Don’t ban paying cyber ransoms, ex-US spy chief warns Australia
Melbourne, Australia – 6 August, 2023
A former US National Security Agency director says Australia should not impose a blanket ban on paying cyber ransoms but instead adopt a risk-based approach that considers a set of key criteria.
Retired admiral Michael Rogers, who headed the NSA and led United States Cyber Command from 2014 to 2018 under presidents Barack Obama and Donald Trump, also called for a shift in thinking on cyberattacks.
“This is what I used to tell the two presidents, ‘Sir, if the metric you’re going to use is anytime we have a significant penetration that is a failure, then you are going to be incredibly frustrated’,” Mr Rogers told The Australian Financial Review.
Instead, he called for businesses and policymakers to shift their perspective to measure success by how well attacks are responded to after they occur.
“How quickly are you recovering? How much are you able to mitigate this and stop it from spreading: both how quickly and how well? How well are you able to ensure you have appropriate control and knowledge over data?” he said.
“That’s a very different way of looking at the cybersecurity problem.”
Mr Rogers said that after decades working on both offensive and defensive cyber capability in the US government, he had one clear takeaway.
“With a determined adversary who is focused on you as a target and who was prepared to commit resources, it is very difficult to ensure 100 per cent that they will not penetrate your system.”
The comments come ahead of the Albanese government’s much anticipated cybersecurity strategy, expected from Home Affairs Minister Clare O’Neil around mid- to late October after the Voice referendum.
Guidelines for appropriate payments
The strategy is expected to be wide-ranging and will set out how all areas of government will work together to protect against cyber threats, “with the aim of uplifting Australia’s cybersecurity capability to become the world’s most cyber secure nation by 2030”.
As part of the strategy, Ms O’Neil has been consulting industry on a legal framework for ransom payments and, while she has been strongly opposed to payments, it is understood her views have evolved to reflect the complexity of the issue.
Mr Rogers said he was wary of outlawing all ransom payments and a one-size-fits-all approach. He suggested a set of criteria should be adopted by government and industry for when a payment might be appropriate.
“I think we need to make this risk-based,” he told the Financial Review, suggesting that factors such as loss of life, health, national security and economic stability be weighed against the risk of payment.
The weighing exercise should be done in co-operation with government rather than left to firms, which could face penalties for a wrong call.
“A partnership is a much better way to look at this,” he said, a view that was formed during the Colonial Pipeline ransomware attack in 2021 when a major US oil pipeline system was hit by hackers.
“The company was making significant decisions and not really talking to the government about it.”
The corporate watchdog earlier this year warned it would seek record penalties for breaches of market disclosure amid new findings that listed companies were acting illegally by failing to disclose material cyberattacks.
Mr Rogers, who is in Australia as a member of the global advisory board of cybersecurity firm CyberCX, said Australia was well-placed to play a leading role in cyber globally due to its government-forward approach.
“Australia has been very aggressive about the use of legislation, regulatory oversight, particularly in the form of critical infrastructure,” he said, an approach he acknowledged was not being followed by the regulation-shy US.
“Australia is very well-positioned to have a significant global role in cybersecurity. Australia can really help raise the level of capability, awareness, focus, and help create better strategies for nations.”
Abigail Bradshaw, the head of the Australian Cyber Security Centre, in November said reports of cyberattacks in financial year 2021-22 increased nearly 13 per cent to 76,000, one attack every seven minutes.
Recent high-profile breaches in Australia include Optus, Medibank Private, Meriton, Commonwealth Bank, IPH Limited and Latitude.