Following the release of the Federal Government's Ransomware Action Plan yesterday, cybersecurity companies and other commentators have offered differing perspectives on the plan's effectiveness, along with recommendations on further steps the Government should take.
The Federal Government's Ransomware Action Plan has been broadly welcomed by security professionals, some of whom call for a greater focus on prevention and the adoption of advanced cyber security measures.
Home Affairs Minister Karen Andrews announced the plan on Wednesday, saying that companies with annual turnover of $10 million or more would be required to report ransomware attacks once it comes into effect.
She said the government would also introduce new offences and tougher penalties. However, Andrews gave no indication of when the plan would take effect.
Scott Leach, Vice President of Sales, Varonis Asia Pacific (APAC), said:
Australia's Ransomware Action Plan falls short and needs more commitment from our Government
“Any time the Federal Government recognises the increasing risk ransomware poses to Australian organisations is a positive. However, there is still room for improvement in today’s Ransomware Action Plan. There are a number of actionable steps that the government could have included, with the aim of improving compliance in a range of industries. For example, the government could issue directives that encourage organisations to introduce a range of positive cyber security measures by a particular date, such as a Zero Trust approach and a strict policy of least privilege, which means employees are only given access to the files necessary to do their jobs.
These directives would have a significant and immediate impact on the organisations that adopt them. Restricting access to an organisation’s most sensitive files ensures that if a data breach ever does occur, the risk of attackers stealing these sensitive files and moving laterally throughout the network is significantly reduced. With little or no access to sensitive files, ransomware is significantly less effective, saving organisations thousands of dollars (if not millions in some cases) and taking the power away from hackers.”
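As an added example (not part of the article, and not Varonis's own code), the kind of check a practitioner would run to find the over-broad file access described above: a small Python audit that parses icacls-style ACL output for sensitive directories and flags grants to broad principals. The directory paths, the principal names (including the `CORP` domain) and the ACL lines are all constructed for the example; the set of "broad" principals is an assumption to be adjusted per environment, and paths are assumed to contain no spaces.

```python
"""Flag broad ACL grants on sensitive directories (added example, constructed data).

Assumes output in the shape produced by `icacls <dir>`: the first line of
each entry is "<path> <principal>:<flags>", later ACEs for the same path are
indented. Paths are assumed to contain no spaces (simplification).
"""
import re
from dataclasses import dataclass

# Assumption: principals that effectively mean "anyone on the domain".
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users", "Authenticated Users", "CORP\\Domain Users"}
# icacls permission tokens that allow reading (exfiltration) or writing (encryption).
READ_RIGHTS = {"F", "M", "RX", "R", "GR"}
WRITE_RIGHTS = {"F", "M", "W", "GW"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")


@dataclass
class Finding:
    path: str
    principal: str
    rights: str
    impact: str


def parse_icacls(text):
    """Return a list of (path, principal, set_of_tokens) from icacls-style output."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" "):
            ace = line.strip()            # continuation ACE for the current path
        else:
            current, _, ace = line.partition(" ")  # "<path> <principal>:<flags>"
        m = ACE_RE.match(ace)
        if m:
            tokens = {t for grp in re.findall(r"\(([A-Z,]+)\)", m["flags"])
                      for t in grp.split(",")}
            entries.append((current, m["principal"], tokens))
    return entries


def audit(entries, sensitive_prefixes, broad=BROAD_PRINCIPALS):
    """Return Findings for broad principals with read or write access under sensitive paths."""
    findings = []
    for path, principal, tokens in entries:
        if not any(path.lower().startswith(p.lower()) for p in sensitive_prefixes):
            continue
        if principal not in broad:
            continue
        if tokens & WRITE_RIGHTS:
            impact = "broad write: ransomware can encrypt or destroy this data"
        elif tokens & READ_RIGHTS:
            impact = "broad read: data can be exfiltrated for extortion"
        else:
            continue  # inheritance flags only, no effective permission
        findings.append(Finding(path, principal, ",".join(sorted(tokens)), impact))
    return findings


# Constructed sample: not real output from any organisation.
SAMPLE = """\
C:\\Finance\\Payroll CORP\\finance-team:(OI)(CI)(M)
                    BUILTIN\\Users:(OI)(CI)(RX)
                    NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
C:\\Public\\Shared Everyone:(OI)(CI)(M)
C:\\HR\\Records CORP\\Domain Users:(OI)(CI)(W)
                CORP\\hr-admins:(OI)(CI)(F)
"""

if __name__ == "__main__":
    for f in audit(parse_icacls(SAMPLE), ["C:\\Finance", "C:\\HR"]):
        print(f"{f.path}: {f.principal} [{f.rights}] -> {f.impact}")
```

On a real host the input would be captured with `icacls C:\Finance /t > acl.txt` and read from that file; the interesting output is the two findings on the sensitive trees (broad read on Payroll, broad write on HR records), while the deliberately open `C:\Public\Shared` share is ignored because it is not under a sensitive prefix.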
Lani Refiti, ANZ Regional Director, Claroty, said:
Australia’s Ransomware Plan is a positive step for our critical infrastructure.
The Federal Government’s release of the Ransomware Action Plan is a positive deterrent for criminal groups who are thinking of targeting critical infrastructure. It’s becoming more and more of a targeted sector, largely because ransomware groups know that the ransom will most likely be paid, as in the case of Colonial Pipeline and JBS, which were forced to pay to get their systems operational again.
The new disclosure rule for companies with a turnover of $10 million or more is a good compromise against the $3M turnover threshold for the current Privacy Law Amendment; it balances out the regulatory component while encouraging organisations to be proactive. On the flip side, it might lead the SME sector, one of the most problematic, not to take the RAP as seriously. It’s always a balance between carrot and stick.
The newly introduced penalties for buying or selling ransomware are another positive deterrent without putting more regulatory overhead onto organisations. If we shift the “cost” to the cybercriminals, it reduces the overheads for the organisations the RAP is seeking to protect. Overall the plan could be perceived as a bit narrow, as it focuses on just one aspect: ransomware. However, it is encouraging to see numerous initiatives rolled out by the Government to support the private sector’s cybersecurity efforts, which only complement the strategy. There will be those who say it’s not enough; that’s a bit like saying “how long is a piece of string?”
Robert Nobilo, ANZ Regional Director at Virsec, said:
The Federal Government’s Ransomware Protection Plan released today is a great starting point to show that the Australian Government is taking a more proactive approach in defending Australians, their businesses and Essential Services.
The plan does cover key areas, including cyber security advice for businesses on how to prepare for and respond to attacks, mandatory ransomware reporting, and additional funding and legislation to fight cybercrime (all of which are desperately needed). However, there still need to be ongoing legislative reforms such as SOCI to help businesses that don’t have the resources of enterprise business and government agencies to try and stay ahead of cyber criminals. For example, the banking, insurance and superannuation sectors are subject to APRA CPS 234, a mandatory regulation that requires organisations to uplift their cyber security capabilities in specific ways.
Many other sectors are not subject to such legislation. While we have the ASD Essential 8, which is fantastic, it’s only a recommendation of a methodology, and not a set of mandated regulations to improve cyber posture. So, perhaps the Australian government could look at developing industry-specific bodies and mandatory regulations similar to APRA for other sectors including Healthcare, Manufacturing, Retail, Utilities, Education, State and Local government, which include frameworks specific to each industry and the threats they face.
Unfortunately, every Australian business is now at risk of cyber-attack, and as we have seen in recent attacks on Uniting Care, JBS and Stonnington Council, they are at the mercy of traditional security tools that don’t have the ability to stop advanced cyber-attacks.
Kate Healy, Head of Security, Google Cloud AuNZ, said:
For more than 20 years Google has been operating securely in the cloud, using our modern technology stack to provide a more defensible environment that we can protect at scale. While the threat of ransomware isn’t new, our responsibility to help protect our customers from existing or emerging threats never changes.
Today’s reality shows us that these ransomware attacks have become more pervasive, impacting essential services like healthcare, targeting government agencies locally or globally, or delivery services. Recently, ransomware groups have evolved their tactics to include stealing data prior to it being encrypted, with the threat of extorting this data through leaks. Additionally, some ransomware operators have used the threat of distributed-denial-of-service (DDoS) attacks against victim organisations as an attempt to further compel them to pay ransoms. DDoS attacks can also serve as a distraction, occupying security teams while attackers seek to accomplish other objectives such as data exfiltration or encryption of business-critical data.
Yet despite attempts to stop this threat, ransomware continues to impact organisations across all industries, significantly disrupting business processes and critical national infrastructure services and leaving many organisations looking to better protect themselves. Robust protection against ransomware (and many other threats) requires multiple layers of defense and the Australian Government’s Ransomware Action Plan, along with its reforms to protecting critical infrastructure, is recognition of the need to uplift security in businesses across the economy.
We are deeply concerned by these trends. Security is the cornerstone of our product strategy, and we’ve spent the last decade building infrastructure and designing products that implement security at scale. Protecting against ransomware is a critical issue for all organisations, and best practices such as reporting are only the start of building a mature and resilient cybersecurity posture. It’s important to remember that you can’t focus on a single piece of defense; you need a comprehensive cybersecurity program that enables you to identify, prevent, detect, respond, and recover from threats. Above all, you need a range of solutions from a battle-tested and highly resilient cloud platform that works across these elements in an integrated way with your business.
We’ve recognised the importance of helping governments and businesses address the threat of ransomware. In fact, we’ve just announced the launch of the Google Cyber Action Team (GCAT), a team of security experts from across Google Cloud engaged in providing strategic advisory, trust and compliance, customer, solutions engineering, and threat services across the larger organisation. Our team continues to help drive cybersecurity transformation by customers, in furtherance of Google’s additional $10 billion commitment to strengthen cybersecurity over the next 5 years.
Dave Shepard, Director APAC Channel and Alliances at Illumio, said:
Ransomware will continue to boom as long as cybersecurity follows the status quo
The recent Ransomware Report by Google shows how the criminal ransomware industry is booming because it continues to take advantage of the cybersecurity status quo. Typically, attackers use social engineering or commodity phishing to gain access. Once on the inside they move quickly and easily through a network, establishing a foothold on a large volume of workloads to inflict enough disruption and suffering on the victim. The effectiveness of a ransomware attack is dependent on the freedom to move laterally and spread far and wide, fast. Most attackers want an easy ride and to profit from their actions, so it stands to reason that if we force them to work harder by limiting the opportunity to spread and restricting the speed at which they can accomplish their goal, they’ll go elsewhere.
How exactly can organisations do that? It starts by acknowledging what isn’t working – and that’s a cyber defence strategy relying almost entirely on prevention technology. Because of this, moves to zero-trust architectures and an ‘assume breach’ mindset are gaining in popularity. Australia has taken another positive first step with the Ransomware Notification Bill and the more recently announced Ransomware Action Plan, which creates new offences that target the buyers and users of criminally-acquired data. But it’s incumbent on organisations to review their cyber strategies and consider fresher alternatives to yesterday’s technologies that are proving ineffective. Illumio exists because prevention fails, and when it does fail, containment is what stops a breach from becoming a full-scale cyber disaster. Customers who deploy our segmentation technology are more resilient to attacks because they have fortified their networks by limiting freedom of movement and ensuring the impact, disruption and cost of recovery following an inevitable breach are all greatly reduced. Through a combination of fresh perspective, modern technologies and government policies we can tackle the problem from all angles – making it more difficult for crime to pay and tipping the odds in favour of cybersecurity teams, who now have the visibility, intelligence and tools to put up a more credible fight against the cyber adversary.
There’s a reason why this industry says ‘it’s not a case of if, but when’ so often. It’s the truth.
Scott McKinnel, ANZ country manager at security outfit Tenable, said:
“Ransomware isn’t just a financial threat, but an urgent national security risk that threatens schools, hospitals, businesses, and governments across the board.
“Cyber attacks — including ransomware — are big money makers, so ultimately we need to do everything in our power to make it more difficult and less lucrative for cyber criminals. For this reason, we welcome the government’s action plan.
“We believe that greater sanctions and an increase in government and industry co-operation can play a vital role in keeping Australia safe, and we look forward to more detail being released on the plan.
“Having said that, businesses can’t rely on the government alone to protect them.”
Matthew Lowe, ANZ area vice-president for security and service management software provider Ivanti, said:
A lot of the conversations around the Ransomware Action Plan are, understandably, currently focused on the criminal offences for ransomware attackers and the mandatory reporting scheme for ransomware victims.
The ‘prepare and prevent’ section of the plan outlines minor measures and updates that have, for the most part, already been captured within the announcement of the Australian Cyber Security Strategy in 2020. This has unfortunately diminished the importance of taking a proactive approach to mitigating the risk of ransomware.
“The threat of a hefty fine is still only effective in reducing ransomware if the risk of getting caught is high. Crime is a risk versus reward game, and this plan would need to show a quick and high success rate in fining, and fine collection from, these criminals before we will see a reduction in ransomware.
“Prevention is still the best tool in the arsenal against ransomware. Focusing on cyber education and government sponsored assistance around ransomware prevention and preparedness among businesses would be more impactful in reducing the $3.5 billion lost each year to cyber crime and the damage and pain ransomware inflicts, with almost immediate results.
“Mandatory reporting of ransomware attacks is critical, as accurate information is needed to understand the root cause, and real impact, of ransomware — information that informs some of our strongest and most effective security recommendations like the Australian Cyber Security Centre’s Essential Eight. The more credible and up-to-date information the ACSC can provide to mid-sized business around the effectiveness of aligning their security policy to the Essential Eight, the greater the uptake of the framework—leading to less incidents.
“Addressing these gaps in security is a vital process for every business. With the increasing number and variance of threat vectors, companies need to understand the landscape and be proactive about preventing cyber incidents.”
Nityanand Thakur, head of Cyber Security at Koenig Solutions, said:
“Most ransomware attacks and ransom payments go unreported, as businesses are reluctant to disclose they were attacked. This results in a vicious cycle of funding of cyber criminals to launch further attacks.
“With ransomware attacks targeting important infrastructure such as the recent attack on the Colonial Pipeline, governments are increasingly coming under pressure to act.
“Implementing a reporting requirement is a tool that will help stem the flow of funding to these criminal organisations.”
Eric Abetz, Liberal Senator for Tasmania, said:
“Ransomware is indiscriminate and affects individuals, business and critical infrastructure, and the total cost of ransomware can be around $1 billion a year. The new Ransomware Action Plan is a welcome weapon in our cyber security arsenal to disrupt, track and prosecute cyber criminals.
We must continue to be agile in our response to the increasing threats to our cyber security and this new plan outlines specific, practical measures to protect people and organisations as well as punish those who engage in ransomware.”
H. Daniel Elbaum, chairman and joint chief executive of VeroGuard, said:
“Whilst the recognition of the cyber security problem in the plan is welcome, an immediate increased focus on preventing the crimes is needed, and the adoption of the enhanced cyber security referred to by the World Economic Forum embraced.
“It makes absolutely no sense to continue doing the same thing and expect a different result. For example, a key recommendation by the Australian Cyber Security Centre to prevent ransomware includes turning on multi-factor authentication, but they also acknowledge that not all MFA are equal.
“Breaches of software-based 2FA solutions are becoming common, yet significantly ‘enhanced MFA cyber security’ solutions are already available in the market that happen to be developed, produced and run in Australia.”
Elbaum said the government could be doing a lot more to enhance cyber security and protect businesses and citizens online.
He called for the implementation of measures “that would have immediate and material impact on the problem, such as mandating strong MFA rather than any MFA, integrating strong MFA and digital identity into government systems rather than vulnerable applications and biometric-based tools”.
“I would like to add that a focus on sovereign solutions will also mean better control over our critical infrastructure, economic outcomes and development of high value jobs in the digital economy,” he added.