[LINK] Proposal to mandate reporting ransoms

Karl Auer kauer at biplane.com.au
Mon Jun 28 21:17:49 AEST 2021


On Mon, 2021-06-28 at 07:44 +0000, Stephen Loosley wrote:
> Proposed Bill would force Aussie organisations to disclose when they
> pay ransoms

Interesting article - mucho bullshit though, as we have come to expect
from our political classes whenever they play with things they don't
understand.

> At the time, Watts, alongside Shadow Minister for Home Affairs
> Kristina Keneally, declared that due to ransomware being the biggest
> threat facing Australia, it was time for a strategy to thwart it.

Presumably she meant the biggest digital threat? This is about
equivalent to saying burglary is the biggest threat to households,
without mentioning that 90% of households have no locks or are not
locked if they do have locks. And that 85% of houses are built by the
same builders, who actively mitigate against the easy installation of
locks, and indeed deliver the houses with most of the locks disabled. 

What is the real problem here? Or more to the point, where can the most
impact be achieved? I mean - burglary should still be a crime, but
watch how fast people will lock up when their insurance policy doesn't
cover an unlocked house...

> The Bill introduced by Watts would require large businesses and
> government entities that choose to make ransomware payments to notify
> the ACSC before they make the payment.

Why only large businesses? There is no serious compliance cost here,
and why would you want to cause criminals to focus on small business?

> Watts said. "And it will help others in the private sector by
> providing de-identified actionable threat intelligence that they can
> use to defend their networks."

No such thing as de-identified. I wonder when they will start listening
to the serried ranks of people who actually know what they are talking
about in this regard?

> Information about the attack includes cryptocurrency wallet details,
> the amount of the payment, and indicators of compromise. Failure to
> notify the ACSC would attract a penalty.

Aaaaand if the penalty is not at least as large as the ransom paid,
then it is no penalty at all and will not discourage the payment of
ransoms, and it might not even be worth people's while to report
attacks.

> The ACSC would be required to de-identify the information for the
> purpose of informing the public and private sector about the current
> threat environment and disclosing information to Commonwealth, state,
> or territory agencies for the purpose of law enforcement.

See above.

> Under the Bill, it would be an offence to disclose personal
> information except for use by law enforcement.

Ah yes - good old trustworthy law enforcement, from whom no personal
fact should ever be kept, because they are trustworthy! How do we know?
Because they tell us so!

> "We should be clear … ransoms should not be paid. Ever," Watts said.
> "Paying a ransom does not guarantee you'll be able to quickly bring
> your systems back online or prevent further disruption, it does not
> guarantee your data won't be leaked.

So why not make it illegal to PAY the ransom? Or at least illegal to
pay it without permission. Why this weird side game about requiring
that companies tell you?

> According to Watts, the current trajectory of these attacks and the
> traditional response of asking organisations to implement an "ever-
> increasing uplift in cyber resilience" was inefficient and not
> sustainable.

Far from being unsustainable, it is the ONLY sustainable approach.
Leaving all the doors and windows open makes no sense at all.

> "A hospital shouldn't be forced to use more and more of its scarce
> resources fighting cybercriminals, it should be using its resources
> to make sick people better," he said. "The boards and executive teams
> of our nation should be able to focus on making investments in its
> core business that create new jobs and increase shareholder returns,
> rather than constantly ratcheting cybersecurity investments.

It's hard to know where to start with this daftness. Security -
physical, digital, whatever, is just part and parcel of doing business
- ANY business.

> "Unfortunately, that's the state of the policy response to ransomware
> under the Morrison Government -- blaming the victims."

Yes. When a hospital gets hacked and is offline for more than 24 hours,
I blame that hospital's management. Because the bigger you are the more
you should bloody well know about this stuff, and the more you should
be dealing with it. And that is especially the case when the data you
are protecting is of high value or particular sensitivity.

> "Mandating reporting of ransom payments is far from a silver bullet
> for this national security problem, but it's an important first
> step," he said on Monday.

I wonder what wonder-boy thinks the next step is?

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D