Holding ransomware to account
The Federal Government’s latest announcement in its Ransomware Action Plan of a proposed mandatory ransomware incident reporting regime is part of its 2020 Cyber Strategy and a major step in the ongoing fight against cybercrime. If implemented, it would be one of the first laws of this kind.
The design of the regime is aimed to benefit, not burden, small businesses. It will only apply to businesses with an annual turnover of more than AUD$10 million, which will be required to notify the Australian Cyber Security Centre (ACSC) within a prescribed period of experiencing a ransomware attack or face civil penalties if they do not.
The Plan includes new ransomware-related criminal offences which could have a wide-ranging impact on the cyber-crime ecosystem.
Evolving cyber regulatory framework
This proposed regime, which will involve the introduction of separate legislation, would operate alongside other regulatory and policy frameworks that currently impose security-related obligations and breach reporting requirements, and set the standards for how businesses manage their cyber risk.
They include CPS 234 for APRA-regulated organisations and the Notifiable Data Breaches scheme in the Privacy Act 1988 for eligible data breaches affecting personal information. There are some computer-related offences in the Criminal Codes, but the Plan proposes to create new specific criminal offences, including using ransomware for cyber extortion, selling malware for undertaking computer crimes, and knowingly dealing with stolen data while committing a separate criminal offence. The new legislation would also provide for related law-enforcement powers. How the reporting obligations will be enforced remains to be seen, as the ACSC does not currently have regulatory powers.
This regulatory framework will be joined by the positive security and mandatory reporting obligations in the Critical Infrastructure legislation being developed by the Department of Home Affairs, which has just been reviewed by the Parliamentary Joint Committee on Intelligence and Security. Highlighting the need to respond to the immediate cyber threats Australia is facing, the Committee has recommended the current Bill be split, to enable the rapid passage of a first Bill to urgently implement some of the proposed measures, including Government step-in powers in the event of a cyber attack on critical infrastructure. Related to this, one of the criminal offences the Plan proposes will cover acts targeting critical infrastructure.
Costs of cyber attacks
As we noted in KPMG’s recent submission to the Department of Home Affairs, the Australian Competition and Consumer Commission’s (ACCC) Targeting Scams 2019 report identified that Australians lost over $634 million to scams in 2019. However, the true cost of cybercrime to the Australian economy, including businesses, has been difficult to quantify. Industry estimates have previously placed the cost of cyber security incidents as high as AUD$29 billion annually, and the Government’s Plan refers to a predicted cost to business from ransomware attacks in 2021 of US$20 billion. Reputational damage, loss of trust and diversion of resources are also critical impacts.
Reporting not banning payments
While the Government has stopped short of proposing a ban on ransom payments, it has maintained its position that it does not condone payments to cyber criminals by any organisation and has ‘zero tolerance’ of ransomware. The Plan does not make the choice for business all or nothing.
While an express legislative ban on ransomware payments has been explored in Australia and overseas, governments are hesitant to take this step for a number of reasons. These include the complexities of implementing and enforcing such a law, and the impact and risks to Australian businesses from ransomware attacks – they could become a target for ransomware attackers attempting to test Australia’s resolve, be left unable to continue operating as a result of their data, systems or infrastructure being compromised, and leave their clients’ confidential data exposed.
At the most serious end, there could also be an immediate risk to the life and safety of their customers or staff, or a major disruption to the supply chain (as experienced from the attack earlier this year on US-based Colonial First State, in which Australian super funds own a stake). However, there is no certainty that payment of a ransom will guarantee the security of a victim’s data or systems, or restore the ability to access them. There are also legal risks in making what could be prohibited payments, given the nature of the threat actors behind these attacks. Payment can also encourage attackers to try again.
The reporting framework will need to ensure that businesses who do report are protected and supported, that their systems and data are not further compromised as a result, and that they are not penalised for making any payments (noting the complexities of ensuring any payment is not otherwise prohibited). For example, the US approach is to grant limited immunity to businesses that come forward to report a breach, and support to protect their data, as a way of encouraging reporting, even if they have paid a ransom.
Further consideration of the options and impacts of banning ransomware payments requires a global response by nation states and collaboration between governments, such as through the Five Eyes and the US-led Ransomware Taskforce, to address these issues.
Insights and impact of reporting
While the Notifiable Data Breaches scheme provides government, regulators and policy makers with an understanding of the cause of cyber incidents that affect the security of personal data, there has to date been no notifiable regime for cyber attacks that steal or encrypt broader confidential and corporate data (including intellectual property and commercially sensitive data) and/or cause operational disruption to extort payments. Ransomware as a service, which offers pay-for-use ransomware so affiliates can deploy already developed malware with ease, has become a sophisticated business model, with government and business struggling to stay ahead of organised threat actors.
The intention of the regime is to help provide a better understanding of the threats as well as to enable victims to be better supported. In a recent article on insights from the Notifiable Data Breaches scheme, the OAIC’s key message is that the cyber threat environment is evolving, and organisations need to continually update their processes and protections. It noted that about 60 percent of data breaches notified since the scheme started (in February 2018) have been caused by malicious or criminal attacks, mostly as a result of a cyber incident, and that these can start with social engineering and the use of stolen identity data. It also pointed to the ACSC’s latest annual report, which notes that ransomware is one of the most significant threats to Australian organisations and that the nature of the attacks makes it difficult to assess what data has been accessed or exfiltrated. The ACSC had received nearly 68,000 cybercrime reports in the last financial year (that is one report every 8 minutes). The Government has said that it will prioritise education and assistance over penalties in the new regime.
The proposed regime should therefore focus the attention of Australian businesses on making cybersecurity and privacy an organisational priority. They need to effectively manage their cyber risks, improve their prevention of cyber attacks, and ensure they are prepared for and can respond to attacks. KPMG’s 2021 CEO Outlook, a study of 1,300 CEOs across 12 countries, found only 78 percent of Australian companies said they had a plan to deal with a ransomware attack, compared to 65 percent of CEOs globally.
Responding to ransomware attacks
Businesses should not be waiting for the reporting obligations to commence, or merely reacting to attacks. They should be reviewing and strengthening their cyber incident response planning now. The full impact and extent of ransomware attacks often cannot be easily determined, as a result of multi-level and decoy attacks employed by threat actors. These attacks often lead victim organisations to move immediately to rebuild and restore systems, before the full extent of the attackers’ actions can be understood. All too often, this approach results in the destruction of key artefacts and evidence needed to quantify the data at risk and to inform response and remediation efforts.
Understanding the root cause of all cyber issues is a critical step in enhancing cyber posture, and early, decisive action to preserve evidence and fully understand the impact of a cyber event can prevent a technology issue from becoming a data breach. This is also likely to be important for meeting the reporting obligations under the new regime.
A holistic response
Beyond legislation, the Government has an important role to play. Any efforts to lift resilience and security in the economy will need to be matched by actions taken by government organisations. Governments must lead by example, both in preparing for cybercrime and in how they respond to attacks.
Governments and larger businesses will also have a key role in helping smaller businesses lift their cyber security, as will regulators like the OAIC, which is prioritising personal information security and regulatory action for non-compliance. The services and software products of smaller businesses are often critical in the connected digital supply chain, but they may not have the capability or resources to ensure they are cyber resilient and secure, or can recover from a successful attack. This poses a risk to their government and bigger business customers. Therefore, government support that focuses on lifting the cyber security and resilience of smaller businesses, as well as educating the community and the workforce, is also required as part of any approach to tackling ransomware attacks.
Addressing ransomware attacks effectively is a very important step in the Government’s cyber reform strategy, both as part of the broader effort to tackle cybercrime and to help improve the overall cyber security posture of Australian businesses, large and small, as well as government. A holistic response to ransomware will need to come from across the policy spectrum, from securing systems and data through to deterrence and enforcement.
Now that the Government has acted, it is also time for business to step up and help ensure that Australia is as #cybersafe as possible.