Ransomware continues to be the biggest threat to Five Eyes collation nations and it is getting worse, with financial gains no longer the sole motivation for threat actors today.
While speaking about how essential coalitions are to the fight against ransomware, Felicity Oswald, COO at the UK’s National Cyber Security Centre (NCSC), said that in the UK ransomware is getting worse because threat actors no longer need to be skilled to hire a ransomware attack surface or methodology.
Oswald also highlighted how financial motivation is not the only driver for cyber-criminals today and some ransomware attacks are being activated by nation-states.
Representatives from the US, Canada and Australia concurred with the assessment that for them, ransomware is of huge concern to most technologically advanced countries. The Five Eyes nations are Australia, Canada, New Zealand, the UK and US, who share a broad range of intelligence with one another.
Rita Erfurt, threat intelligence senior executive at the Australian Cyber Security Centre (ACSC), noted that large incidents affecting Australian organizations have had the effect of eroding trust and confidence in the nation’s digital economy.
“Ransomware is the most destructive form of cybercrime facing Australia,” she noted.
Healthcare, education and other essential public services have become lucrative targets in recent years highlighting the indiscriminate nature of ransomware threat actors.
Sami Khoury, head of the Canadian Centre for Cyber Security, noted an incident in Canada in which a Children’s hospital was hit by a cyber-attack, causing several network systems to go down.
Cybersecurity Strategies
All of the national representatives speaking at the panel noted that their cybersecurity strategies are either under review or have recently been published.
In Australia, a new strategy is under development and will set out the nation’s cybersecurity priorities from 2023 to 2030.
For Canada, the current cybersecurity strategy dates back to 2018 so it is currently under review, with Khoury expecting that the document will be completed in the summer of 2023.
Meanwhile the UK’s NCSC published its cybersecurity strategy in December 2022 and the US Government’s National Cybersecurity Strategy was published by the White House in March 2023.
On ransomware, Rob Joyce, director of cybersecurity at the National Security Agency, highlighted the US strategy’s approach to ransomware.
“The first is we will investigate ransomware crimes using law enforcement and other authorities to disrupt the ransomware infrastructure. A second, big area of focus is, improving critical infrastructure to withstand those ransomware attacks. The third is addressing the abuses of virtual currency to launder ransomware payments and the fourth is leveraging the international operation to disrupt the ransomware ecosystem,” Joyce outlined.
Mandatory Reporting
While the group was keen to emphasize the need for organizations to share breach data with government bodies, the approaches to mandatory reporting vary.
“Information sharing continues to be our number one challenge,” Khoury noted, speaking about how there is a need for breached organizations to share their information with national agencies. At the moment, Canada does not have any mandatory reporting powers.
In the US, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires critical infrastructure organizations to report malicious activity to the CISA.
In the UK, certain organizations are legally required to report a cyber breach to the Information Commissioners Office (ICO) within 72 hours of the incident. The NCSC is not a regulator but does work closely with the ICO.
This is similar in Australia where there are no overarching regulations but mandatory reporting is required for critical national infrastructure organizations.
“I think we need a balance and the challenge for all of us is balancing things that are mandatory with things that are encouraged. We have to work with our regulators but also our private sector and public sector and CNI,” Oswald said.
“From an ACSC perspective it is vital that we have as many organizations volunteer their own personal reports as much as possible because it allows us to pull together a really comprehensive threat picture,” Erhart said. “The more we can encourage people to report through to us on the things that they are experiencing then the better we can turn that information around and advise the Australian community.”
The Canadian government has recently presented a bill to parliament in support of making some of its own mandatory reporting requirements for federally regulated sectors.