“When we have an ecosystem where people are constantly paying ransoms then it makes it look like Australia is a soft target, and we are not a soft target,” said Home Affairs Minister Clare O’Neil. “There are many Australian companies that do not pay ransoms and certainly the advice with the Australian government is we would ask you not to do that.”
But paying ransoms is not illegal, and a survey conducted by pollster YouGov for the advisory firm McGrathNicol, which is often brought in to deal with cyberattacks, found last year that about 80 per cent of Australian businesses hit by a cyberattack pay a ransom averaging $1 million. In that scenario, the criminals render a company’s network inoperable or steal information and say they will undo the damage only if a payment is made, typically in cryptocurrencies that are hard to trace.
Medibank refused to pay the hackers’ ransom last year, and the criminal group made good on its threat of releasing the sensitive data of the insurer’s customers.
O’Neil said the government was open to a range of changes, from banning ransoms altogether to banning most but having limited exceptions, or compulsory reporting of payments. “These are all on the table at the moment,” O’Neil said. “What I do know is that we can’t continue as we are today.”
Penn, who led Australia’s largest telecommunications company, Telstra, until August last year, said companies should only contemplate a ransom in the most extreme circumstances.
“It’s a complex area,” Penn said. “I certainly would be an advocate for saying we should avoid paying ransoms, and we certainly wouldn’t recommend paying ransoms. There are potentially limited circumstances where there are life-threatening situations where maybe a complete ban is not appropriate.”