Australia moving closer to mandatory ransomware disclosure

The JBS ransomware attack on critical infrastructure highlights the ‘perilous’ risk to key industries, and government action, including but not limited to disclosure mandates, is under consideration.


Suggestions that Australian companies could be forced to reveal payments to ransomware gangs were already emerging before the major attack on meat-processing giant JBS on 1 June shut down abattoirs across Australia and sent thousands of workers home indefinitely.

The ongoing ransomware attack disabled operations across the United States, Australia, and Brazil, where the company—the world’s largest supplier of beef, chicken, and pork—operates 47 facilities, including the largest meat-processing factory in the southern hemisphere.

Thousands of employees have been stood down while the company works to restore operations, and Australian authorities and US FBI specialists are investigating the incident—with US government authorities attributing the attack to Russian interests amidst warnings that the ripple effects from the attack could disrupt a range of downstream businesses. JBS claims it is making progress on resolving the disruption.

Ransomware attacks get bolder, and cause greater harm

After a flat year of industrial control system (ICS) vulnerabilities in fiscal 2018-19, an observed 56% surge in ICS vulnerabilities last year was translating into bolder attacks by cybercriminals who, ICS-security firm Claroty’s ANZ regional director Lani Refiti said, know that “a ransomware attack that seizes up operations abruptly will present a dramatic cost to the enterprise. This factor makes food and beverage companies a high-prized target, and more likely to give in to the demands of attackers in the case of ransomware to get their facilities operational again.”

During previous work conducting security audits at the likes of Deloitte and PwC, Refiti said it had become clear that meat-processing plants “typically have a very low level of maturity when it comes to cybersecurity programs. … Many companies are blind to cyber risk—a factor that makes meat-processing plants a dream target for cyberattackers.”

The JBS attack is the second major ransomware attack in a month to target significant critical infrastructure, following the attack that shut down the US’s Colonial Pipeline—an 8,850km network of pipes that moves crude oil between drilling sites in Texas and refinery operations as far away as New York City.

Colonial Pipeline supplies about 45% of fuel to the populated east coast of the US, and the incident caused widespread disruption to fuel supplies that ultimately eased after the parent company paid a $5.7 million ($US4.4 million) ransom to the gang responsible. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told the Wall Street Journal in explaining what he knew would be a “highly controversial” captain’s call.

Such calls are likely to become increasingly necessary as cybercriminals pursue what threat-detection firm Vectra AI’s CEO Hitesh Sheth called “a disturbing shift in cyberwar strategy. … It looks like a ransomware attack,” he said, “but what’s really telling is the choice of targets. This is an important global supply chain moving essential goods to 100 countries, and the motive here runs deeper than ransom. The question is: Does our joint commitment to a more effective defence run equally deep?”

Mandatory ransomware disclosure is on the table

As attacks on critical infrastructure continue to disrupt daily life and as the financial success of ransomware makes it cybercriminals’ weapon of choice, a growing regulatory response in Australia looks set to formalise ransomware’s status as a clear and present operational risk to business continuity.

“Very business savvy” cybercriminals will “chase opportunity” where they find it, said Department of Home Affairs secretary Mike Pezzullo during a recent Senate Estimates hearing where he flagged the “deeply concerning” threat environment that Australia faces. He telegraphed significant proposed changes to the government’s Security of Critical Infrastructure (SOCI) Act.

These changes include the creation of the Government Assistance Measure (GAM) capability under which the Australian Signals Directorate (ASD) could “actively deploy … very advanced malware recognition [and] the sort of recognition tools that our signals authorities have that, say, a cybersecurity company, even the best of them, would not have, simply because they’re highly classified.”

Faced with a flood of cybercriminal attacks, the Australian government recently added food and energy supply chains, among others, into its expanding definition of critical infrastructure—which it has been working to protect through a multifaceted Cyber Security Strategy that was updated in 2020.

The need to more closely monitor ransomware incidents and outcomes had led the government to consider requiring companies to disclose ransomware incidents and payoffs like those made to restore Colonial Pipeline operations.

Although details were still being discussed, Pezzullo said, “it’s likely that a regime … will be proposed. … Most advanced economies are at a point where … a much more active defence posture will be required,” he said, “simply because of the prevalence of the attacks.”

Australia has not been invited to participate in a US FBI-led Ransomware Task Force that was exploring more formal processes to protect critical infrastructure. But Australia is continuing to explore more proactive policies to defeat ransomware, and Pezzullo said he “can’t imagine that such a construct wouldn’t be in some sort of future strategy”.

Although he agreed that mandatory reporting of ransomware payouts “is a positive step in the right direction”, Veritas Technologies’ Asia South and Pacific director of strategy and architecture Geoff Coley warned that “this sort of regime raises a number of factors for consideration in the instance of a ransomware attack. … There is still a stigma of negative press for companies that fall victim to attacks,” adding that “companies that are at the receiving end of a ransomware attack are often caught off-guard and likely to take the easy way out by giving in to extortions especially when critical data, services, and systems are at stake.”

That’s why Coley said, “Unless there is an incentive in place for a company to go public as a victim of ransomware and not pay the fee, we are still nowhere near to reining in ransomware in Australia. … The introduction of mandatory ransomware management schemes will only be valuable from a business perspective if reporting the attacks becomes normalised.”

Coley’s warning about reputation was echoed by GlobalData consumer analyst Ramsey Baghdadi, who warned that supply chain disruptions “can ultimately affect the choices of consumers, as brand trust is pivotal in consumers’ purchasing decisions.” With 57% of consumers claiming that product choices are always or often influenced by how trustworthy the brand is, Baghdadi said, “data breaches, delays to shipments, or halted production can compel consumers to look at alternative brands—particularly during sensitive times such as a pandemic.”

To Baghdadi, the correct response is clear: “Businesses need to focus on cybersecurity investment in their future since the frequency of cyberattacks is increasing exponentially. [But] in general, organizations fail to understand the landscape they are trying to defend. Consequently, defensive decisions aren’t taken and actions are not prioritized, leaving enterprises open to compromise.”

That inaction is no longer acceptable and is likely to continue creating problems for companies regardless of government guidance, Home Affairs Secretary Pezzullo said—warning that the ongoing “perilous” situation, including potential threats from nation-state actors, meant ransomware and other cybersecurity attacks were a “pressing, urgent problem” that business executives needed to be closely monitoring.

“COVID has been dreadful,” he said. But “imagine trying to do COVID without electricity. [The threat] is as immediate, it’s as realistic, and it’s as credible a threat as that. … If you’re on a board or you’re the chief executive, don’t worry about the IT team, the CIO, and CISO; that’s their day job,” he said. “If you’re a chief executive, a deputy head of a company, or the board and you’re not paying attention to that public information that [the Australian Signals Directorate] put out every day, you are not doing your job.”

Copyright © 2021 IDG Communications, Inc.
