A cybersecurity “policy vacuum” has allowed Australian organisations to become prime targets for worsening ransomware attacks, a new paper warns.
The Australian Strategic Policy Institute report calls for mandatory reporting of ransomware strikes, better incentives for companies to improve their cybersecurity measures, and an expanded national alert system.
It stops short of calling for the payment of ransoms to be criminalised, but suggests payments should “always be a last resort”.
The ASPI report, by the Cyber Security Co-operative Research Centre’s Rachel Falk and Anne-Louise Brown, states that ransomware presents a unique threat which the private sector cannot deal with alone.
In the past 18 months, a host of major Australian companies have been hit by ransomware attacks, including Toll Holdings, BlueScope Steel, Lion Dairy and Drinks, Nine Entertainment, Eastern Health, Uniting Care Qld, and JBS Foods.
The malicious software, designed by state and non-state cybercriminals, locks up infected systems and data until the victims pay for them to be unlocked and decrypted.
“A current policy vacuum makes Australia an attractive market for these attacks, and ransomware is a problem that will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed,” the report states.
“Developing a strategy now is essential. Not only are Australian organisations viewed as lucrative targets due to their often low cybersecurity posture, but they’re also seen as soft targets.
“The number of attacks will continue to grow unless urgent action is taken to reduce the incentives to target Australian companies and other entities.”
The report states payments to cybercriminals are legally “murky”, with the Criminal Code making it an offence to provide funds if they could become “an instrument of crime” or support terrorism offences.
But criminalising payments “could punish organisations for taking proportionate action to protect stakeholders and the community”, it continues.
The report calls for better education about the threat, and better incentives to encourage companies to be better prepared.