Okay so I've had a chance to go through the Cth government's Ransomware Action Plan.
Here's a thread comprising some of my thoughts thereon.
#InThaCybers #Ransomware
I applaud the Cth for finally delivering this document, given the severity of the national security threat posed by the ransomware ecosystem.
A threat which the Minister for Home Affairs, @karenandrewsmp, highlights in her foreword.
The Action Plan rightly acknowledges the nature of counter-ransomware policy as multi-stakeholder by design.
That is, the state working with domestic partners and overseas partners.
Which is key because:
a) most ransomware threats originate from, and dirty monies therefrom, flow overseas; and
b) the private sector operates most of the computer networks (especially in critical infrastructure assets) that we rely on to function as an economy and society.
Okay, so the Ransomware Action Plan has 3 objectives.
Let's go through them.
Objective 1: 'Prepare and Prevent'
First things first, this seeks to build our _resilience_.
Which I find curious because prevention of cyber risk is not necessarily a pillar of the definition of cyber resilience.
(Source for screenshot is @asicmedia's Report 429: download.asic.gov.au/media/3062900/…)
Objective 1 contains good measures targeted at the giving of advice from Cth agencies to stakeholders on cyber risk management, as well as awareness raising.
But also some proactive measures.
The underlined one reminds me of 'clean pipes' initiatives whereby the state (here, through @ASDGovAu) is to work with telcos and ISPs to tackle internet traffic ferrying malware, scams, etc.
Okay, onto Objective 2: 'Respond and Recover'.
This one seems more targeted at the above definition of cyber resilience, focused on victims of ransomware attacks and the incentives behind their approach to incident response.
Funding for support through IDCARE is highlighted as an existing initiative, as is 'promoting information sharing and advice'.
I would love some more detail, however, on what this all looks like.
Because, to quote a blog post of mine (see screenshot), effective support services are crucial for incentivising victims to make the right decisions (ie 'do not pay the ransom').
Especially tangible help, not merely advice.
(Here's the blog post: anujolt.org/post/1104-rans…)
Of course, this is a potentially unfair comment by me on the document because it is merely setting the Cth's 'strategic approach', rather than being an in-depth policy manual.
Speaking of payments, the Cth makes clear the importance of ransom payments to the ransomware economy.
But the screenshotted bit made me scratch my head.
What does this mean? Or achieve?
Will this deter victim entities from coughing up ransoms?
Isn't it the equivalent of Bernard Woolley saying 'That was very wrong'?
(I'm biased because I argue in favour of prosecution for money laundering: anujolt.org/post/1104-rans…)
I also have issues with this future measure.
Unless these reforms are to do with making it easier for our LEAs to work with _overseas_ counterparts, I really don't know what the point of this is.
Because our rozzers already already do the things stated in the screenshot.
I dig this, however.
If the regulatory perimeter is appropriately drawn, this will ensure that entities - especially companies not covered by continuous disclosure laws - cannot exploit grey areas with the NDB laws to avoid incident reporting.
Onto Objective 3: 'Disrupt and Deter'.
Which I dig as well.
Since when is it bad to go on the front foot?
Current measures announced include the bolstering of LE capabilities to fight ransomware, including interagency cooperation, both with domestic and overseas partners.
Which is great.
#CyberDiplomacy
This will be a great mechanism for intelligence gathering as well as disruption of ransomware networks.
(Devil's advocate: AFP/ACIC wanting to get in on some of the turf traditionally enjoyed by ASD?)
This is the real highlight for me, especially since it is marked as a 'current and immediate initiative'.
When the spooks know a fair bit about who these ransomwarers are, what financial and technical infrastructure they use, etc etc, why not go after them in the 5th domain?
I argued in a recent essay why this makes sense from a criminal law theory standpoint.
#ReleaseTheHounds
On the other hand, I question these proposals.
Why are existing cybercrime offences not enough?
Will an aggravated offence deter someone who is already depraved enough to target critical infrastructure?
Yes, joint statements with allies, etc and more attribution is great.
But again, what does this achieve?
Why not use the big guns like lobbying for these states to be placed on the FATF grey list, for instance?
Indeed: we worked with allies to take down ISIS's online propaganda capacity: we can do the same to ransomware actors.
Time to put those words in joint statements and reports into action.
Yes, of course, we can (and indeed) prosecute(d) financial crime involving virtual assets locally
But this measure involves international cooperation per the previous tweet by default, given the realities of virtual asset and ransomware ecosystems
Like through FATF and the J5
Or even through coordinated sanctions with, say, the US, the UK and the EU to ensure that attempts to cut off ransomware ecosystems' access to the international financial system are actually wide-ranging and meaningful.
So, on the whole, a good document with some areas for improvement and further enumeration, as above.
To read more about my views on counter-ransomware policy, check out this thread.
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.