Cyber security strategy stalls ransomware-payments ban

Digital marketers and global online platforms have emerged as the Albanese government’s first comprehensive cyber strategy big winners, with regulatory carve-outs for a range of well-known risks and threats still firmly in place and education, corporate hardening and tightened reporting and compliance requirements all getting a boost.

In a document that affirms much of the task of threat neutralisation and emergency intervention as the role of the Australian Signals Directorate, home affairs and cybersecurity minister Clare O’Neil on Wednesday declared that the shake-up of the nation’s cyber apparatus and outreach initiatives would put “Australia on track to being a world leader in cyber security by 2030.”

This isn’t to say the cybersecurity strategy isn’t urgently needed — it is. But there’s much clearer delineation between education, advocacy and regulation (Home Affairs and friends) vs actual operations and interventions (Australian Signals Directorate and adversaries).

Australia is probably right now already a cyber world leader in some respects, after being repeatedly thumped and sinking $10 billion into cyber operations through Defence’s REDSPICE program, but there is merit in the ambition and desire to do well, and cyber was an explicitly stated political hill that the Albanese government said it would take during the election.

Raising the standard

On Wednesday, O’Neil was left on her own to plant the flag on that hill and sell the new vision splendid, with home affairs secretary Mike Pezzullo sidelined for allegedly plying politics and national cybersecurity coordinator Darren Goldie recalled to Defence on a workplace matter.

The strategy is fairly comprehensive, even if some of the harder asks have been parked until telecommunications and tech lobbyists run out of breath or excuses.

Security hardheads looking for political will to solve some of the sector’s more pernicious outliers — like hardening web traffic and transactions with DNSSEC, banning data lines on SMS to stop them from being exploited and weaning marketers and corporates off link shorteners (which hide the real destination of a URL) — won’t be surprised that these have all been kicked down the road for fear of real unintended consequences, like disrupting surveillance capitalism.

There is also seemingly no appetite for toilet-training banks and the payments industry by making them financially responsible for the increasing losses consumers and small businesses are suffering at the hands of online fraudsters, identity thieves, stolen data brokers, crypto exchanges and ransomware and malware crews.

But what is present is a fairly comprehensive workplan that doubles as an industry roadmap in that it states pretty specific targets and outcomes that are fairly logically divided into six “national cyber shields.”

Previously announced, these shields are:

  1. Strong businesses and citizens
  2. Safe technology
  3. World-class threat sharing and blocking
  4. Protected critical infrastructure
  5. Sovereign capabilities
  6. Resilient region and global leadership

There’s a relatively modest pot of money — $587 million — that is meant to stretch out until 2030 but is obviously front-loaded towards the near term.

Better, stronger, smarter

Around half of the money, $290.8 million, is earmarked for “Shield 1: Strong businesses and citizens”. That includes a swag of small business support, community outreach, incident support, education and — once again — cleaning up after lazy banks and platforms.

The UK’s experience in this regard is instructive, especially given that Blighty is where a lot of Australia’s regulatory thinking on open banking, the consumer data right and ISO 20022 (real-time payments, payments with data, the ability to send automated payment requests) is imported from.

Fraud and scams exploded so badly in the UK under the reform regime, which Australia is broadly copying, that the UK government was forced to intervene and flip 50% of liability back to banks after consumers started losing confidence in the system, prompting the government to mandate a “right to cash”.

There is a linkage between cybercriminals running ransomware and those feeding off vulnerabilities in the payments system. Compromised personal information is the breeder stock for the identity fraud and theft that is used to make purchases, open accounts, move cryptocurrency around, launder money through mules and so on.

Trust me. I’m an extortionist

The biggest call in Shield 1 is a commitment to “work with industry to break the ransomware business model”.

“The ransomware business model is fuelled by payments made to cybercriminals, with cryptocurrency transactions enabling malicious actors to anonymously profit from extortion claims. Paying a ransom does not guarantee that sensitive data will be recovered. It also makes Australia a more attractive target for criminal groups,” the strategy observes.

There is clear and specific guidance on why not to pay ransomistas, but again, no instrument to ban such payments.

“Consistent with our Counter Ransomware Initiative (CRI) commitment, the Australian Government continues to strongly discourage businesses and individuals from paying ransoms to cybercriminals. There is no guarantee you will regain access to your information, or prevent it from being sold or leaked online. You may also be targeted by another attack,” the strategy says.

If not now, when?

The banning of any payments to ransomware extortionists would eliminate the current legal grey market, but O’Neil is arguing business and government do not yet have sufficient coping mechanisms for an outright immediate ban.

“We are in a situation in our country where it is clearly not the right time at this moment to ban ransoms, and that’s because we haven’t done the hard work,” O’Neil told ABC Radio National.

“We don’t have, for example, a federal police force that’s properly resourced and properly equipped to deal with this problem, and we solve part of that problem in the strategy. We don’t have a proper system of supports for companies that are undergoing cyber-attack, and we solve that problem in the strategy.”

Which raises the question of which evil is worse: a business banned from making a ransomware payment having its data stolen and leaked, or a company free to make a ransomware payment having its data stolen and leaked anyway?

Either way, that ball’s been boxed until after the next election.

No sudden moves

One logical argument against a sudden ban that the government is unlikely to make public is that a rapid shift in regulation and enforcement could prompt a hard reset in criminal typology, with crews going straight for the money rather than trying to extort it. Another is that there is now a large body of actionable intelligence that can be used at a later date to far greater effect. O’Neil admitted the ban is on the cards, just not in the strategy.

“So my plan for the country on ransoms is that we undertake what is the first two years of this strategy, and then we revisit where we are then and contemplate what I think is inevitable for countries around the world, and that is one day a ban on making ransomware payments. We just can’t feed cybercrime like this,” O’Neil said.

Again, there’s some decent UK form to learn from here. When British banks announced a deadline after which chip-and-PIN would be mandatory for card transactions, moving away from magnetic stripes, the assumption by banks was that fraud would fall.

Instead, it went into overdrive as card cloners and skimmers cashed in all the stolen card data they held before the change rendered it worthless.

It’s a knockout

The big mover on the security compliance and regulation front is telecommunications, which shifts from the Department of Communications to Home Affairs.

“The Government will work with industry to move the security regulation of the telecommunications sector from the Telecommunications Sector Security Reforms (TSSR) in the Telecommunications Act 1997 to the SOCI Act,” the strategy says, cementing a widely expected move.

“This will better align obligations for critical infrastructure entities that span multiple sectors, reduce regulatory duplication and complexity, and provide scalable obligations for the telecommunications sector.”

Managed service providers (that’s outsourcers and data centre operators) also get collared by the strategy.

“The Government will also seek to clarify cyber security obligations for managed service providers, aligning closely with data protection initiatives established under Shield 2,” the strategy says.

“Together, these initiatives will complement the protections and obligations for personal information established by the Privacy Act and action taken by the Government to strengthen individuals’ trust in the management and storage of personal data.”

Hand over the keys

The strategy says implementation of the Systems of National Significance framework, which carries the toughest obligations, will be expedited and take-over powers widened.

“The Government will consult with industry on how it can help entities better manage the consequences of cyber incidents. This includes the proposal to introduce a last resort all-hazards consequence management power to help industry deal with secondary consequences stemming from significant incidents, where no other Commonwealth, state or territory legislative levers are available to provide an effective response,” the strategy said.

“Under this proposed power, Government would be able to authorise specific actions to manage consequences of a nationally significant incident, including cyber attacks or other hazards. Such powers reflect calls from critical infrastructure for enhanced government support when managing the ongoing impacts of an incident.”
