Image / Getty Creative
OPINION:
As the wave of cyber attacks against banks and other targets dragged on and on last week (and indeed continues for Kiwibank this morning), three experts independently told the Herald the same theory.
New Zealand has a worldwide reputation for being tightly locked down - and thus more reliant on online services, which in turn generates the perception we're more likely to pay a ransom to hackers to avoid losing access to them.
A second, more disturbing theory was also reiterated: That while the US has tightened its defences, and Australia recently ramped up spending on defences against hackers, NZ has a reputation as a soft touch - whether they're demanding a ransom to return stolen files, or to ceases a DDoS attack that overwhelms a site with connection requests, effectively forcing it offline.
We need to shake up how hackers around the world think of us:
And we could do that by making it illegal to pay a cyber-ransom.
(While there's nothing black-and-white about ransomware on our statute books, Auckland University Law Faculty professor Bill Hodge told the Herald, "The Crimes Act was written in an age when a ransom was only demanded for a person, not data. But my reading is that it would not be illegal to succumb to a hacker's demands and pay a ransom. It would be almost impossible for police to mount a prosecution.")
Various governments around the world are grappling with this issue. NZ could take a leadership position, and grab global headlines, by being among the first to ban ransom payments.
Police, and our Government, already discourage the payment of cyber-ransoms, which experts say incentivise further offending. There are also ethical considerations, given groups involved could be using profit from cyber heists to fund anything from human trafficking to terror.
Now we should take the next step and bar them outright.
Some would still find workarounds, of course, but we would change our image from the soft touch to the country that's fighting back.
There are other things were can do, such as following Australia's lead on better-funded, and much better co-ordinated efforts to combat cybercrime.
But making paying a cyber-ransom illegal would be a good start, and one guaranteed to make waves that cyber-extortionists around the world would notice.
I but this to Justice Minister Kris Faafoi in May, as the Waikato DHB was grappling with a ransomware attack.
"While the Government understands that making payments may be perceived to encourage further attacks, criminalising the victim of a ransomware demand raises issues of fairness about making a victim a criminal if they are trying to protect their business and livelihood (and, possibly, essential infrastructure) by making such a payment," Faafoi said.
Nevertheless, he had asked officials to monitor overseas developments to see how other jurisdictions are dealing with this issue and whether any measures implemented in other jurisdictions are effective in reducing ransomware attacks.
This morning, I wondered if this monitoring, or the public running out of patience with endless bank outages, had seen any change to the Justice Minister's thinking.
I put in a request for comment, but was told that Digiital Economy and Communications Minister David Clark is now responsible for the ransom payment issue. Clark has been asked for comment [UPDATE: Clark said, "The government's position has not changed since the response from Minister Faafoi in May."]
In the meantime, I should note that Faafoi is far from the only one to be cautious about the idea.
There's no shortage of case studies of organisations who have paid millions to regain access to their data, from the recent Colonial Oil Pipeline shakedown in the US to satnav and wearable maker Garmin and Nasdaq-listed Blackbaud, which stores data from non-profits - and retrieved files for Auckland University, Otago University and other clients by forking over an undisclosed ransom (both universities stress they had no part in the decision to pay or not to pay).
And an EY article on ransomware notes the FBI's official advisory on the topic, which says, "The FBI does not advocate paying a ransom, in part because it does not guarantee an organisation will regain access to its data [and] paying ransoms emboldens criminals to target other organisations.
"However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers."
And earlier, Wellington lawyer Michael Wigley said that in some circumstances, a firm might even have a fiduciary duty-of-care to do everything it can to retrieve its clients' data.
To this, I'd say while you might have protected your clients, or shareholders, by buying off one group of hackers, there are dozens of others of ransomware gangs out there - and you've just sent them a big fat signal that you're an organisation that is willing to pay up.
Then there's the argument that a cyber-ransom ban would have unintended consequences.
Talking to the BBC earlier this year, Jen Ellis, public affairs head for cyber-security company Rapid7 said that in an ideal world, we would not fund organised crime by paying cyber-ransoms.
"The problem is, we don't live in an ideal world," she added.
"In the world we do live in, banning payments would almost certainly result in a pretty horrific game of 'chicken', whereby criminals would shift all their focus towards organisations which are least likely to be able to deal with downtime - for example hospitals, water-treatment plants, energy providers, and schools."
But schools have no money and utility plants run on specialised software - often not even connected to the internet - that is not worth cyber-criminals time and effort to school up on then somehow manually attack (if still of interest to bad actors).
And unfortunately, health organisations are already under attack, as we've seen local with the Waikato DHB - whose ransomware episode followed numerous similar attacks in Europe and North America.
Emsisoft threat-assessment analyst Brett Callow told the Herald that in the US alone, more than 400 hospitals have been hit by ransomware attacks.
"The position at this point is untenable. Countries simply cannot permit their healthcare systems, critical infrastructure and other public and private sector organisations to be under a constant barrage of financially-motivated cyberattacks," Callow says.
"Sooner or later, people will die.
"The easiest and quickest solution is to cut off the cash by prohibiting ransom payments.
"If that happens, the attacks will cease."
'I can imagine people being outraged that TVNZ signed a deal with me.'