New Australia Task Force Will “Hack The Hackers”, Cyber Security Expert Reaction

Following on from the latest Medibank data leaks, and backing their decision not to pay the ransom, Australian ABC News reported that Cyber Security Minister Clare O’Neil said the government was considering a law that would make it illegal to pay such ransoms. “The idea that we’re going to trust these people to delete data that they have taken off and may have copied a million times is just frankly silly,” she told Insiders on Sunday.

O’Neil also announced the formation of a new Australian task force combining the expertise of the Australian Federal Police (AFP) and the country’s cyber spy agency, the Australian Signals Directorate, designed to “hack the hackers”. Stressing that Australia must “shift away from the sense that the only good outcome here is someone behind bars”, she said the main aims of the government would be to disrupt hacking operations and not allow Australia to be a soft target.


3 Expert Comments
Martin Jartelius, CSO
InfoSec Expert
November 15, 2022 12:12 pm

The lesson learned from this is rather straightforward – If your systems can be damaged beyond repair in a cyber attack, your organisation has not prepared for the risk correctly and applied adequate controls. When we talk about cyber crime today it always comes with consequences in terms of financial or reputational damages. It strikes against organizations but also against society, and it should be investigated and prosecuted as such. It is organized crime and extortion against the central functions in our society. As organizations, we need to prepare and mitigate the risk by practicing good cyber hygiene; as a society and collective, we need to discourage.

Erfan Shadabi, Cybersecurity Expert
InfoSec Expert
November 15, 2022 12:12 pm

The recent ransomware incident affecting Papua Vanuatu’s government highlights the harsh reality that every governmental agency must confront: a ransomware attack isn’t just a remote possibility but rather a likely impending event. Being able to shut down operations, encrypt critical operational data, and cause general mayhem in the delivery of governmental services are the main goals of the threat actors behind these attacks. A better course of action other than relying on paying a ransom (which, in this case, Vanuatu’s government refused to pay) is to prepare for this eventuality with robust recovery capabilities (tools and processes) combined with proactive data-centric protection. The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can’t exfiltrate sensitive data and use that compromised information as further leverage. Data-centric security methods such as tokenization and format-preserving encryption protect the data itself rather than the environment around it. Even if hackers get their hands on data, they can’t blackmail organizations with the threat of the imminent release of that data.

Ryan English
InfoSec Expert
November 15, 2022 12:10 pm

Modern activists who fight to keep the World Wide Web neutral don’t remember the history of the internet. Born out of a US Government project in 1969 to connect research labs, and then military institutions and universities, the Internet has been a tool of war and espionage for as long as it has existed.

In the 1986 book, “The Cuckoo’s Egg,” Cliff Stoll documented an early case of West German-based hackers stealing national security secrets from the US government. It is certainly being used today by terror groups and criminal actors.

We have not found any success limiting criminal groups through diplomatic means. Governments realizing that, to deal with the criminal menace, they will need to fight fire with fire signals an acceptance that the scourge of ransomware and other destructive attacks will not just fade away. I am a fan of retaliating in kind and hope this kind of wisdom makes its way to US shores.
