August 20, 2021

Australia’s Ransomware Crisis

Cybercrime has long been the stuff of the Internet’s collective cultural imagination; a well-worn stereotype of the outcast loner – the hooded figure hunched over a keyboard who’s living off cold pizza and hacking the Pentagon from his mum’s basement.

Although entertaining as a meme, it’s far less so when cultural inventions come to life.

It might sound dramatic but make no mistake; the explosion in ransomware attacks is symptomatic of a major cyber and national security crisis. One that has grown in scale and frequency to a point where it now threatens the safety and wellbeing of all Australians.

Our shared reality is that we all rely on an intricate web of interdependent networked technologies and services to survive. Unfortunately for us, it’s all too easy for someone with less than good intentions to take control of near everything we hold dear.

There is no meme counterpart to that hooded figure; no one is coming to save us. So, what can we do?

I’ve written this series to look at some of the issues and put forward some of the ways we can fight back against the very real threat of ransomware attacks. But first, let’s cover the basics.

What is Ransomware?

Ransomware is a form of malware that infects computer systems by infiltrating and encrypting all data connected to the point at which it gained access. Once everything is made completely inaccessible, the attacker demands a ransom in exchange for a key to decrypt whatever it is that they have managed to take hostage.

Until recently, the threats presented by ransomware were mostly restricted to private industry (not exactly a good thing), but we’re now seeing successful ransomware attacks executed on Critical Infrastructure, both in Australia and overseas.

Obviously, this is a very serious problem that is relevant to literally everyone in Australia – but we’ll get to that later.

They’re aiming to hurt us and to kill us

Critical infrastructure assets are the indispensable service providers (and their associated facilities and property) Australia depends on to function.

Think about the absolute bare essentials humans need for survival: food, water, shelter and oxygen. Excluding oxygen, the things that fulfil those needs, facilitate their delivery and/or preserve their integrity are all governed by something big and networked.

Therefore, the ransomware crisis can be understood as a threat to our survival, but the Australian Government has presented this rather dire diagnosis through a slightly different lens.

They’ve defined critical infrastructure assets in the Security of Critical Infrastructure Act of 2018 as “…asset[s]… critical to”:

  1. The social or economic stability of Australia or its people.
  2. The defence of Australia.
  3. Australia’s national security.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 that is currently making its way through parliament is extending the list of things we consider to be critical infrastructure to include an additional eleven categories that build on the already established primary 4 critical infrastructure sectors (electricity, gas, water and ports). That means we have a lot of businesses and government departments, services, facilities, assets and stuff that, if damaged, disabled or made unavailable, risks triggering a national crisis/catastrophe.

Connectivity propelled us into a new era, but it can just as easily be used to tear us down

The defining characteristic of late modern societies is hyper/interconnectivity. Everything and everyone is connected via networked technologies to everything and everyone else.

It might help to think about this via the power of mnemonics, in this case the song Dem Bones.

The IT Service Provider is connected to the Power Plant;
The Power Plant is connected to the Power Supplier;
The Power Supplier is connected to the Energy Retailer;
The Energy Retailer is connected to its customer base;
The customer base is connected to the…

Well… we all understand how social networks work, right?

So, if practically everything on that list of things we call critical infrastructure (and I assure you, it’s everything) is governed by or dependent on a networked technology, then it’s more vulnerable than ever before to becoming yet another victim of a ransomware attack.

There’s a reason we refer to malware as a ‘virus’

As we have learnt, so painfully, time and time again during every epidemic, the combination of close proximity with clear routes of transmission creates the perfect environment for viruses to spread.

Malware spreads in almost exactly the same way. And, because we live in a hyperconnected world, if one critical infrastructure asset is infected with ransomware, then there’s a strong chance it will end up infecting multiple other assets to which it is connected.

Still think it’s not such a big deal? Well, consider this: say a critical Australian food supplier, like JBS meats, was hit with ransomware. What if JBS meats – which is connected to large retailers like Coles and Woolworths, as well as at least one energy provider – became the epicentre for the launch of simultaneous attacks that would (for an impossible-to-predict period of time) take away:

  1. Everything you buy from a supermarket.
  2. Your electricity (no refrigeration, no Internet connection, no heat, no light etc).
  3. Your communications (landlines and mobile phones all need a power source).
  4. Potentially your access to emergency services.

We’re not just talking about a steak shortage here; we need to understand these attacks are signs of major risks to the safety and security of Australia and Australians as a whole.

Sure, you might be thinking, but don’t we have loads of technology to defend ourselves against these types of attacks?

In theory and on paper? Sure…! But if all that technology was as effective as so many wish it were, then we would not have the problems we have today, would we?

To get to the core of the issue and make tangible progress, we are going to have to talk about things that technologists really don’t want to hear…

I’ll cover that (and more) next time.

This is the first in a series of four articles tackling ransomware. You can view the other articles in this series here:

Article Two: Ransomware: what technologists don’t want to hear

Article Three: Techno-Centric Cybersecurity and HCCS: Can’t we all just be friends?
