We saw last year how low hackers are willing to stoop to shame companies into paying ransoms, including leaking sensitive information aimed at embarrassing individuals affected by data breaches. As a result we also saw prominent calls for ransom payments to be ‘banned’, to reduce the financial incentives for hackers to target Australians’ personal information.
We are now hearing the flipside to that argument, with AGL Energy warning that a government-imposed ban on companies paying cyber ransoms to hackers could cause “catastrophic damage”.
In its submission on the 2023-2030 Australian Cyber Security Strategy Discussion Paper, made to the Department of Home Affairs in relation to reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), AGL stressed that while prohibiting ransoms may reduce the volume of attacks, it could also result in “potentially avoidable catastrophic damage, harm to community, loss of life, disruption of essential services or disclosure of sensitive information”, because in some circumstances and for some organisations, “the payment of a ransom demand may be the only path to achieving acceptable outcomes”.
In the alternative, AGL proposes that the government should strongly discourage ransom payments and consider imposing a ban only once Australia has more robust cyber security capabilities in place.
This position notably contrasts with recent public positions taken by the Australian Federal Police and the government on high-profile data breaches, but it illustrates the difficult decisions and practical concerns that businesses must weigh up when faced with a ransomware scenario. Paying a ransom is never a guarantee that an organisation will get its data back, regain access to its systems, or prevent further disclosures, but AGL makes the case for leaving the option open as a last resort. The decision is clearly fraught, and organisations are well advised to consider their position before they are faced with the need to make a choice.