Are businesses ready to be outed for paying ransoms to cybercrooks?
This article originally appeared as an opinion piece by Alastair MacGibbon and Jordan Newnham in the Australian Financial Review on December 2 2024
The new cyber reforms passed by the federal parliament last week represent a landmark moment in government efforts to curb the proliferation of cybercrime in Australia.
New measures include improved security standards on smart devices, establishing a Cyber Incident Review Board, and requiring more organisations to report ransom payments.
Importantly, it’s not just cybersecurity or IT professionals who should be taking note.
The lasting legacy of Australia’s cyber reckoning in late 2022 – which began with the Optus hack and was accelerated by Medibank – is that cyber is not just an IT or a security problem any more. It’s as much about reputation as it is computer systems.
The new Cyber Security Act could have significant implications for how organisations navigate a hacking crisis and tell their story to stakeholders and the public – particularly if they decide to pay a ransom.
The circumstances and impact of every cyber incident are different, but one observation has continued to hold true: to our knowledge, no Australian organisation has been publicly outed for paying a ransom. Not by themselves, not by media, and not by government.
There are certainly some high-profile examples overseas. The most famous is Colonial Pipeline in the United States, which in 2021 admitted to paying hackers US$4.4 million to get fuel flowing through to the east coast of the US and avoid a full-blown energy crisis. But we are yet to see any such disclosure in Australia.
John Mullen, Chair of Qantas and former Chair of Toll, came close recently when he told the AFR Cyber Summit that he wished he’d paid up when a private maritime museum run by his Silentworld Foundation fell victim to a ransomware attack.
“It basically destroyed 35 years worth of data. In retrospect, I probably would have paid that ransom,” he said.
While most organisations don’t end up paying a ransom, it’s an open secret that a substantial proportion of victim organisations do.
Organisations generally decide to pay ransoms for two reasons: firstly, to regain access to encrypted systems and be able to continue operating; and secondly, to stop the hackers from releasing stolen data that might include commercially confidential or personal and sensitive information.
To be clear: no sensible person ever wants to pay a criminal. But the pressure and duress organisations are under should never be underestimated by people commentating from the sidelines, and there are some situations where paying a ransom is the lesser of two evils.
Encrypting systems can make it impossible to operate, and the leaking of sensitive data can result in harm to vulnerable individuals. In these circumstances, paying a ransom can be justified as an unpalatable but legitimate avenue of last resort.
To date, organisations have been able to make such payments – in bitcoin or other cryptocurrency – legally, but largely in the shadows. The new mandatory cyber reporting reforms will change this.
Now, organisations with an annual turnover of more than $3 million will be required to report ransom payments to the Australian Cyber Security Centre (ACSC) or face fines of up to $19,800.
These reforms are designed to help shed light on an opaque, murky phenomenon, and create a clearer picture for government and intelligence agencies of the visceral cyber risks affecting too many Australian organisations.
While these reforms are necessary and welcome, they also present a new risk calculus for businesses suffering a cyberattack: that the paying of a ransom could become public knowledge, creating negative reputational sentiment.
For organisations that pay but don’t report to the ACSC, the (up to) $19,800 fine may pale in comparison to the reputational damage that could result from being fined.
For those that pay and do report to the ACSC, the government has provided assurances around how they will handle this information. However, the unavoidable reality is that more external parties than ever before may become aware of an organisation’s choice to pay criminals a ransom.
As the reputational risks become more challenging to navigate, this could also result in fewer organisations choosing to pay a ransom, less money flowing to offshore criminal groups, and Australia earning a reputation among hackers as a more difficult place to ply their trade.
That said, there is no doubt ransoms will still be paid. Where businesses are brought to their knees financially, or there is threat of harm to individuals, there may be no other option. Armchair experts who have never had to live with that fear and make those choices will have to learn to live with the ugly reality.
Our observation that no Australian organisation has ever had to publicly discuss – let alone defend – paying a cyber ransom may not hold true for much longer.
Is Australia ready to have a mature conversation about how and when ransoms might be paid, and are justified? We are about to find out.
Alastair MacGibbon is Chief Strategy Officer at CyberCX. Jordan Newnham is Executive Director of Corporate Affairs, Brand and Policy at CyberCX.