Okay so I've had a chance to go through the Cth government's Ransomware Action Plan.

Here's a thread comprising some of my thoughts thereon.

#InThaCybers #Ransomware
I applaud the Cth for finally delivering this document, given the severity of the national security threat posed by the ransomware ecosystem.

A threat which the Minister for Home Affairs, @karenandrewsmp, highlights in her foreword.
The Action Plan rightly acknowledges the nature of counter-ransomware policy as multi-stakeholder by design.

That is, the state working with domestic partners and overseas partners.
Which is key because:
a) most ransomware threats originate from, and dirty monies therefrom, flow overseas; and
b) the private sector operates most of the computer networks (especially in critical infrastructure assets) that we rely on to function as an economy and society.
Okay, so the Ransomware Action Plan has 3 objectives.

Let's go through them.
Objective 1: 'Prepare and Prevent'

First things first, this seeks to build our _resilience_.
Which I find curious because prevention of cyber risk is not necessarily a pillar of the definition of cyber resilience.

(Source for screenshot is @asicmedia's Report 429: download.asic.gov.au/media/3062900/…)
Objective 1 contains good measures targeted at the giving of advice from Cth agencies to stakeholders on cyber risk management, as well as awareness raising.
But also some proactive measures.

The underlined one reminds me of 'clean pipes' initiatives whereby the state (here, through @ASDGovAu) is to work with telcos and ISPs to tackle internet traffic ferrying malware, scams, etc.
Okay, onto Objective 2: 'Respond and Recover'.

This one seems more targeted at the above definition of cyber resilience, focused on victims of ransomware attacks and the incentives behind their approach to incident response.
Funding for support through IDCARE is highlighted as an existing initiative, as is 'promoting information sharing and advice'.

I would love some more detail, however, on what this all looks like.
Because, to quote a blog post of mine (see screenshot), effective support services are crucial for incentivising victims to make the right decisions (ie 'do not pay the ransom').

Especially tangible help, not merely advice.

(Here's the blog post: anujolt.org/post/1104-rans…)
Of course, this is a potentially unfair comment by me on the document because it is merely setting the Cth's 'strategic approach', rather than being an in-depth policy manual.
Speaking of payments, the Cth makes clear the importance of ransom payments to the ransomware economy.

But the screenshotted bit made me scratch my head.
What does this mean? Or achieve?

Will this deter victim entities from coughing up ransoms?

Isn't it the equivalent of Bernard Woolley saying 'That was very wrong'?

(I'm biased because I argue in favour of prosecution for money laundering: anujolt.org/post/1104-rans…)
I also have issues with this future measure.

Unless these reforms are to do with making it easier for our LEAs to work with _overseas_ counterparts, I really don't know what the point of this is.

Because our rozzers already already do the things stated in the screenshot.
I dig this, however.

If the regulatory perimeter is appropriately drawn, this will ensure that entities - especially companies not covered by continuous disclosure laws - cannot exploit grey areas with the NDB laws to avoid incident reporting.
Onto Objective 3: 'Disrupt and Deter'.

Which I dig as well.

Since when is it bad to go on the front foot?
Current measures announced include the bolstering of LE capabilities to fight ransomware, including interagency cooperation, both with domestic and overseas partners.

Which is great.

This will be a great mechanism for intelligence gathering as well as disruption of ransomware networks.

(Devil's advocate: AFP/ACIC wanting to get in on some of the turf traditionally enjoyed by ASD?)
This is the real highlight for me, especially since it is marked as a 'current and immediate initiative'.

When the spooks know a fair bit about who these ransomwarers are, what financial and technical infrastructure they use, etc etc, why not go after them in the 5th domain?
I argued in a recent essay why this makes sense from a criminal law theory standpoint.


On the other hand, I question these proposals.

Why are existing cybercrime offences not enough?

Will an aggravated offence deter someone who is already depraved enough to target critical infrastructure?
Yes, joint statements with allies, etc and more attribution is great.

But again, what does this achieve?

Why not use the big guns like lobbying for these states to be placed on the FATF grey list, for instance?
Indeed: we worked with allies to take down ISIS's online propaganda capacity: we can do the same to ransomware actors.

Time to put those words in joint statements and reports into action.
Yes, of course, we can (and indeed) prosecute(d) financial crime involving virtual assets locally

But this measure involves international cooperation per the previous tweet by default, given the realities of virtual asset and ransomware ecosystems

Like through FATF and the J5
Or even through coordinated sanctions with, say, the US, the UK and the EU to ensure that attempts to cut off ransomware ecosystems' access to the international financial system are actually wide-ranging and meaningful.
So, on the whole, a good document with some areas for improvement and further enumeration, as above.

To read more about my views on counter-ransomware policy, check out this thread.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Ravi Nayyar

Ravi Nayyar Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ravirockks

13 Oct
A thread on what caught my eye from the @WhiteHouse's Fact Sheet on 'Ongoing Public U.S. Efforts to Counter #Ransomware'.

#InThaCybers #CyberDiplomacy
The second paras describe the national security threat posed by ransomware and the global nature of that threat. No surprises here.
Counter-ransomware policy = Multi-stakeholder by design.

The state must work with industry and other states because of inherent technological and economic realities.

Plus, it takes a network to take down a network like a transnational ransomware gang.
Read 18 tweets
13 Oct
Today, @karenandrewsmp, the federal Minister for Home Affairs, released the Cth's Ransomware Action Plan.

While I go through the latter, here's a collection of my thoughts hitherto on counter-ransomware policy.
Part 1 of 4 in my series for the @anujolt_law on counter-ransomware policy, here looking at the national security risk posed by ransomware.
Part 2 of 4 in the series, here exploring the ransomware economy.
Read 10 tweets
12 Oct
Hmm, USA sharing intel with the Indians to help the latter's COIN and CT efforts in Kashmir and ops along the LAC? I dig.

'Enhanced cooperation with like-minded partners' = Wait, they're not going for a clique like others suggest?
Interoperability is already helped by India buying and deploying US-made platforms like the C-17, Apache, C-130J and P-8I aircraft, and the M-777 ultra-light howitzer (eg at the LAC).

Source: hindustantimes.com/india-news/wea…
Read 8 tweets
12 Oct
The @USDISA is planning on looking at alternatives to the common access card, which US service personnel use to identify themselves to gate and chow hall staff, and when using computers.

DISA Director, @usairforce Lt. Gen. Robert Skinner, considers identity management an 'one area where the department can look to industry for a way ahead.'

'We want to leverage that technology to be able to provide greater options, so it's... truly multi-factor [auth]'.
'... the department must leverage what's happening in industry, and undergo a change in culture, to get to a "data-centric" environment versus a "network-centric" environment', that is, 'protect data' > 'protect infrastructure storing data'.
Read 4 tweets
11 Oct
This piece goes through the August judgement of the High Court, which granted the USA leave to appeal Assange’s discharge on two key grounds.

Additional to three key grounds that the USA wanted and got leave to appeal on in July.

—> If I were @TheJusticeDept, I’d be optimistic.
Of course, usual caveats:
1) I am neither an admitted lawyer nor an expert on UK law;
2) I have zero tickets in extradition matters, rather I am an Australian law nerd doing my PhD in critical software and infrastructure regulation; and
3) If you want to correct my points, please do for that helps me learn!
Read 4 tweets
11 Oct
Per the PM's speech, 4 pillars of Indian #SpacePolicy:
1) allowing the private sector to innovate;
2) government acting as an enabler;
3) preparing the youth for the future; and
4) seeing the space sector as fuel for India's development.

English summary of the PM's remarks.

cc: @Dr_M_Davis
Nicely in synch with the Quad's agenda for space cooperation.
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!