Australia declares war on cyberattacks

“The United States of America does not negotiate with terrorists.” That used to a mantra of US domestic policy – if you hit us, you get nothing, because you’ve sunk beneath the pale of civilized interaction. While cyberattacks only qualify as terrorism if they target national civil or military infrastructure, that spirit of zero tolerance has found a new home – in Australia. The country’s Cybersecurity Minister, Clare O’Neil, has determined that Australia will “punch back” against cybercrime, going after cybercriminal gangs pro-actively – before there’s even evidence linking them to specific cyberattacks. And, while the announcement of the new gung-ho approach has energized law enforcement, one of the additional options on the table has taken everybody by surprise. Australia is considering banning the act of paying ransoms after a ransomware attack.

The aggressive new strategy flies in the face of longstanding business wisdom, which has focused on paying huge sums of money to protect company systems and train staff to avoid providing a gateway for bad actors, while also paying increasing sums in cybersecurity insurance. Beyond that, the specter of cyberattack has globally become a thing that is factored in as the cost of doing business, with huge ransom payments increasingly the norm in the APAC region, to unlock or retrieve compromised data.

Two mega-attacks

The new Australian fightback comes in the wake of two crippling cyberattacks – one against the telecoms giant Optus, and a second against insurance titan Medibank. The implications of these two cyberattacks were perhaps clear: “no-one and no organization, however large, however important to the national interest, is safe. Pay us and we’ll leave you alone – for now.”

It’s possible that whoever was behind these cyberattacks has never threatened Australians before.

Australians have an international reputation for mateship (friendliness and bonhomie), but they are also often stereotyped as coming from a land where everything is either breathtakingly beautiful, or absolutely lethal – and often both at the same time.

It’s a very, very bad idea to threaten Australians.

Hence, O’Neil’s almost Elliot Ness-style declaration of open war against the cybercriminals. The war will involve the setting up of a “Joint standing operation,” as part of which, the Australian Federal Police and the Australian Signals Directorate (Australia’s version of the NSA) will run a team with the express aim “to investigate, target and disrupt cybercriminal syndicates, with a priority on ransomware threat groups.”

Australia fights back

O’Neil said the operation will “scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyberattacks, and disrupt their efforts.”

“This is Australia standing up and punching back,” she added while being interviewed on local radio. “We are not going to sit back while our citizens are treated like this and allow there to be no consequences for that.”

“This is not a model of policing where we wait for a crime to be committed and then try to understand who it is and do something to the people who are responsible. We are offensively going to find these people, hunt them down and debilitate them before they can attack our country.”

The move to make it illegal for people or companies to pay ransomware demands is an extremely hardcore proposal, which would, if implemented form part of the blitzkrieg-style crackdown on cybercriminals. As yet, the move has not been implemented, but it’s by no means unique to Australia – similar moves have been considered by several other governments as a way of cutting off the reward and the incentive for ransomware attackers.

Will the plan work?

Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi, a cybersecurity specialist, said the hardline plans chimed with research Venafi had done on the willingness to pay ransoms.

“The proposal from the Australian government on banning ransomware payments is sound, as it’d hit ransomware operators where it hurts – their wallets,” he explained. “We surveyed 1500 security professionals last year – including over 300 UK respondents – to find out their attitude towards paying ransoms. Over a third of UK respondents (37%) would pay a ransom if compromised, which is in line with the global figure (also 37%).” But there was a surprise twist in the tail of the findings. “62% in the UK said they’d pay a ransom if they had to publicly admit it, which was above the global average of 57%. This suggests that such laws impact decisions on whether or not to pay ransoms.”

But Bocek was realistic on the impacts of such laws on companies. “The harsh reality is that even if businesses pay ransoms, there is no guarantee that their data will be returned, because hackers are increasingly following through with extortion threats regardless. 35% of ransomware victims who paid the ransom were unable to recover their data, and 18% of ransomware victims who paid the ransom had their data exposed on the dark web. Paying ransoms is clearly no longer the failsafe it once was, so businesses should use this proposed law as a wake-up call to address the problems at its root and strengthen their security posture.”

New ways to get paid

But will banning ransom payments not dry up the incentive for criminals to make ransomware attacks? Bocek didn’t think so. “If ransom payments are banned, it won’t end cybercrime, it will just force threat actors to change their tactics. Ransomware gangs will target other locations without regulations in place, or they may try alternative methods of generating revenue. Selling stolen machine identities, such as code-signing certificates, is a potential pivot. We’ve seen those sell for significant amounts on the dark web, and threat groups like Lapsus$ regularly use them to carry out devastating attacks.”

Whether the Australian crackdown reduces – or at least radically changes – the cyberattack profile of the country remains to be seen. If it does, then irrespective of whatever mutations to their initial plans the hackers may try to deliver, it’s likely that the model may well be taken up elsewhere. In fact, a 40-country coalition aimed at stamping out cybercrime altogether had already been formed before Australia revealed its new plans.