As Australia considers banning ransomware payments, Will Dixon, global head of the academy and community, ISTARI, argues that it could be a dangerous move for global security
Australia is set to become the first country to break cover and instate an outright ban on ransom payments by making them illegal, hoping to bring the ransomware scourge to an end in the process. Whilst this is attractive in its simplicity, it could well make the situation worse, not better.
Ransomware is a principal risk to business and a strategic threat to government. When nation-states build their cyber resilience strategies in an evolving and complex landscape, it is important to realise that new policies created in silos will not be effective or enough. Whilst controversial, ransom payments still provide business leaders with a measure of last resort to release pressure on their organisation; making this illegal takes this safety valve away. Who knows what will follow?
Forcing bankruptcy?
The issue with an outright ban is that a resiliency strategy is built in layers: reactive controls and risk management protocols exist for when the worst happens, and they usually contain or minimise the impact. Payment is often the very last control, not the first. If an incident has reached that point, removing the pressure valve of a ransomware payment leaves a victim organisation with few places to go. Are we truly prepared for scores of companies to go offline, or bankrupt, because of the criminal acts of others?
Furthermore, the industrialisation of ransomware and the rise of ransomware without encryption (extortion based on stolen data alone) mean that the risks are even greater than before. Although LockBit’s apology and free decryption tool given to Canada’s SickKids hospital following a recent ransomware attack shows that there is still honour amongst some bad actors, many organisations will not find themselves treated so charitably. Cybercriminals intent on getting paid will pile on more and more pressure, publishing large amounts of sensitive data or possibly even wiping systems as they look to force the issue of payment.
Worldwide action needed
The fact is that a government or even a collection of governments banning ransomware payments will likely prove futile until there is a worldwide ban backed by incentives to improve resilience within the ecosystem at scale; something that would be almost impossible to get agreement on. So long as there are places where ransomware payments are allowed, they will be made.
Without strong oversight, an organisation that cannot pay from its Australian bank account could look to pay from a subsidiary in a different market where payments are allowed. If that route is closed off, the unintended consequences could be worse still, with such bans leading to the creation of shadowy third-party organisations domiciled in loosely regulated markets that facilitate ransomware payments. If we accept that ransomware payments will continue to exist as a measure of last resort, it is only sensible for them to be made from jurisdictions with proper regulation, reporting, and enforcement of best practices.
Cyber resilience negates need for payments
Ransomware payments will continue to be a contentious issue, but without an alternative, they are here to stay and will remain a last resort for a company’s cyber resilience. Organisations need to ensure that they have more complete cyber resilience strategies in place so that they do not find themselves in a position where the only option is to cough up to cybercriminals. This means a strategy that tackles the technology challenge but also ensures there is proper governance and risk mitigation in place.
This includes understanding what the organisation’s most valuable systems are and ensuring that they are properly protected; knowing who the key decision makers are in the event of an attack; having a properly war-gamed playbook for the actions that need to be taken immediately when a cyberattack occurs; and having proper mitigation strategies in place, such as backups and, you guessed it, cyber insurance in the event of having to make a payment as a last resort.
More sensible policies needed
Banning ransomware payments may seem like an attractive option for governments looking to pull the rug out from under criminal gangs operating with relative impunity inside rival nation-states.
A better solution would be to ensure that companies have to instate proper cyber resilience strategies and mandate that CEOs and other senior business leaders are responsible for such policies. This would reduce the likelihood of a successful ransomware attack and, at the very least, reduce the size of payment in the event that a company had been attacked. Such policies might not grab headlines in quite the same way, but sensible and effective policy rarely does.