ASPI ‘soft target’ warning on ransomware

Joseph Brookes
Senior Reporter

Ransomware attacks will only get worse for Australia without strategic domestic efforts to thwart them, according to a new report which warns a “policy vacuum” has made the nation an “attractive market” for cyber attackers.

The Australian Strategic Policy Institute report follows a spate of ransomware attacks in Australia and across the world, which have crippled services and infrastructure while costing organisations millions of dollars.

The Opposition called for a national ransomware strategy in February and a mandatory notification scheme for Australia in June. International experts have also called for strategies as part of a coordinated response from national leaders and backed the use of notice schemes.

But the federal government is yet to launch a formal ransomware policy or notification scheme, instead relying on a business advisory group and an awareness campaign, and pledging to work with international allies against the threat.

ASPI bells the cat on ransomware

The latest report from ASPI said much more will be needed in Australia to combat the growing threat of ransomware, part of a $1 trillion “tsunami” of cybercrime.

“A current policy vacuum makes Australia an attractive market for these attacks, and ransomware is a problem that will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed,” the report said.

“Developing a strategy now is essential. Not only are Australian organisations viewed as lucrative targets due to their often low cybersecurity posture, but they’re also seen as soft targets.”

Written by Cyber Security Cooperative Research Centre chief executive Rachael Falk and colleague Anne-Louise Brown, the ASPI report suggests several domestic policy levers to thwart ransomware attackers, which typically operate from foreign countries.

“Such action is essential because the grim reality is that, when it comes to ransomware, prevention is the best response,” it said.

The report’s policy recommendations include a mandatory notice scheme, a dedicated cross-departmental taskforce also involving state and territory representatives, greater clarity about the legality of ransomware payments, more transparency when attacks do occur, expanding the official alert system of the Australian Cyber Security Centre (ACSC), education programs to improve public and business understanding, and tax, procurement and subsidy measures to incentivise cybersecurity uplift.

On the same day the federal government-funded ASPI’s report was released, Home Affairs minister Karen Andrews launched a discussion paper on regulatory reforms and voluntary incentives to strengthen cyber security across the economy.

The paper estimates the cost of cyber security incidents to the Australian economy is $29 billion per year, or 1.9 per cent of GDP.

“We cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security,” Minister Andrews said.

Labor said the ASPI report echoes its continued calls for a ransomware strategy and a notification scheme.

“By contrast, while the Morrison government never misses an opportunity for a dramatic press conference on cyber security it’s missed every opportunity to take the basic actions needed to combat this threat,” said shadow assistant minister for cyber security Tim Watts, who introduced a private member’s bill for a notification scheme last month which is yet to be listed for debate.

“Instead it’s simply played the blame game, telling businesses it’s up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals.

“Australian businesses and the workers they employ need a government that understands organisational IT security is only part of the response to the threat of ransomware.”

The ASPI report concludes there is a key role for government to play in tackling ransomware but the problem is a shared responsibility.

“While there’s no doubt that organisations must take responsibility for ensuring that their cybersecurity posture is up to scratch, there are practical and easily implementable steps the government can take to provide clarity, guidance and support,” it said.
