SICW Sessions: Tackling the Ransomware Scourge – Global Cooperation for a Transboundary Issue
Good afternoon and thank you to the Cyber Security Agency of Singapore for having me here today.
Singapore International Cyber Week is the Asia-Pacific's most established cyber security event, and I am honoured to represent the Australian Government at such a crucial international forum.
I also acknowledge the esteemed panel who will be discussing the threat of ransomware in more detail.
Your insights and thinking about how we can work together to tackle the shared threat of ransomware will be of interest to policymakers and business across the globe.
One year ago – at 1 o'clock am on October 22 2021 – the government of Papua New Guinea was hit with a major cyber incident.
A ransomware attack had targeted PNG Department of Finance's Integrated Financial Management System.
The IFMS integrates PNG's budgeting and accounting systems across government.
It manages hundreds of millions of dollars of payments.
Like most nations, Papua New Guinea couldn't afford an attack of this kind on its major government payment system.
And like a lot of the world, Papua New Guinea was in the thick of trying to contain Covid-19, and manage the health and economic consequences of the pandemic.
The last thing it needed was a cyber crime group holding its payment system to ransom.
PNG was able to respond well to this incident, but the potential impact of ransomware attacks on developing countries is significant.
Ransomware attacks have become ubiquitous across the developed world in recent years.
In Australia, the Australian Cyber Security Centre identifies ransomware as the most destructive cybercrime threat facing our nation.
We've experienced ransomware attacks targeting our hospitals, our logistics sector, our brewers, our food sector, our resources companies, our political parties and our media companies just to name a few.
Like most developed countries, in recent times we have begun to coordinate action across the public and private sector to build resilience against these attacks, to respond to them when they occur and increasingly to seek to deter them.
Australia joined the Counter Ransomware Initiative coordinated by the United States, which includes ongoing collaborative efforts to:
- Improve network resilience to prevent incidents when possible and respond effectively when incidents do occur
- Address the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable
- Disrupt the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors
- Address safe havens for ransomware criminals, and,
- Continued diplomatic engagement.
Pleasingly, we've also increasingly begun to coordinate with like-minded countries in these endeavours.
But the threat that ransomware poses to developing nations is more pernicious again and requires the attention of the international community.
Digitalisation is a major economic development priority for many developing nations, especially as they start to recover from the health and economic impacts of the Covid-19 pandemic.
Greater connectedness enhanced by digital adoption opens many countries in the global south to the opportunities presented by the global economy.
But economic gains offered through greater digitisation are threatened by cyber crime threats like ransomware.
Last year's incident in PNG isn't an isolated case of ransomware groups targeting developing and middle-income economies.
Increasingly, ransomware groups have begun attacking targets in the ‘global south’ – the part of the world with the least to lose.
Costa Rica's government, for example, was the target of a crippling ransomware attack earlier this year which affected government systems and web platforms.
The worst of the damage was inflicted on the Ministry of Finance, which was unable to collect taxes and other revenue.
As a result of the attack, Costa Rican President Rodrigo Chaves declared a state of national emergency.
Peru, where I was two weeks ago, was also the target of a major ransomware attack against the “National Directorate of Intelligence”, the country's intelligence agency, in May of this year.
India has also seen a spike in ransomware. Earlier this year, India's second largest airline was hit with a ransomware attack which prevented flights from normal operation.
In June, ransomware gang RansomHouse claimed responsibility for an attack on Africa's largest retailer Shoprite, which compromised customer data in Eswatini, Namibia and Zambia.
A recent report from the British think tank the Royal United Services Institute – RUSI – argues that rapid digitalisation of the global south has not always been matched with sophisticated cyber security practices.
RUSI argues that Covid-19 “has accelerated this trend due to efforts to create effective responses to health challenges.”
They argue that the adoption of new technologies often outpaces “the establishment of the kind of regulation and cyber security standards that could help manage new threats and vulnerabilities that arise.”
We know this to be all too often the case in developed countries, but it has been particularly true in the developing world.
In Australia, we have a dedicated Cabinet-level Minister for Cyber Security, the Honourable Claire O'Neil MP, to coordinate our efforts.
Addressing the threat of ransomware is a key priority for Minister O'Neil.
When Minister O'Neil announced Australia's new cyber security strategy, in August, she said it will take a “whole of nation approach”.
But our efforts do not end at our national borders.
Minister O'Neil and I recognise that, as with other malicious cyber activity, the threat of ransomware is not constrained by borders.
And as RUSI pointed out in their recent report:
“The increasing breadth of countries being victimised by ransomware is not an isolated problem. Its direct impacts also have ripple effects, producing aftershocks throughout global commerce and governance”.
So in Australia, we recognise that domestic cyber security is closely linked with international efforts.
It is in our common interest to support the global south with measures to boost cyber resilience.
Particularly in developing countries in our own region, in South East Asia and the Pacific Islands.
Internationally, Australia is strengthening our cooperation with government and multi-stakeholder partners across the globe to address this shared threat.
Australia and Singapore are both active participants in the US-led Counter Ransomware Initiative, which seeks to enhance diplomatic efforts and international cooperation to combat the threat of ransomware.
In our immediate region, Australia and Malaysia jointly initiated an ASEAN Regional Forum Points of Contact Directory.
This is a simple, practical and voluntary measure to maintain clear channels of communication in the event of cyber security incidents.
The Pacific Cyber Security Operational Network – PaCSON – was established to foster regional cooperation and collaboration, and to ultimately protect the Pacific region's respective information infrastructure.
While not a CERT or CSIRT, PaCSON maintains operational cyber security points of contact, and empowers members to share cyber security threat information.
PaCSON also provides opportunities for technical experts in the Indo-Pacific to share tools, techniques and ideas.
It enables cooperation and collaboration and provides a strong foundation for further engagement to uplift cyber security across our region.
Another example of these capacity building initiatives is the work of our neighbours - the Pacific Islands Law Officers' Network – or PILON – a regional network of senior law and justice officials from 19 Pacific Island countries.
PILON Members contribute to a safe and secure Pacific by promoting justice and the rule of law through regional cooperation, capacity building and shared expertise.
Cybercrime and cyber-enabled crime – including ransomware – are key areas of strategic focus in the Pacific Island Leaders Boe Declaration on Regional Security Action Plan.
PILON is also contributing to regional efforts to address this issue by promoting member countries to accede to the Budapest Convention.
In Australia, we also have our flagship cyber and critical technology capacity building program, the Cyber and Critical Tech Program.
Australia works with regional partners - like Indonesia, Solomon Islands, Vanuatu, Fiji, Tonga, Papua New Guinea and Samoa - to strengthen capacity to maximise the opportunities, and mitigate the risks, related to the use of cyberspace and critical technologies.
For example, through the program, Australia collaborated with the National Bank of Vanuatu to increase its defences against avoidable cyber security incidents.
The National Bank of Vanuatu is the only commercial bank operating outside of Port Vila and Luganville, having a presence in over 20 of Vanuatu's dispersed islands.
Strong cyber security for the National Bank of Vanuatu is critical for protecting the finances, data and livelihoods of thousands of its customers.
Another example is the work Australia is starting with Samoa's Meteorology Department.
Having seen devastating natural disasters impact the region in the previous 24 months, we are determined to ensure the essential services and data the Meteorology Department publishes remain available and secure during these times of need.
These examples aim to uplift baseline cyber resilience – because we know that uplifting basic cyber security goes a long way to manage many entry level commodity threats, including ransomware.
Australia is also seeking to contribute to global efforts to deter ransomware attacks through the use of autonomous sanctions.
Australia's autonomous sanctions framework contains thematic autonomous sanctions regimes, including a “significant cyber incidents” regime.
The cyber sanctions regime has three key aims:
- it signals that we are prepared to take action to deter and respond to malicious cyber actors, consistent with the principles of proportionality and sovereignty
- it will impose costs on individuals and organisations – including the organs of any state – who engage in malicious cyber activity
- it will uphold existing international law and agreed norms of responsible state behaviour in cyberspace.
This sanctions regime, which allows the Government to target cybercriminals, is a useful part of the cyber-diplomacy toolkit.
It's not easy.
Sanctions are not a trivial exercise from a technical perspective and require careful analysis.
But conceptually sanctions regimes are a useful tool for responding to and deterring malicious cyber activity.
We recognise that deploying sanctions of this kind would not be without international precedent.
Australia's regime enables us to coordinate with like-minded partners with similar sanctions regimes including the United States, European Union and the United Kingdom, where it is in our national interest to do so.
We look forward to continuing to work with like-minded countries to consider how we can impose sanctions on ransomware gangs and their enablers.
And last month, Australia's Foreign Minister Penny Wong met with the Foreign Ministers from Japan, India and the United States at a meeting on the sidelines of the UN General Assembly.
They pledged to assist each other in the face of malicious cyber activity including ransomware and to take reasonable steps to address ransomware operations emanating from our territories.
The theme of Singapore International Cyber Week this year is “Digital Security: A Shared Responsibility.”
It is well understood that cyber security is the responsibility of businesses and governments within domestic borders. But that responsibility extends across nations too.
RUSI argues that:
“high income countries have an economic and moral interest in ensuring ransomware does not create significant disruptions in middle income and developing countries”.
RUSI is right.
It's in all of our interests that cyber threats like ransomware do not threaten the stability of the governments, economies and societies of nations in our region.
And where developing countries lack the resources, expertise and scale to respond to this threat, developed countries need to be ready to assist.
As high income countries increasingly mobilise against the threat of ransomware to their own national interests, we need to ensure that the developing world is not left behind.
The new Australian government has committed to listening to Pacific Islands voices and restoring Australia's place as the first partner of choice for our Pacific family.
We want to make a uniquely Australian contribution as a partner of choice for the countries of the Pacific - reliable, turning up, showing respect, listening, and being transparent and open.
The security of the Pacific must remain the shared responsibility of our Pacific family, of which Australia is part. The Pacific family is best placed to respond to the needs of our region.
We've heard Pacific Islanders' desire to pursue economic development through greater digitisation and connectivity, and their concerns that these gains not be jeopardised by cyber threats like ransomware.
Cyber security is also integral for keeping key government systems online – including those that help manage the impacts of climate change.
As Australia ramps up our efforts to combat the threat of ransomware to our own nation, we'll work hard to be a trusted partner for countries in our region confronting the same threats.
It's in our economic and moral interest to do so.