Just a recap - Trustwave in no way endorses ransom payments. We believe the best way to deal with a ransomware situation is to:
A: Create a strong defensive posture that will deter, if not stop, an attack.
B: Have in place a solid and well-practiced incident response plan that includes backups so an organization can quickly recover from any attack.
With that noted, discussing the usefulness of current and proposed legislation that would require organizations to report to their government when a payment is made can be insightful. Please read the Part 1 overview and Ed Williams is VP, SpiderLabs at Trustwave, viewpoint.
This is a challenging question. I must be clear, I do not condone making a payment, but overall, I think the approach of forcing mandatory ransom payment reporting makes no real sense.
In Australia, paying a ransom is technically not illegal in and of itself, BUT…and it’s a big but…it could be considered illegal if, for instance, it could be proven that the payment effectively became terrorist financing or money laundering. Those would be a big stretch, but still technically possible.
Assuming for a moment there are no self-incrimination issues, then I think it is logical for a reporting entity to ask the obvious What's In It For Me question.
Right now, the answer is pretty weak. Longer term the government hopes to develop some data-driven insights into the payments, including how reliably they resolve the breach and likely if it means the victim is re-targeted.
However, getting sufficient data to draw those insights is likely to take several years… and so again I think the rationale behind the legislation is pretty weak.
I would guess that the government’s secondary, but unstated, motive is to actively dissuade ransom payments in lieu of making them illegal. People are far less likely to actually make the payment if they know they have to then ‘confess’ to the government.
As to whether or not this can build a better defense, I would say that really depends on the quality of reporting the government receives.
Let’s set up a hypothetical. If the rule is implemented and the government gathers data showing that 50% of organizations that pay ransoms are attacked again within six months, or that paying a ransom leads to a successful outcome only 25% of the time, this information could be used to launch a public awareness campaign. Over time, such a campaign might help reduce the number of ransom payments.
However, this is a long-term strategy in a fast-moving industry and would require consistent government policy over an extended period to be effective.
That is not a strong assumption in the Australian political climate.
I will suggest one possible alternative approach to reporting payments in Australia would for insurers to provide data to the government on the rate of claims against cyber insurance policies and the basis of those claims.
That way it keeps the claimants anonymous, and you have a more reliable and centralised data source. The downside, however, is the extent to which the market is currently covered by cyber insurance. It’s a small sample set of the entire market, at best.
