I applaud the Cth for finally delivering this document, given the severity of the national security threat posed by the ransomware ecosystem.
A threat which the Minister for Home Affairs, @karenandrewsmp, highlights in her foreword.
The Action Plan rightly acknowledges the nature of counter-ransomware policy as multi-stakeholder by design.
That is, the state working with domestic partners and overseas partners.
Which is key because:
a) most ransomware threats originate from, and dirty monies therefrom, flow overseas; and
b) the private sector operates most of the computer networks (especially in critical infrastructure assets) that we rely on to function as an economy and society.
Okay, so the Ransomware Action Plan has 3 objectives.
Let's go through them.
Objective 1: 'Prepare and Prevent'
First things first, this seeks to build our _resilience_.
Which I find curious because prevention of cyber risk is not necessarily a pillar of the definition of cyber resilience.
Objective 1 contains good measures targeted at the giving of advice from Cth agencies to stakeholders on cyber risk management, as well as awareness raising.
But also some proactive measures.
The underlined one reminds me of 'clean pipes' initiatives whereby the state (here, through @ASDGovAu) is to work with telcos and ISPs to tackle internet traffic ferrying malware, scams, etc.
Okay, onto Objective 2: 'Respond and Recover'.
This one seems more targeted at the above definition of cyber resilience, focused on victims of ransomware attacks and the incentives behind their approach to incident response.
Funding for support through IDCARE is highlighted as an existing initiative, as is 'promoting information sharing and advice'.
I would love some more detail, however, on what this all looks like.
Because, to quote a blog post of mine (see screenshot), effective support services are crucial for incentivising victims to make the right decisions (ie 'do not pay the ransom').
Of course, this is a potentially unfair comment by me on the document because it is merely setting the Cth's 'strategic approach', rather than being an in-depth policy manual.
Speaking of payments, the Cth makes clear the importance of ransom payments to the ransomware economy.
But the screenshotted bit made me scratch my head.
What does this mean? Or achieve?
Will this deter victim entities from coughing up ransoms?
Isn't it the equivalent of Bernard Woolley saying 'That was very wrong'?
Unless these reforms are to do with making it easier for our LEAs to work with _overseas_ counterparts, I really don't know what the point of this is.
Because our rozzers already already do the things stated in the screenshot.
I dig this, however.
If the regulatory perimeter is appropriately drawn, this will ensure that entities - especially companies not covered by continuous disclosure laws - cannot exploit grey areas with the NDB laws to avoid incident reporting.
Onto Objective 3: 'Disrupt and Deter'.
Which I dig as well.
Since when is it bad to go on the front foot?
Current measures announced include the bolstering of LE capabilities to fight ransomware, including interagency cooperation, both with domestic and overseas partners.
This will be a great mechanism for intelligence gathering as well as disruption of ransomware networks.
(Devil's advocate: AFP/ACIC wanting to get in on some of the turf traditionally enjoyed by ASD?)
This is the real highlight for me, especially since it is marked as a 'current and immediate initiative'.
When the spooks know a fair bit about who these ransomwarers are, what financial and technical infrastructure they use, etc etc, why not go after them in the 5th domain?
I argued in a recent essay why this makes sense from a criminal law theory standpoint.
Will an aggravated offence deter someone who is already depraved enough to target critical infrastructure?
Yes, joint statements with allies, etc and more attribution is great.
But again, what does this achieve?
Why not use the big guns like lobbying for these states to be placed on the FATF grey list, for instance?
Indeed: we worked with allies to take down ISIS's online propaganda capacity: we can do the same to ransomware actors.
Time to put those words in joint statements and reports into action.
Yes, of course, we can (and indeed) prosecute(d) financial crime involving virtual assets locally
But this measure involves international cooperation per the previous tweet by default, given the realities of virtual asset and ransomware ecosystems
Like through FATF and the J5
Or even through coordinated sanctions with, say, the US, the UK and the EU to ensure that attempts to cut off ransomware ecosystems' access to the international financial system are actually wide-ranging and meaningful.
So, on the whole, a good document with some areas for improvement and further enumeration, as above.
To read more about my views on counter-ransomware policy, check out this thread.
Hmm, USA sharing intel with the Indians to help the latter's COIN and CT efforts in Kashmir and ops along the LAC? I dig.
'Enhanced cooperation with like-minded partners' = Wait, they're not going for a clique like others suggest?
Interoperability is already helped by India buying and deploying US-made platforms like the C-17, Apache, C-130J and P-8I aircraft, and the M-777 ultra-light howitzer (eg at the LAC).
The @USDISA is planning on looking at alternatives to the common access card, which US service personnel use to identify themselves to gate and chow hall staff, and when using computers.
DISA Director, @usairforce Lt. Gen. Robert Skinner, considers identity management an 'one area where the department can look to industry for a way ahead.'
'We want to leverage that technology to be able to provide greater options, so it's... truly multi-factor [auth]'.
'... the department must leverage what's happening in industry, and undergo a change in culture, to get to a "data-centric" environment versus a "network-centric" environment', that is, 'protect data' > 'protect infrastructure storing data'.
Of course, usual caveats: 1) I am neither an admitted lawyer nor an expert on UK law; 2) I have zero tickets in extradition matters, rather I am an Australian law nerd doing my PhD in critical software and infrastructure regulation; and
3) If you want to correct my points, please do for that helps me learn!