“Certainly criminals are getting much more sophisticated in their attacks, but in many ways the ease of conducting a cyber attack is significantly greater than the importation of drugs.
“At this stage, for comparatively less effort, their rewards can be much greater.”
Businesses often tend to ignore a ransomware attack. They don’t know what to do.
— Home Affairs Minister Karen Andrews
The Australian Cyber Security Centre received more than 67,500 cyber crime reports during 2020-21 – one every eight minutes – which was a 13 per cent increase from the previous financial year.
But the true number of attacks and hacks is much higher.
“We know there is under-reporting, so we can be very confident there is well in excess of 67,000 cyber crimes that were reported and were actually committed,” Andrews says.
“The way they are going about these attacks and what they’re looking for is changing. We’re seeing a difference in the patterns of behaviour of cyber criminals.
“They’re encrypting networks, they are threatening to publish the stolen information they have, so it’s not just ‘pay the ransom and we’ll give you the keys to be able to unlock’, but it is ‘if you don’t pay the ransom, we are going to make public the information we have’.
“We also know that if someone might choose to pay ransom it doesn’t mean they’re going to get their information back anyway, and quite frankly the evidence is that sets them up for future ransomware attacks.”
Last month the government released its ransomware action plan, after months of Labor complaining it was not taking the issue seriously enough.
The plan includes the establishment of a new federal police taskforce to investigate ransomware crimes, as well as bolstering joint operations with international law enforcement agencies.
The government’s action plan flags the introduction of new laws cracking down on ransomware, including a standalone offence for cyber extortion, and allowing police to track and seize ill-gotten gains.
A mandatory incident-reporting scheme would also be implemented requiring firms to report to government agencies if they had received a ransomware demand.
Andrews says the government is conscious of not unnecessarily increasing the burden on businesses with the mandatory reporting requirements but believes the benefits outweigh the cost.
While businesses often respond to ransomware demands by “sitting with fingers crossed hoping it doesn’t get published”, she says reporting it not only assists the individual firm but also provides a valuable source of intelligence on cyber attackers’ emerging patterns.
“Businesses often tend to ignore a ransomware attack. They don’t know what to do,” she says.
“I am very much aware of the reluctance of businesses to report ransomware attacks, particularly when it related to sensitive data, because they are concerned about reputational damage.
“The ACSC can offer assistance to businesses while they are in the middle of a ransomware attack but also with steps necessary to protect themselves afterwards from future attempts.
“When the cyber criminals are starting to do different things, by that information being reported we can collate that information, do our own research on it and develop a good insight into how these criminals are operating.
“That enables us to close that loop again and go back to support businesses on what they need to do to maximise their cyber security.”
Labor has proposed its own version of a reporting scheme which would require organisations to inform the ACSC before making a ransomware payment to a criminal operator, but Andrews is dismissive.
“Our view is that at that point it is too late. We actually need the reporting beforehand,” she says.
“Our government’s position is clear: we don’t condone payment of a ransom. We actually want businesses to be notifying they have been subject to the right advice so we can help them. If they pay the ransom, then they are just supporting criminal activity.”
One of the most elaborate cyber attacks this year involved hackers exploiting a vulnerability in Microsoft Exchange email servers, an operation that melded the actions of a nation state with those of criminals.
Australia joined the US and dozens of other countries in attributing the origin of the attack to China’s Ministry of State Security, which was accused of using contract hackers to steal intellectual property. These hackers, as a side hustle, also exploited the vulnerability for personal financial gain.
But perhaps the biggest worry posed by nation states in the cyber space is the threat of disrupting the operation of critical infrastructure that keeps Australian society ticking over.
To protect an expanded list of critical infrastructure operators – which include energy, water and sewerage, transport and communications providers, financial services, data storage, the defence and space industries, higher education and research, the food and grocery sector and health care – the government wants to impose new rules and obligations.
Providers will be required to report to the government when they are suffering a cyber attack but, most controversially, the government would also have powers allowing the Australian Signals Directorate to take over computer systems when they come under cyber attack.
The move has met resistance from the tech sector, which warns it sets a “troubling global precedent” and imposes unworkable obligations. It wants the use of step-in powers to be subject to judicial oversight.
Andrews says she understands the concerns of the sector, which has been critical in the past of the government’s grab for new cyber powers related to security and law enforcement, such as encryption and interception.
While Andrews does not find tech companies obstructionist, “I do think they have particular views which are very much focused on the technology and sometimes they don’t think broadly of what the implications are because they focused on their area. As a government we have to look at the broader issue.”
She says the government wants critical infrastructure dealt with in the Senate in the final two sitting weeks, which start on Monday.
“Our critical infrastructure is so important,” she says. “Whilst we know there have been significant cyber attacks on businesses which affect companies, they are important, but they would be dwarfed by an attack on our critical infrastructure.
“I’m talking about our energy networks, our communications systems, our water resources, which would create significant damage if a cyber attack interrupted their delivery.”
Andrews says the government would in the first instance seek to co-operate with a critical infrastructure provider suffering from a cyber attack, although the step-in powers would be available as a last resort.
“Whilst there are malicious actors within our country and in other countries as well, we also know some other nations have seriously invested in cyber and they do have the capability and potentially the intent to disrupt,” she says.
“There is a level of vulnerability and we shouldn’t try to sugar-coat that at all. There are risks out there. Yes, the banks, for example, do have good systems and many of the large businesses I have similarly spoken to have been able to demonstrate what their capacity is.
“But that doesn’t mean any system is perfect – in fact, no system can be perfect. Hence, the powers we are looking at from the government to be able to step in to support when we need to are essential.
“No business is absolutely 100 per cent equipped to deal with every cyber-security eventuality. We do need to make sure there is an opportunity for the Australian Signals Directorate to be able to step in for matters of critical infrastructure, and I think the Australian public would have an expectation that’s what their government would do to protect them.”