portugal, Rwanda, Sierra Leone, Slovakia, and Uruguay as new CRI members.
During the third CRI gathering, members reaffirmed our joint commitment to building our collective resilience to ransomware, cooperating to undercut the viability of ransomware and pursue the actors responsible, countering illicit finance that underpins the ransomware ecosystem, working with the private sector to defend against ransomware attacks, and continuing to cooperate internationally across all elements of the ransomware threat.
Over the past year, this group of nations and organizations has grown and built upon the commitments made at the second convening of the CRI in 2022. Through unveiling operational tools, the International Counter Ransomware Task Force (ICRTF)—established at last year’s meeting—began developing platforms for coordinating and disrupting ransomware at an operational level. By adding thirteen new members to the coalition, the Diplomacy and Capacity Building Pillar expanded the CRI’s like-minded umbrella and incorporated capacity building efforts throughout all pillars and working groups of the CRI. The Policy Pillar led efforts to counter the business model that underpins the ransomware ecosystem. This included research on cyber insurance, victim behavior, seizure and confiscation of virtual assets, ransom payments, and best practices in incident reporting and information sharing. Throughout the year, the coalition sought to incorporate the private sector and integrate capacity building at every opportunity.
We remain committed to using all appropriate tools of national power to achieve these goals and jointly committed to the following actions in support of this mission.
2023 Key CRI Deliverables
This year’s CRI gathering is focused on developing capabilities to disrupt attackers and the infrastructure they use to conduct their attacks, improving cybersecurity through sharing information, and fighting back against ransomware actors.
Developing Capabilities
- Leading a mentorship and tactical training program for new CRI members to build their cyber capacity, including Israel mentoring Jordan;
- Launching a project to leverage artificial intelligence to counter ransomware;
Sharing Information
- Launching innovative information sharing platforms enabling CRI member countries to rapidly share threat indicators, including Lithuania’s Malware Information Sharing Project (MISP) and Israel and the UAE’s Crystal Ball platforms;
- Building the CRI website, maintained by Australia, which includes a forum for members to request assistance from CRI members;
- Encouraging reporting of ransomware incidents to relevant government authorities; and
- Sharing actionable information with the CRI members.
Fighting Back
- Developing the first-ever joint CRI policy statement declaring that member governments should not pay ransoms;
- Creating a shared blacklist of wallets through the U.S. Department of the Treasury’s pledge to share data on illicit wallets used by ransomware actors with all CRI members;
- Committing to assist any CRI member with incident response if their government or lifeline sectors are hit with a ransomware attack.
The CRI provides an opportunity to create long-term cooperative approaches and common understandings of accountability in cyberspace, consistent with international law as well as state actions as embodied in the Framework for Responsible State Behavior in Cyberspace, endorsed by all United Nations member states.
Through the Policy Pillar, CRI members affirmed the importance of strong and aligned messaging discouraging paying ransomware demands and leading by example. CRI members endorsed a statement that relevant institutions under our national government authority should not pay ransomware extortion demands. CRI members intend to implement the Financial Action Task Force (FATF)’s Recommendation 15 on the regulation of virtual assets and related service providers, which would help stem the illicit flow of funds and disrupt the ransomware payment ecosystem. CRI members also affirmed the importance of encouraging ransomware incident reporting within their own jurisdiction, and sharing meaningful information to strengthen our collective efforts to disrupt ransomware actors. The Policy Pillar also examined the centrality of the cyber insurance industry in tackling ransomware, and committed to enhancing engagement with industry, as well as undertaking research into the importance of developing effective crypto asset seizure regimes.
Over the next year, the Diplomacy and Capacity Building Pillar will continue to expand the CRI’s mentorship program and onboarding program. The Pillar will prioritize opportunities to inform potential new members about the Initiative, and it will develop tailored capacity building opportunities to match members’ and potential new members’ needs and requests.
Going forward, the ICRTF will build upon the successes of its inaugural year by operationalizing the tools and platforms developed by its members. Members will work toward attaining a comprehensive understanding of the ransomware threat by sharing information and exchanging knowledge through virtual seminars and labs. Members plan to create and share resources to build their national counter-ransomware capacity, working closely with the other pillars to develop practical tools for governments to prevent, respond to, and recover from ransomware attacks, uplift cyber capabilities across the existing CRI membership, and advocate new membership to those countries who will most benefit from what the CRI has to offer. The ICRTF will also continue to support transnational operations conducted by its members and collaborate with industry to target disruptive activities at key components of the ransomware ecosystem, in recognition that ransomware is a cross-border and cross-sectoral threat that necessitates close collaboration across governments and sectors to be effectively combatted.
The third convening of the CRI leveraged the expertise of like-minded partners, private sector participants, and capacity building experts to further reshape the cyber environment so members are better equipped to combat ransomware. Members from around the world reaffirmed our joint commitment to building out our toolkit for collective resilience to ransomware, cooperating to disrupt ransomware, and working together to curb the illicit money flow that ransomware actors rely upon. We are building capacity through long-term cooperative approaches and refining our understanding of accountability in cyberspace, bringing us one step closer to rooting out criminal actors and responding with collective resolve. The members express their gratitude towards the countries who have taken on leadership roles in the CRI: the United States as Secretariat; Australia as lead of the ICRTF; Singapore and the United Kingdom as Policy Pillar leads; and Germany and Nigeria as Diplomacy and Capacity Building Pillar leads. Through the Initiative’s annual meeting, as well as the dedicated work that is happening between each gathering, we commit to working together on a policy and operational level to counter ransomware threats and hold perpetrators of these vicious attacks accountable.
The proposed scheme has been reported in Businesses face cyber ransom reporting scheme. The article provides:
The Albanese government will introduce a mandatory ransomware reporting scheme for businesses as part of its update to the national cybersecurity strategy, ruling out an outright ban on the payment of ransom demands.
Cybersecurity minister Clare O’Neil unveiled the proposed notification scheme on Monday, as one of the country’s biggest port operators continues to battle a ransomware attack that suspended operations at ports in several states.
It comes just weeks after the government formally pledged not to pay cyber ransom demands itself, a result of a US government push for a non-ransom-payments pledge between Counter Ransomware Initiative members.
An evolution of a scheme proposed by Labor while in Opposition, the no-fault, no-liability ransomware reporting obligations have been designed as an early warning system to help get businesses the support they need. It will require businesses to report all ransomware incidents, ransom demands and payments.
According to the Australian Signals Directorate, ransomware attacks currently cost the Australian economy $2.95 billion each year, a figure that is continuing to increase, with the ransomware attack on port operator DP World one of the recent high-profile examples.
In the first half of the year, global ransomware attacks grew 45 per cent, according to US deputy national security advisor for cyber and emerging technology, Anne Neuberger. Ransomware payments have also increased 120 per cent this year in the US.
Despite the growing number of payments globally, Ms O’Neil said it was clear from consultation with industry on the 2023-2030 Australian Cyber Security Strategy that an outright ban was not supported, with some arguing that it would complicate matters in future.
“Over the last 12 months, I have engaged with hundreds of business leaders across the country and some of the best cyber thinkers in the world, and what we have heard consistently is that Australia is not yet ready for an outright ban of ransomware payments,” she said.
While ruling out a ban, the government will continue to strongly discourage businesses from paying ransoms and will instead step up support for businesses, including through the creation of a new ransomware ‘playbook’.
“Our first step must be getting the right supports in place for businesses and citizens so that it can become an easy decision to not pay ransoms. And, to build a picture of what’s really going on so we can tackle it head on,” she said.
“The problem today is effectively hidden. We know tens of millions of cyber-attacks are attempted every year. We don’t have that picture of which companies and industries are targeted and when, and how many ransom demands are actually paid.”
The reporting obligation is expected to be co-designed with industry following the release of the updated cybersecurity strategy, which is expected as early as next week, with the consultation also to consider streamlining and coordinating other cyber reporting obligations, which remains a bugbear for the sector.
The Australian Federal Police and ASD are also expected to ramp up work to investigate and disrupt the perpetrators of ransomware attacks, with the potential for sanctions to be used against nation states that are found to have a connection.
In addition to new ransomware reporting obligations, the government is planning to fast-track changes to Australia’s critical infrastructure laws that bring the telecommunications sector under the Security of Critical Infrastructure (SOCI) Act.
It follows calls from the Australian Telecommunications Security Reference Group earlier this year for reduced duplication and complexity in national security legislation, with the government committing to work with the sector on the proposed changes.
In classifying telecommunications as one of the sectors under the SOCI Act for the first time, telco providers will be held to the same high standard as other critical infrastructure sectors like energy, data storage and processing, and financial services.
“Our cyber security depends on properly regulated telcos, and that’s why today we’re moving to both strengthen and simplify the rules,” Ms O’Neil said, adding that last week’s Optus outage was another reminder that “nothing much works in the 2020s without reliable internet”.
“Telcos should be held to at least the same standards as other critical infrastructure. Our telcos must be prepared for major vulnerabilities, have risk management plans in place, and build backups to maintain essential services when things go wrong.”