Quad leaders must take direct action to combat ransomware

Tech experts from The Australian National University (ANU) have created a blueprint so Australia and other Quad nations – India, Japan and the United States – aren’t held hostage to ransomware attacks.

The new research report by the ANU Tech Policy Design Centre urges the Albanese government to lead a recalibrated approach to combat ransomware globally and break its business model.
 
The report, which comes in advance of the forthcoming Quad Leaders’ Summit in Sydney, makes seven policy recommendations, informed by independent research and analysis, and consultation with 44 executives from industry, government and academia.
 
“The recent spate of high-profile cyber incidents on Optus, Medibank, and Latitude Financial catapulted ransomware into the headlines and the public conscience of Australia,” lead author and Director of the ANU Tech Policy Design Centre, Professor Johanna Weaver, said.
 
“Demand for the government to act to combat ransomware has never been stronger. Our report responds to that demand with specific actionable recommendations to government.
 
“The Quad Leaders meeting in Sydney on 24 May provides an opportunity for Australia to secure commitments from the United States, India and Japan to act together to break the business model of ransomware criminal groups.”
 
The researchers found strong support for Quad leaders to take the following three specific actions:

1. Condemn ransomware criminals and articulate a joint policy position against payment of ransoms.
    
2. Introduce common mandatory disclosure requirements compelling entities that pay ransoms to confidentially notify an appropriate authority.
    
3. Harmonise cyber incident reporting requirements across Quad jurisdictions.

The researchers also found strong support for Australia to take the following four actions domestically,  either as part of its review of the Cyber Security Strategy or in concert with 37 like-minded countries under the International Counter Ransomware Taskforce:

4. Introduce annual Cyber Security Board Statements (replicating the approach with the Modern Slavery Act) for ASX-listed companies.
    
5. Establish a cyber insurance taskforce to examine means for the cyber-insurance market to incentivise improved cyber security and reduce the impact of ransomware. 
    
6. Sanction individuals and entities most prolifically conducting significant ransomware incidents, in close coordination with like-minded countries.
    
7. Step up international engagement to combat ransomware, especially vis-a-vis ‘safe haven’ states, in close coordination with like-minded countries.

The recommendations and a copy of the full paper are available online.