THE EVOLUTION OF RANSOMWARE & ITS IMPACT ON GOVERNMENT
Speech to the Government Data Protection & Breach Response Summit 2022
Thursday 3 February 2022
###CHECK AGAINST DELIVERY###
I’m delighted to be joining you today at this real life, in person conference — it’s so much more rewarding to be able to give a speech to a room of human beings rather than a screen full of disembodied digital heads!
I acknowledge the traditional owners of this land, the Ngunnawal and Ngambri peoples and pay my respects to their elders past and present.
It’s a cliché to say that in this Covid era, we live in unprecedented and rapidly changing times.
But for those of us working in Infosec, it’s been a particularly challenging couple of years.
While the pandemic has raged through the physical world over the past two years, in the digital domain, threats from nation state actors and criminal groups alike have grown more acute.
At times, they’ve become increasingly difficult to distinguish as well.
I know that for those defending networks, and particularly those responding to incidents, it’s been a demanding period and I want to express my thanks for the work you’ve been doing.
While ransomware was already dominating the agenda in infosec circles in 2020, 2021 was the year that ransomware went mainstream amongst policy makers.
Security firm Emsisoft received reports of just over half a million ransomware incidents around the world in 2021.
Governments around the world were a major target — more than 2,300 local governments, schools, and healthcare organizations in the US were affected by ransomware attacks in 2021.
And high-profile incidents like the Colonial Pipeline attack attracted headlines around the world and focused the attention of mainstream political leaders.
Australia has not been immune from these global trends.
We’ve seen a number of incidents impacting on public services and critical infrastructure operators including hospitals operated by UnitingCare in Queensland and Gippsland Health Alliance in Victoria, Queensland’s government energy company CS Energy, and Australia’s largest meat processor JBS Foods.
When I released a discussion paper about the need for Australia to develop a National Ransomware Strategy, the responsible Minister in the Australian government had never said the word ‘ransomware’ in the Parliament.
I was the only MP talking about ransomware in Parliament in 2019 and it wasn’t until December 2020 that a member of the current government used the word in the Parliament.
Those days of political obliviousness are now gone.
Ransomware is now a top agenda item at diplomatic summits and multilateral security fora.
While this political attention has been welcome, and the policy interventions that have followed it have been much overdue, early indications are that the ransomware threat is not going away any time soon.
Indeed, there are reasons to be concerned about a worsening outlook over the coming 12 months.
It’s now undeniable that the ransomware ecosystem operates in a feedback loop with geo-strategic trends.
Ransomware groups have long benefited from the ability to operate out of nation states that lack the will or capability to deal with the groups within their own borders.
There’s an ongoing risk that new ransomware affiliates will evolve in states that have existing issues with international organised crime groups within their borders, in regions like Africa and Southeast Asia.
Even worse, like the privateers of the 19th century, a number of states now use ransomware gangs as tools of strategic policy with varying degrees of deniability.
With geo-strategic tensions worsening across multiple fronts, it’s not hard to imagine a scenario in which those state backed ransomware groups become more active as relations between states become more fractious.
2021 also saw the relationship between state actors and ransomware groups evolve in ways that present new challenges to defenders.
2021 saw APTs and increasingly well-resourced ransomware groups begin to exploit supply chain attacks to obtain access to downstream targets.
The SolarWinds supply chain attack showed what the most sophisticated actors could achieve through this attack vector.
Perhaps more concerningly, smaller firms with lower product maturity levels and less scrutinised software offerings have increasingly become a way into technology supply chains for attackers and incidents like the Kaseya and Frontier Software incidents highlighted the potential of this form of attack.
As some APTs have shown a willingness to burn this kind of supply chain access during their own operations, we’ve seen exploits go from tightly held zero day to commodity attack vector at a scary pace.
While the nature of ransomware has evolved and grown, the impact of the threat has now begun to manifest itself in new ways too.
As 2021 saw record ransomware payments and organisational downtime, we’ve seen this flow through into the premiums, coverage and pay outs of cyber insurance policies.
In recent times we’ve even seen the scale of the threat to local governments in the US priced into municipal bond markets.
This is the situation we all confront today.
Ransomware isn’t going anywhere soon and the threat is evolving and becoming more challenging.
At the same time, the bills for organisations with low levels of cyber resilience are quickly coming due.
And of course, ransomware is just one of the many threats to government data that we confront today.
The message is clear — all of us who are charged with the protection of government data need to lift our game.
Some of us are starting from a better position than others in this regard.
In my role as a Member of Parliament, I sit on the Joint Committee of Public Accounts and Audit.
It’s one of those Parliamentary institutions that’s little known beyond public administration buffs.
But it’s one of the most important institutions of accountability in our Parliamentary committee system.
The JCPAA is established under legislation and is empowered to inquire into the work of the Auditor-General.
The cyber resilience of Commonwealth entities has been a focus of the Auditor-General for the better part of a decade now.
In that time, we’ve had six ANAO performance audits and three JCPAA inquiries that have continued to highlight the same issues.
In the nearly nine years since the Australian Signals Directorate’s Top Four cyber security mitigations became mandatory for Commonwealth entities, less than a quarter of Commonwealth entities audited by the ANAO have been found to be fully compliant.
The latest data from the Government’s own Cyber Posture Report has confirmed that “entities’ self-assessed implementation of the mandatory Top Four mitigation strategies remains at low levels across the Australian Government”.
This is despite the Government taking significant steps to drive compliance, like writing Agency Heads a letter asking them to take cybersecurity seriously.
The Auditor-General was sufficiently concerned about persistent, systemic non-compliance with mandatory cyber security mitigations that, reflecting on five years in the role, he highlighted it as one of the most significant issues of concern in his mid-term report.
In the face of a worsening threat environment, this persistent failure across the Commonwealth to implement a fundamental set of cyber security controls over the past decade does not bode well.
I welcome the Government’s new hubbing model for Commonwealth cyber security and its recently stated intention to mandate compliance with the Essential Eight — several years after ASD developed the E8 and stressed the importance of its implementation.
But these policy changes will be for naught if we can’t fix the accountability culture problems within Commonwealth cyber security.
My interactions with the ANAO, the Commonwealth PSPF policy holders and the audited agencies during this time have sheeted home to me the need for cultural change in the way we engage with cyber security across the Commonwealth.
Members of the JCPAA have heard the same issues over and over again.
The ANAO has been very clear that the root cause of this systemic non-compliance is a failure of accountability within government.
In its latest report, the ANAO put it bluntly, finding that:
“The cyber policy and operational entities have not established processes to improve the accountability of entities’ cyber security posture. The current framework to support responsible Ministers in holding entities accountable within Government is not sufficient to drive improvements in the implementation of mandatory requirements.”
From my perspective on the JCPAA, it’s also been clear that there’s currently a resistance to external accountability and an instinct towards secrecy within government, regardless of the context.
Let me give you two examples of this.
First, the Cyber Security Posture Report itself.
In October 2017, in response to an ANAO Cyber Resilience Audit, the JCPAA recommended that “the Attorney-General’s Department and the Australian Signals Directorate report annually on the Commonwealth’s cybersecurity posture to the Parliament.”
The Committee reported that:
“As a strategic priority, it is crucial that Commonwealth entities be accountable to the Australian Parliament on cybersecurity.”
Keep in mind that this is a committee with a government majority and a long record of bipartisan cooperation between members.
Despite this, it wasn’t until April 2019 that the Government agreed to this recommendation.
The government didn’t produce the first Cyber Security Posture Report in accordance with this recommendation until June 2021.
This report then declared that the next report wouldn’t be delivered until November 2022!
The upshot of this is that in the five years between the time that the government led JCPAA recommended the government report annually to the Parliament on the Commonwealth’s Cyber Posture as a ‘strategic priority’, there will have been just two annual reports.
This isn’t the behaviour of a government that welcomes the important role accountability plays in building cyber resilience.
The second example of how the government’s instinct for secrecy is impeding accountability and a culture of collaboration on cyber security that I want to highlight here is somewhat surreal.
I’ve taken my role as the Shadow portfolio holder for Cybersecurity seriously — all the more so because for the bulk of my time in this role, I haven’t had an opposite number in the government.
I’ve tried to use my role constructively — using the accountability functions of the Parliament to ask the kinds of questions that might prompt a conversation internally on an issue that had previously been neglected, hopefully empowering someone on the inside trying to drive change.
So I arranged to ask all Commonwealth entities questions on notice about their compliance with the Top Four and the Essential Eight.
I received a uniform response to these questions:
“Publicly reporting on individual agency compliance… would provide a single, detailed and individualised snapshot in time of the entire Government’s cyber security maturity and as a result may provide a heat map for vulnerabilities in government networks, which malicious actors may exploit and thus increase an agency’s risk of cyber incidents.”
After receiving these answers, I reflected on this and decided, ‘Ok’, I’m not going to second guess the threat modelling of people trying to protect these networks.
I was less sanguine though when I subsequently asked each of these same entities about the status of their DMARC implementation…and received the same blanket refusal to answer.
Even though DMARC implementation is externally observable!
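The point about DMARC is worth making concrete. A domain’s DMARC policy is published as a public DNS TXT record at `_dmarc.<domain>`, so anyone can read it and judge how strict it is without any privileged access. The following is an added example, not part of the speech: a small Python assessor that parses a DMARC record as it would be returned from DNS and flags the weak settings a defender would want to notice (monitoring-only policy, partial enforcement, unprotected subdomains, no aggregate reporting). The domain names and records below are constructed for illustration and do not belong to any real organisation.

```python
"""Assess the posture a published DMARC record reveals.

DMARC records are public DNS TXT records (at _dmarc.<domain>), so the
checks below use only information an outside observer can already see.
The sample records are constructed; the domains are not real.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    present: bool                       # a valid v=DMARC1 record exists
    policy: Optional[str]               # p= tag: none / quarantine / reject
    subdomain_policy: Optional[str]     # sp= tag, defaulting to p=
    pct: int                            # share of failing mail the policy applies to
    has_aggregate_reports: bool         # rua= tag present
    findings: List[str] = field(default_factory=list)


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Classify one DMARC TXT record (None means no record was published)."""
    if record is None:
        return DmarcAssessment(False, None, None, 0, False,
                               ["no _dmarc TXT record published"])
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return DmarcAssessment(False, None, None, 0, False,
                               ["record is not a DMARC1 record"])

    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing mandatory p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")

    # sp= defaults to the parent policy when absent (RFC 7489).
    subdomain_policy = tags.get("sp", policy)
    if policy in ("quarantine", "reject") and subdomain_policy == "none":
        findings.append("sp=none: subdomains are not covered by the parent policy")

    pct_raw = tags.get("pct", "100")
    try:
        pct = int(pct_raw)
    except ValueError:
        pct = 0
        findings.append(f"pct={pct_raw!r} is not a number")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")

    has_rua = "rua" in tags
    if not has_rua:
        findings.append("no rua= address: no aggregate reports, failures go unseen")

    return DmarcAssessment(True, policy, subdomain_policy, pct, has_rua, findings)


def posture_summary(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Reduce a set of domains to a one-word posture each, for a quick overview."""
    summary: Dict[str, str] = {}
    for domain, record in records.items():
        result = assess_dmarc(record)
        if not result.present:
            summary[domain] = "absent"
        elif result.policy in ("quarantine", "reject") and not result.findings:
            summary[domain] = "enforcing"
        elif result.policy in ("quarantine", "reject"):
            summary[domain] = "partial"
        else:
            summary[domain] = "monitoring"
    return summary


# Constructed sample records standing in for the TXT answers a resolver would return.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "absent.example": None,
}

if __name__ == "__main__":
    for domain, verdict in posture_summary(SAMPLE_RECORDS).items():
        print(f"{domain:18} {verdict:11} {assess_dmarc(SAMPLE_RECORDS[domain]).findings}")
```

To run this against a real domain you would feed `assess_dmarc` the TXT record returned for `_dmarc.<domain>` by any DNS resolver; the assessment itself needs nothing beyond that public answer, which is the point the speech makes.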
This isn’t the approach of a government seeking to take a collaborative approach to those outside the organisation that share its aims.
This is the approach of a government that over time has developed an unthinking culture of secrecy and insularity.
This is really the most important thing that I want to talk to you about today.
If Labor wins the next Federal election, and I’m lucky enough to keep my dream portfolio in Cybersecurity, I want to help drive a step change in the Commonwealth’s cyber security culture.
In particular, I want to change the way that the cyber security functions of government — from policy development to information security — interact with the Australian cyber security ecosystem outside of government.
Australia’s cyber security is a whole of nation endeavour.
It requires defending networks operated by multiple levels of government, within small and large businesses, and within civil society.
It demands that we draw on the different experiences and perspectives of individuals across these domains.
It’s a team sport… and we’re more likely to win if we play as a team.
Unfortunately, in my time in this portfolio, I’ve consistently heard from people in the private sector that the Commonwealth is difficult to work with on cyber security.
On policy matters, instead of leading collaborative, co-designed policy development processes, regulation is too often imposed on stakeholders after consultation processes that too often take on the quality of a black hole when difficult issues are confronted.
On operational matters, people in the private sector regularly tell me that they are confused about their terms of engagement with the Commonwealth on cyber security issues.
There’s confusion about what incidents the ACSC will choose to become involved in, and what actions they are expected to undertake when they become involved.
We’ve got a lot of work to do on managing expectations and communicating roles in this respect.
While we have made some progress on the real time sharing of actionable threat intelligence between government and the private sector — particularly compared to the very limited progress that was made on this front before 2020 — we still have a long way to go to reach the full potential of this kind of collaboration.
Despite a reframing of the role of the Joint Cyber Security Centres in the 2020 Cyber Security Strategy, there’s still a broad consensus that they are failing to achieve their objective of facilitating practical collaboration between the Commonwealth, States, territories, and the private sector.
While the government’s Industry Advisory Panel Report recommended that the JCSCs “reduce the current reliance on collaboration through events”, the first annual review of progress on the implementation of the 2020 Cyber Security Strategy prepared by the Committee still focused on the number of events held at the JCSCs as a metric for their success.
There’s an enormous reserve of will on the part of the private sector to collaborate with the Commonwealth on these issues — all it needs is a willing partner.
If we were to win government, I want to find more ways to kick start routine collaboration between the Commonwealth and the broader Australian cyber security ecosystem.
A bigger effort on staff exchanges is an obvious place to start.
Despite the Industry Advisory Panel Report for the 2020 Cyber Security Strategy recommending that a staff exchange program be created between the ACSC, academia and industry to ‘enable cross-sectoral collaboration and information sharing’, beyond limited secondments involving the top four banks and major telcos, little progress has been made on this front.
The UK’s National Cyber Security Centre has achieved enormous success in this regard, and we ought to learn from their experience.
The ACSC is not charged with responding to every incident that affects an Australian organisation, nor does it have the capacity to do so.
I know how busy it has been as it is!
Private sector incident response firms are all too well practised in assisting organisations to respond to and recover from major cyber attacks, but their relationship with the ACSC could be closer.
The UK’s National Cyber Security Centre established a Cyber Incident Response (CIR) scheme to enhance relationships with IR firms, build a basis for consistent bi-directional information sharing, and set standards for incident response.
To promote increased collaboration between the Commonwealth and private sector incident responders, we should be exploring an Australian equivalent of this scheme led by ACSC.
I also want to find ways to better normalise the involvement of the cyber security community outside of government in the Commonwealth’s cyber security mission.
Even the best internal cyber security team in the world won’t catch all security vulnerabilities in its systems.
Vulnerabilities in organisations’ systems are regularly identified by cyber security researchers working outside the organisation — professional security researchers, altruistically motivated public interest researchers and academic researchers.
Sometimes these vulnerabilities are identified inadvertently during unrelated work, sometimes they are identified as part of concerted scrutiny of an organisation’s systems by independent, external researchers.
The world’s most cyber resilient organisations, in both the public and private sector, now actively incentivise collaboration between internal security teams and these independent security researchers.
The two principal mechanisms that have emerged for doing so are Vulnerability Disclosure Processes (VDPs) and Bug Bounty schemes.
VDPs set out a clear process through which people outside an organisation can report security vulnerabilities, including a contact point, a statement that disclosed vulnerabilities will be accepted in good faith (and not met with legal threats, as was once common), and an indication of the timeline within which the organisation intends to respond to disclosures.
A good VDP incentivises engagement by independent security researchers by giving them confidence that issues raised will be taken seriously and their contributions will be valued.
As the UK National Cyber Security Centre has said:
“Security vulnerabilities are discovered all the time and people want to be able to report them directly to the organisation responsible. These reports can provide you with valuable information that you can use to improve the security of your systems. It really is in your best interest to encourage vulnerability disclosure.”
On this basis, the UK government requires the owners of all UK government online services to operate a vulnerability disclosure process and the National Cyber Security Centre (NCSC) has published a best practice vulnerability disclosure toolkit showing how to do so.
I’m pleased that after I began raising this issue in Parliament, VDPs became a recommended cyber security control in the ACSC’s Information Security Manual in August 2020.
Similarly, ACSC’s IoT Code of Practice recommends manufacturers implement a VDP for their products and the guidance note for the code goes so far as to say that:
“the Australian Government recommends industry prioritise … vulnerability disclosure (as it)… will bring the largest security benefits in the short term.”
ASD has told the Senate in response to questions on notice that
“Implementing a vulnerability disclosure program, based on responsible/coordinated disclosure, can assist organisations, vendors and service providers to improve the security of their products and services as it provides a way for security researchers, customers and members of the public to responsibly notify them of potential security vulnerabilities in a coordinated manner”
Despite this, there’s no central policy mandate for the use of VDPs by Commonwealth entities.
As a result, implementation of VDPs across the Commonwealth is patchy at best.
The saga of the COVIDSafe app highlights the missed opportunity to harness the contributions of independent security researchers to lift the Commonwealth’s cyber resilience.
As a high profile product release, the COVIDSafe app attracted significant attention from public interest technologists reviewing the functionality and security of the app.
One researcher identified what he believed were security issues with the app shortly after it was released.
He received no response to the issues he raised for eight days.
It was only when the issue began to attract media attention that he received a one-line acknowledgement via email.
An update to the app released the day he received this response did not address the issue he raised.
No one won from this saga.
The government was embarrassed by adverse media coverage.
Public confidence in the app was undermined by the government’s secretive and defensive response.
Potential security vulnerabilities in the app were not transparently addressed.
And the voluntary contributions of independent security researchers, that could have been harnessed to lift Commonwealth cyber security were squandered.
Everyone’s a winner when Commonwealth agencies implement VDPs and we should see more of it across government.
The UK government believes so strongly in the importance of VDPs for lifting its own cyber resilience that since 2019, it has operated a Vulnerability Disclosure Policy of last resort on the HackerOne platform for the submission of vulnerabilities where the VDP operated by the owner of the service fails to produce an outcome for whatever reason.
When I’ve asked the Australian government why it doesn’t have an equivalent vulnerability disclosure policy of last resort the answer I have received from agencies via questions on notice is that vulnerabilities can be reported to the ACSC at any time via https://www.cyber.gov.au/acsc/report.
Unfortunately, this isn’t a VDP portal.
It’s the ACSC’s cyber-crime reporting portal that directs user reports of cyber-crimes to relevant law enforcement authorities.
There’s no information to inform a researcher about the timelines in which their report will be handled, or the types of responses they may receive — all basic information a VDP should provide.
It didn’t inspire confidence and is another easy win that the Commonwealth could remedy to improve its collaboration with independent security researchers.
Bug Bounties take VDPs a step further and offer financial rewards for specific categories of vulnerabilities as an incentive for researchers to review their networks.
The US has actively engaged security researchers through bug bounty programs, which offer a financial reward for finding security vulnerabilities. Since 2016 the Hack the Pentagon program has contributed to more than 10,000 vulnerabilities being discovered by researchers attempting to breach the Pentagon, Army, Air Force, Marine Corps and Defense Travel System.
In Australia, the NSW government has recently deployed its first bug bounty program in conjunction with its development of a digital drivers licence.
Bug bounties have also been adopted by the private sector. Bugcrowd is a platform founded in Sydney which provides private firms with access to a pool of security researchers who look for vulnerabilities for payment, with clients including Tesla, Atlassian, Fitbit, Square, Mastercard and others.
Thousands of security researchers around the world now make their living from identifying vulnerabilities to earn bug bounties.
Despite this, when I’ve asked the government about the potential use of bug bounties to lift Commonwealth cyber resilience, I’ve been told that the Morrison government has never even considered using bug bounty programs.
I should be clear — bug bounties are no silver bullet.
They aren’t an answer for every situation, and are a supplement to a good security posture, not a replacement for it.
But there are plenty of situations where more eyes — particularly financially incentivised eyes — can help make a system more secure.
The fact that the Commonwealth has never even considered their use to improve the Commonwealth’s cyber posture is disappointing.
It’s another area where there are potentially significant gains that can be realised by the promotion of a Commonwealth cyber security culture that is more open to collaboration with researchers outside of government.
Since taking this portfolio, I’ve regularly spoken about the need for the government to change its relationship to independent security researchers.
Independent security researchers play an invaluable role in lifting overall levels of cyber security.
Unfortunately this role sometimes isn’t recognised by individual organisations, governments or existing legal frameworks.
I’ve heard from many independent security researchers that this situation is creating legal uncertainty for their work.
The Cybersecurity Advisors Network (CyAN), an international professional body for the sector, has launched an advocacy campaign for legislation that protects researchers that notify vendors of vulnerabilities in their products and services.
According to CyAN, researchers are often hit with legal threats after disclosing vulnerabilities to the product or service provider.
This is a complex area of law with many potentially relevant legislative frameworks across multiple levels of government.
Government should be listening to independent security researchers about the challenges they face in undertaking public interest work and ensuring legislation that affects their work is fit for purpose.
A government that wanted to harness the endeavours of independent researchers to improve our posture could take a number of steps.
It could initiate a process to reconcile conflicting and confusing state and territory laws that are potentially applicable to aspects of security researchers’ work.
Looking closely at potential legislative obstacles to the work of independent security researchers would be another way the government could demonstrate good faith collaboration with the broader cyber security ecosystem.
It’s been a tough time to be in infosec — wherever you’re working.
Unfortunately, it doesn’t look like the challenges we face are going to become easier any time soon.
But the harder things get, the more important it is that everyone who shares the same mission — uplifting Australia’s national cyber resilience — is working as closely together as possible to achieve that end.
Working with people and organisations from different cultural contexts is hard.
We’ve got to work at it to make it work.
It’s not an insurmountable challenge.
I know that the people working on cyber security inside government want to collaborate with the people in the private sector, civil society and academia who share their goals.
We just need the political leadership that will allow them to do it.
I hope to get the opportunity to provide it.