Aggressive nationally and internationally coordinated strategies are needed to tackle the growing threat of ransomware, according to an expert taskforce that included the US, UK and Canadian government cyber agencies.
Australia was not part of the taskforce and the federal government is yet to develop a national ransomware strategy, leading to calls from Labor that Australia is being left behind.
A coalition of global experts assembled by a business group, the Institute for Security and Technology (IST), on Thursday released a strategic framework for combatting ransomware, which has quickly grown into a “serious national security threat and a public health and safety concern”.
“This global challenge demands an ‘all hands on deck’ approach, with support from the highest levels of government,” the IST report said.
The framework calls for coordinated global action to deter and disrupt ransomware attacks, and help organisations prepare for attacks and respond to them. According to the report, ransomware victims paid attackers more than US$350 million last year, more than triple the amount in 2019, and the average downtime from an attack was three weeks.
“The immediate physical and business risks posed by ransomware are compounded by the broader societal impact of the billions of dollars steered into criminal enterprises, funds that may be used for the proliferation of weapons of mass destruction, human trafficking, and other virulent global criminal activity,” the IST report said.
The number one goal of the framework proposed by the group is to deter ransomware attacks through a “nationally and internationally coordinated, comprehensive strategy” which would be led by the US.
Labor has welcomed the report but says it highlights Australia’s increasingly isolated position of not prioritising the threat of ransomware at a national level.
The Australian Cyber Security Centre has said that ransomware is the “highest threat” facing Australian businesses and governments in the cyber domain. But the government’s 2020 national cybersecurity strategy mentions it only twice: once in quoting a submission to the report and once advising where victims can report it.
In March, a government advisory group released a report on ransomware urging businesses to implement basic cyber security. But it did not include any recommendations for government or any calls for new policies.
Earlier this month, Australia signed a new communiqué with Five Eyes partners which included a commitment to share lessons on ransomware and, where possible, align national policies, public messaging and industry engagement.
The Opposition released its own ransomware discussion paper in February and called for a dedicated national strategy.
In response to the IST report, shadow minister for Home Affairs Kristina Keneally and shadow assistant minister for cybersecurity Tim Watts said the government is being left behind on ransomware.
“While our major security partners are recognising the need for a plan to tackle this billion-dollar scourge plaguing business, we have yet to hear the Morrison Government’s strategy to address this critical threat to Australia’s economy and society,” a joint statement said.
“Just in the last week we’ve seen ransomware attacks on two Brisbane hospitals and a Geelong secondary school. This followed the major ransomware attack on the Nine Network last month.”
The IST’s ransomware taskforce included cyber industry leaders, academics, and representatives from the UK National Crime Agency, US Cybersecurity and Infrastructure Security Agency, US Federal Bureau of Investigation, US Secret Service and the Royal Canadian Mounted Police’s National Cybercrime Coordination Unit.