Toll hack shows government's dangerous lack of cyber leadership

24 February 2020

The Australian Financial Review

For the past two months, public health systems around the world have battled to contain the outbreak of the novel coronavirus. While doctors treated individuals, governments worked on the public. Political leaders and health experts fronted public campaigns, raising awareness of the threat and spurring those at risk to act to protect themselves.

But in Australia, when faced with the threat of digital infection, our political leaders are silent.

Toll Group has been in the headlines recently in Australia, but over the past 12 months, the world has faced an epidemic of ransomware infections.

Ransomware is malicious software with a business model. It works by exploiting vulnerabilities in an organisation’s IT system, then effectively locks its data with encryption that requires a complex numerical key to unlock.

In exchange for this key, victims are asked to pay a ransom — usually in the form of difficult-to-trace bitcoin. And some pay: last year, the small town of Lake City, Florida, paid hackers almost half a million dollars to regain access to its system.

According to the anti-malware company Emsisoft, there were almost 1000 attacks on US government agencies, schools, colleges and healthcare providers last year alone. It was the year the US Department of Homeland Security formally warned the public of a “ransomware outbreak”.

These attacks are enormously disruptive, often taking IT systems offline for weeks. In August, ransomware simultaneously infected 22 Texan cities – one consequence was that police lost access to the computer systems in their patrol cars.

In May, extortionists hit Baltimore, crippling the city’s email, voicemail and its system for paying bills and property taxes — only a year after ransomware had disrupted its 911 dispatch system.

This isn’t merely about disruption and lost profit. Vital services have been compromised.

Australia hasn’t been immune to this ransomware epidemic. Last year, a Victorian government regional health network fell victim, shutting down systems and delaying some surgeries.

Then, in late January, Toll — a global transport company based in Melbourne — lost the use of up to 1000 servers in a ransomware attack and was forced to implement manual processes across large parts of its business.

At the time of writing, its systems have still not fully recovered.

Despite this, it has been two years since anyone in the Australian government has even mentioned “ransomware” in parliament.

There’s been no public health-style campaign. No minister has faced the media, flanked by cyber security experts. No minister has been sounding the alarm internally about the poor cyber resilience of government networks that has been revealed in a series of audits going back five years.

Even as the government consults on its next cyber security strategy, there has been little public debate about the best way to respond to an epidemic like this – whether helping organisations to protect themselves is the best we can do, or whether more strategic interventions closer to the source of these attacks might help reduce the risk.

It’s not a coincidence that the last time that ransomware was mentioned in Parliament by a member of the government was when there was a minister with direct portfolio responsibility for cyber security.

Since Scott Morrison abolished this dedicated role, there has been no one to provide the public, or the government, with any leadership on the issue.

Instead, by confusingly spreading responsibility across multiple portfolios, Australian cyber security policy has effectively been politically orphaned.

We need a dedicated position in government to meet challenges like ransomware — cyber security is too complex and too important for it not to be somebody’s day job.

If the government doesn’t shake its complacency, we could soon be experiencing our own ransomware outbreak.