Following the latest Medibank data leaks, Australia’s Cyber Security Minister Clare O’Neil said the government was considering a law that would make it illegal to pay ransoms, according to Australian ABC News.
O’Neil noted that there were compelling reasons to make it illegal for companies to “try to buy their way out of trouble” while praising Medibank’s decision not to pay a $15 million ransom to prevent the release of user data.
“The idea that we’re going to trust these people to delete data that they have taken off and may have copied a million times is just frankly silly,” she told Insiders on Sunday.
She also announced the formation of a new Australian task force, combining the expertise of the Australian Federal Police (AFP) and the country’s cyber spy agency, the Australian Signals Directorate (ASD), that is designed to “hack the hackers.” O’Neil said the task force is an entirely new operating model for the two organizations: a permanent standing force of 100 of the “best and most capable cyber experts in [Australia]” that will be undertaking this task for the first time.
“What they will do is scour the world, hunt down the criminal syndicates and gangs” that target Australia in cyberattacks, and disrupt their efforts, O’Neil said. “This is Australia standing up and punching back. We are not going to sit back while our citizens are treated this way and allow there to be no consequences for that.”
When asked to elaborate on the expectations of the task force, O’Neil emphasized that Australia must “shift away from the sense that the only good outcome here is someone behind bars,” noting that the main goals of the government would be to disrupt hacking operations and not allow Australia to be a soft target.
While this approach has been considered for a long time in other parts of the world, “it hasn’t been broadly implemented. This is primarily because it does not work,” says Casey Ellis, Founder and CTO at Bugcrowd. “If a business is existentially threatened by denial-of-access then it’s likely that they’ll opt for breaking the law in the interest of survival. Secondly, organizations now face the unintentional consequence of giving ransom operators more points of leverage, not fewer, in receiving payment. Australia and the ASD have world-renowned offensive and counter-offensive cyber capabilities, as we have seen with their work to actively disrupt offshore scammer infrastructure during the onset of COVID in 2020.”
While there are legal and authorization issues surrounding these types of hack-back or proactive offensive operations, Ellis adds that if there’s one thing that appears to be effective at interrupting Ransomware as a Service (RaaS) or ransomware gangs, “it is exposing their operations and turning them against each other. This would be well within reach of the attack team [the minister] is alluding to here.”