More options than just awareness
Cyber crime could be tackled if we were willing to accept the tradeoffs, writes Tom Pullar-Strecker.
OPINION: Government cybersecurity body Cert NZ says a “small number” of New Zealand organisations have reported being hit by the Wannacry ransomware attack. The silver lining is that the scale of the attack overseas could encourage a more serious debate about cybercrime.
Until now, governments have focused on increasing education and awareness. But there are other steps they could take.
Require people who register websites to prove their identity
Thieves wouldn’t rob a bank with a gun registered to their name, and fraudsters probably wouldn’t run a scam from a web address that was registered to them either.
Proper identity checks would make it harder to set up websites that are often used in phishing and other attacks.
Although it is possible to look up details of who runs a site, owners often do hide behind intermediaries or provide false details.
Icann, the US-based body that administers the global internet, has considered tightening the rules around website registrations. One concern is that tough controls would make it harder for dissident groups operating under repressive regimes to disseminate information. Consider the impact on movements such as the “Arab Spring”.
Cyber criminals could still distribute malware through hacked websites, so while more controls would make a difference they would not be a silver bullet.
Ban loosely-regulated virtual currencies such as bitcoin
Remember those 1970s’ cop shows when someone got kidnapped? The perpetrators were often nabbed when they tried to collect the ransom.
Virtual currencies such as bitcoin have made ransomware viable for fraudsters because transactions are hard to trace, even if payments are received over a period of days and weeks.
The Wannacry blackmailers are demanding payment in bitcoin, with apparent impunity.
New Zealand cyber-safety organisation Netsafe has said it wouldn’t be sad to see bitcoin disappear.
Massey University banking expert David Tripe has pointed out that New Zealand does have an alternative “virtual currency” that people can use to remit money online and which doesn’t have the same ransomware problem. It is called the New Zealand dollar.
Take other steps to make it harder for criminals to get paid
Before there was bitcoin, there were money transfer services such as Western Union.
The pressure has been on the banking system to speed up payments, to facilitate e-commerce.
But delaying outgoing international payments by 24 hours would make it easier for the likes of banks to spot suspicious activity, for example an accumulation of transactions by “money mules” siphoning off the proceeds of romance scams.
Discourage the payment of ransoms
Blackmail only works if people pay, so everyone is safer if no-one cracks.
Britain’s National Health Service won’t pay ransomware demands despite being hit hard by Wannacry. Margaret Thatcher would shout too loudly from her grave.
New Zealand doesn’t have rules or policies that would prevent public sector organisations paying ransomware demands.
It would be possible to go further and to make knowingly facilitating the payment of a ransom an offence in itself.
Make sure it costs money to phone NZ from overseas
This wouldn’t make any difference to Wannacry, but could reduce the plague of tech support phone scams from people posing as “Microsoft Windows” staff.
Many of those phone scams appear to be operating from India, from once-legitimate call centres that turned to the dark side.
Such scams wouldn’t have worked a few decades ago, when fraudsters would have had to pay a dollar a minute to scout for victims.
In the absence of any serious effort by the Indian Government to stamp out phone frauds, a higher termination charge for incoming overseas calls might be the next best way to tackle the problem.
Phone scammers could make free calls through hacked phone systems, but that has its own challenges.
Better rules to prevent software flaws
The Centre for International Governance Innovation called last month for G20 countries to change laws to require software vendors and internet providers to provide life-long security updates for their products.
The goal would be to ensure there were fewer flaws in older and unsupported software for hackers to exploit.
A compromise might be to remove some copyright protections on older software – such as outdated operating system Windows XP – to ensure that at least nothing stopped other companies from making a dime by supporting and patching software products, if the original vendor was no longer willing to do that itself.
Cert NZ’s response
Presented with that list last month, Declan Ingram, operations manager of Cert NZ, acknowledged there were a lot of actions that could be taken.
But he noted the new agency was not a policymaking body.
“The information we will collect will help inform the decisions the Government make in those areas,” he said.
So the cyber-crime ball is in politicians’ court.