RB U-turn a win against hackers
The U-turn that saw the Reserve Bank finally confirm last week that it did not pay a ransom after it was hacked in 2020 amounts to a small but encouraging step forward in the fight against cyber crime.
The bank had previously strived to avoid revealing whether it had paid a ransom to dissuade the criminals who hacked into its Accellion file transfer system from dumping a vast amount of confidential information online. But that battle came to a sudden end on Wednesday when Stuff effectively forced a disclosure by highlighting the bank’s desire for secrecy in a front page news story.
Had the bank paid a ransom, then its past desire for secrecy would have been more than understandable, if unreasonable.
But there was only one plausible motive for the bank not wanting to disclose the non-payment of a ransom long after the original attack.
That would be to avoid setting the precedent that state-owned organisations should reveal such information, in order to preserve "optionality" in the event that it or some other state-sector organisation did feel the need to secretly pay a ransom in future.
That optionality has now been significantly diminished, which is a big advance.
Ransomware has become a growing scourge and more IT professionals have been coming around to the view that the only way to tackle it is to make it harder or illegal for victims to pay up.
Reserve Bank governor Adrian Orr gave a disjointed account as to why the bank had caved after previously blocking an Official Information Act request on whether it paid a ransom and then attempting to persuade the Ombudsman not to uphold a complaint against that decision. "We've been following advice that we received from the Government on whether we do or don't talk about paying a ransom. That advice has changed. The Government advice now is 'do not pay a ransom'."
There doesn't, in fact, appear to have been any published change in the Government's advice about "talking" about paying a ransom, or indeed any public advice on that specific issue at all.
Instead, as the second half of Orr’s explanation suggested, he appears to have been referring to what could be viewed as a change in the Government’s stance on the actual payment of ransoms.
The Department of Prime Minister and Cabinet (DPMC) released what it described as "new guidance on ransomware for public service agencies" on April 28. It stated among other things that "it is the Government's expectation that public service agencies will not pay cyber ransoms".
Its guidance also included a more strongly-worded statement that "Cabinet has agreed that government agencies should not pay cyber ransoms".
Whether, and if so to what degree, that represents a toughening-up of the Government’s previous stance remains a moot point.
Communications Minister Ginny Andersen noted on Thursday the Government "has continually strongly discouraged the payment of ransoms to cybercriminals".
All of the statements, including the DPMC’s latest one, arguably left a tiny bit of wriggle room, though.
The Reserve Bank's take appears to be that the Government's stance has crossed a threshold at which it has become so unambiguous that the bank could no longer justify preserving agencies' optionality. It will be that much harder for other agencies to claim a need for secrecy on paying ransoms from now on.
That can only reduce the possibility of any pay-outs to hackers, who should now know almost for sure if they didn’t already that attacks on New Zealand government agencies, at least, will go unrewarded.