To pay or not to pay ransomware hackers: the Government says don't pay and the Business Council says provide a safe harbour

June 9, 2023

Verizon’s 2023 Data Breach Investigations Report finds that ransomware was tied to 16% of all data breaches, double the figure in last year’s report, and that ransomware continued to be a factor in 24% of all data breaches. Interestingly, in 93% of security incidents involving ransomware, victims reported no financial losses, at least based on information submitted to the FBI. The remaining 7% of victims reported a median loss of $26,000, double what victims reported two years prior.

The overall costs of recovering from a ransomware incident are increasing while the ransom payouts are lower. This is due to the increasing automation and efficiency of ransomware operators.

The question of paying a ransom is vexed. Ransoms are paid, and more often than observers think. Sometimes the hackers abide by the agreement and provide the key which unlocks the data. Sometimes the hackers behave like the criminals they are: they take the ransom, provide no key and in fact release the data they exfiltrated from the site, if exfiltration was part of the data breach. Some provide the keys, but upon unlocking the owner finds the ransomware program has damaged the data. Regulators generally advise against paying ransoms but acknowledge that payment is a reality.

The Australian Government is considering making ransomware payments illegal. This has been met with some pushback by cyber insurers. The Business Council of Australia (BCA) has called for a safe harbour. This has been reported by the Australian Financial Review in “Businesses call for ‘safe harbour’ during major cyber incidents”.

The BCA press release provides:

Cyber security is front of mind for businesses across Australia and has been for a number of years.

In 2021, 95 per cent of local CEOs said cyber is a top threat to growth.

Business concerns have continued to rise as the threat environment has worsened, with malicious cyber activity increasing in frequency, scale, and sophistication.

It has been matched with an increasing level of focus on the part of regulators, including internationally, such as through the SEC’s Cybersecurity Regulations and likely amendments in future.

Unfortunately, the risks Australia faces are not static.

The Australian Cyber Security Centre’s (ACSC) annual threat reports have repeatedly highlighted the evolving nature of the threats faced by Australians and Australian businesses.

Our responses must remain similarly agile. As the Minister for Cyber Security, the Hon Clare O’Neil MP has noted, Australia’s ‘patchwork’ of approaches has not kept up.

While recent high-profile breaches have heightened concerns for Australian citizens and businesses, they have also drawn into stark relief the flaws and limitations in the current structures and systems.

A new cyber security strategy is an opportunity to ensure our systems and bureaucracies not only match the new world but keep pace with changes we know are coming.

To underpin new structures, a clear goal is needed for a refreshed cyber security strategy.

A new cyber security strategy must work towards protecting all Australians against the threats that have come with a digitised economy and society. This means having positive incentives for all stakeholders – individuals, businesses (small, medium, and large), community and not-for-profit groups, and government agencies and departments – to do the right thing.

Equally, the strategy must support Australia becoming a frontier economy – a country that is diversified, competitive, and outward looking. This will be the only way Australians can get high wage, secure jobs, and a continuing improvement in the standard of living.

If Australia is going to be a top five digital economy, we must ensure there are the maximum incentives for businesses and the community to embrace digital technology, while protecting privacy and data integrity.

To get there, Australia must avoid punitive or inflexible responses to cybersecurity risks save for circumstances which demonstrate gross negligence and recklessness which meet a criminal standard of proof.

Further it is important to keep a clear distinction between privacy and cybersecurity frameworks. There will be significant confusion in the Australian economy if these are somehow merged.

Responding to cyber threats must be a shared, ‘team’ responsibility: businesses should be seen as partners for government, along with working with the Australian community and customers. Government or regulator responses should not re-victimise organisations or individuals who are already trying to cope with a crime committed against them.

Instead, government should set out a plan to construct bidirectional, timely information sharing.

In an environment where business investment as a share of GDP is at 30-year lows and capital is leaving Australia on a scale not seen since World War II, Australia can’t afford to throw more sand in the wheels.

Instead, we should seize the opportunity to not just protect our existing assets and people, but also to grow a new services sector and cross-economy capability.

The AFR article provides:

Companies caught up in major hacking incidents should be allowed to determine when to pay off cyber criminals holding their data, the Business Council says, calling on the government to urgently clarify existing regulation and laws on ransom payments.

The lobby group has told Labor that Australia’s national cyber security office should be given powers to help organisations facing breaches, such as the damaging hacks at Optus and Medibank Private, with a “single window” created for business to report ransomware incidents.

In a submission to the federal government’s cybersecurity strategy consultation, the BCA says a review is needed to identify all reporting requirements that organisations must comply with, and temporary safe harbour provisions created for cyber incidents.

Under the plan, any reports to federal authorities would be treated as confidential, and not passed between government agencies or used subsequently for regulatory investigation or enforcement action, until the incident had been contained and/or resolved.

The submission says businesses should be seen as partners for government on the critical issue of cyber protection, in the interest of employees, profits and the effective functioning of the economy.

“Government or regulator responses should not revictimise organisations or individuals who are already trying to cope with a crime committed against them,” the submission said.

“Instead, government should set out a plan to construct bidirectional, timely information sharing.

“In an environment where business investment as a share of GDP is at 30-year lows and capital is leaving Australia on a scale not seen since World War II, Australia can’t afford to throw more sand in the wheels.”

Home Affairs and Cybersecurity Minister Clare O’Neil announced an industry consultation for development of a new national cybersecurity strategy to cover 2023-2030 in April, naming former Telstra boss Andy Penn to lead a new expert panel.

Cybersecurity Co-operative Research Centre chief executive Rachael Falk and Air Marshal Mel Hupfeld are on a panel advising the government on the strategy.

The BCA says the government should focus on measures which can lift whole-of-economy cybersecurity standards, including for small and medium businesses which face chronic cyber skills shortages and growing risk.

The submission said any new programs should be properly assessed against a future generation of cyber problems and challenges.

Cyber threat exercises are planned with the banking and finance sectors, a strategy which the BCA said must not be used to identify new punitive measures where vulnerabilities or issues are found.

The submission says a strict prohibition of ransomware payments would not be helpful, with many businesses already having policies against paying in place.

“Whether to pay should be left to individual organisations to determine, in close collaboration with government,” the submission said.

“As it stands, businesses do not take these decisions lightly. These decisions involve senior management and board oversight, and involve a wide range of considerations, including operational resilience, reputation and business risk, and the advice of government partners.”

Senator O’Neil’s department expects improving cybersecurity to provide a “significant” boost to the domestic digital economy. The cyber market already contributes about $2.4 billion in gross value added activity, with 11 per cent growth recorded in the sector between 2020 and 2022.

The CSIRO estimates that Australia’s cybersecurity revenue could reach $6 billion a year in 2026.

The BCA said it did not support adding consumer data to critical infrastructure regimes, warning such a move risked exposing businesses to complex additional regulatory requirements.
