Last week ransomware became a literal barbeque stopper when JBS Foods, Australia’s largest meat processor, was paralysed by a ransomware attack mounted by Russian cybercriminals. All beef and lamb kills along the east coast of Australia were temporarily cancelled.
JBS was able to get back up and running quickly enough to avoid barbeque meat shortages. But not before thousands of workers in Australia were stood down and an $US11m ransom payment was reportedly made by the company to the criminal group.
The JBS attack was just the latest reminder of the national cost of ransomware. In 2021, ransomware attacks on Australian organisations have grown in frequency and scale, including major attacks on eight hospitals, the Nine Network, political parties, accounting firms, consultancies, retailers, and chemical packaging companies.
In total, it’s a billion-dollar-a-year scourge for our nation. A jobs and investment destroyer when we can least afford it.
Our major allies are treating this threat with the urgency it deserves. The United States Department of Justice has established a dedicated ransomware taskforce providing the same level of centralised law enforcement coordination and attention to the issue that it does to terrorism.
FBI Director Christopher Wray compared the recent wave of ransomware attacks and the challenges they present to 9/11. US President Joe Biden is also set to raise this in a bilateral meeting with Russian President Vladimir Putin at the weekend.
By contrast, the Morrison Government’s primary response to the threat of ransomware amounts to little more than victim blaming. It tells Australian organisations they need to take additional steps to protect themselves from these increasingly sophisticated and resourced organised criminal gangs operating with impunity from the other side of the world.
In an article in the Australian Financial Review on Thursday the Assistant Minister for Defence, Andrew Hastie, accused me of “denigrating” our security agencies by calling for his government to do more on ransomware. Far from it. The issue isn’t our agencies, who are some of the world’s best and do outstanding work, it’s a lack of urgency and leadership from the Morrison government.
The debate about how best to defend against ransomware certainly begins with individual organisational IT security, but that’s far from the end of the conversation.
When Anne Neuberger, the U.S. Deputy National Security Adviser for Cyber and Emerging Technology, recently issued a memo to business leaders about what the Biden Administration was asking the business community to do in the fight against ransomware, she began by talking about what the U.S. government itself was doing to combat the threat.
She told business leaders that the Biden Administration was “disrupting ransomware networks, working with international partners to hold countries that harbour ransomware actors accountable, developing cohesive and consistent policies towards ransom payments and enabling rapid tracing and interdiction of virtual currency proceeds”.
Unfortunately, the Morrison government can’t tell Australian business leaders that it is doing its part.
Since February, Labor has been calling for the Morrison government to develop a national ransomware strategy to ensure that government is doing all it can to combat these attacks across its policy, regulation, law enforcement, diplomacy and defence capabilities. We released a discussion paper outlining the options available to government in this fight to kick-start the conversation.
We’ve said that, at a minimum, this strategy should include the creation of a mandatory notification scheme for ransomware payments, allowing our law enforcement and intelligence agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups. We’ve also said that we need to get serious about using our signals capabilities to disrupt cybercriminals and deter attacks on Australian targets.
To date, these ransomware crews have been able to target Australian organisations with impunity.
We learnt at Senate Estimates in the last fortnight the Morrison government hasn’t deployed these considerable offensive cyber capabilities against the criminals who attacked the Nine Network or the hospital networks in Victoria and Queensland. We also learnt that there has only been one Australian prosecution for a ransomware attack in the last 12 months. The AFP told us they have no dedicated taskforce to coordinate law enforcement actions on this issue.
The age of impunity for ransomware crews menacing Australian business must end.
This weekend the G7 summit will take place in Cornwall. The Biden Administration has rightly placed ransomware on the agenda, with National Security Adviser Jake Sullivan saying that he wants to see an “action plan” on the international response to ransomware out of the meeting.
The Prime Minister has an opportunity in Cornwall to move beyond the blame game on ransomware and demonstrate he’s on the side of Australian business against this threat. There are no silver bullets in the fight against ransomware. Everyone has a role to play. It’s time the Australian government did its bit and developed a national ransomware strategy.
Tim Watts is Labor’s Shadow Assistant Minister for Cyber Security and the federal Member for Gellibrand.