"Australia Is Considering a Ban on Cyber Ransom Payments, but It Could Backfire. Here's Another Idea"

In less than two months, Australia experienced two of the largest personal data breaches in its history, the first involving Optus and the second involving Medibank. In both cases, the hackers attempted and failed to extort a ransom in exchange for not disclosing personal information. So far, the Optus hackers have released only a small portion of the data and claim to have deleted the rest, whereas the Medibank hackers have released the records of over one million people and have threatened to release more. As a result, the Australian government is looking to strengthen its cybersecurity defenses, including through the formation of a taskforce to retaliate against the Medibank hackers.

Clare O'Neil, Minister for Cybersecurity, has stated that the Australian government is considering making ransom payments to cybercriminals illegal. The concept has gained traction, but the question is whether the cure will be worse than the disease. In some cases, paying a ransom may already be illegal for Australian organizations, for example if the payment funds further criminal or terrorist activity by groups sanctioned by the United Nations. However, Macquarie University researchers point out that attribution of cyberattacks is difficult, so it is not always possible to know in advance whether paying a specific group would be a crime. An organization may pay a ransom only to discover later that it violated the law.

A ban on ransom payments would significantly reduce the profits amassed by criminal gangs targeting Australia. Banning ransom payments may be a good idea in cases like the recent Optus and Medibank hacks, where the ransom was demanded in exchange for "not leaking" sensitive information. It could relieve the targeted organization of the burden of making a decision, as well as mitigate the public's judgment of that decision. It would also reduce the possibility of criminals receiving ransom payments, making their operations less profitable.
However, unlike the Optus and Medibank breaches, many ransoms are paid to decrypt targeted computers. Some ransomware attacks involve hackers encrypting a company's computers, data, and backups. In many cases, failure to restore that data can lead to the business's demise. In such cases, prohibiting ransom payments may discourage organizations from reporting breaches: they may pay the ransom to continue doing business, even if it is illegal. If this occurs, it will reduce the overall transparency of breach reporting and may lead to hackers blackmailing victims into not disclosing the hack. This article continues to discuss the response to the Medibank hack, when banning ransom payments is effective, the problems with a ban, and an alternative solution.

The Conversation reports "Australia Is Considering a Ban on Cyber Ransom Payments, but It Could Backfire. Here's Another Idea"