The federal government ought to place a greater focus on “community awareness” in the fight against ransomware as the risk of attack continues to escalate, according to outgoing Telstra chief Andy Penn.
But Mr Penn, who chairs the government’s telco-heavy Industry Advisory Committee on Cyber Security, has stopped short of recommending legislation, despite urging the former government adopt a “clear policy position”.
The committee made the recommendation in its annual update last year after observing that it was not clear to business whether paying ransomware gangs was illegal or what best-practice was for incident reporting.
The recommendation followed a spate of high-profile ransomware attacks including one that forced US pipeline operator Colonial Pipeline to proactively close down operations and freeze its IT systems.
The then government took on the advice shortly thereafter, releasing a ransomware action plan in October 2021 that sought to introduce tougher penalties for criminals and a mandatory incident reporting scheme.
But legislation that would have enacted tougher penalties lapsed at the dissolution of Parliament in April, and legislation for the mandatory ransomware incident reporting regime was never introduced.
The newly minted government is yet to detail its plans in this space, though it could form part of country’s revised Cyber Security Strategy. A spokesperson from Home Affairs minister Claire O’Neil’s office has been contacted for comment.
In the previous term of government, Labor attempted to force the Coalition’s hand by introducing a bill that would require businesses and government to notify the Australian Cyber Security Centre before paying a ransomware gang.
During his address to the National Press Club on Tuesday, Mr Penn said ransomware remained “major and escalating issue”, estimating that 80 per cent of Australian businesses had experienced an attack in 2021, up from 45 percent in 2020.
Asked whether legislation was important to address ransomware risks and whether it should be an urgent consideration for the new government, Mr Penn said there was a need to improve “community awareness” first and foremost.
He said that while some of the campaigns launched by government to date had shown promising results, the “level of investment in the context of the broader investment in cyber security, [is] small relative to the benefit it could have.”
“Ultimately, I think the single biggest lever that we have to pull is in community awareness because ransomware generally will end up in someone’s system…through some form of introduced malware,” he told InnovationAus.com after his address.
“That malware will either be introduced by somebody clicking a link or [perhaps from] someone putting an infected USB drive into their computer, or it might be through a worm from another source.”
Mr Penn pointed to the “multiple instances of malware resident in [Digicel’s] systems” that his cyber security team identified after Telstra’s government-backed purchase of the Pacific telco for $2.1 billion last month.
“We can do a lot to identify the malicious activity and block it, but unless we can help the community help themselves by better password protection, patching systems, offline backups, we’re never going to be able to catch everything,” he added.
Penn was generally critical of the former government’s implementation of the 2020 cyber strategy, highlighting “crucial areas where more needs to be done either because insufficient progress has been made under the strategy to date, or in response to the constantly evolving threat landscape”.
The Industry Advisory Committee on Cyber Security will release its second annual report on the strategy on Wednesday.
Do you know more? Contact James Riley via Email.