As the Waikato DHB cancels surgeries in the wake of a ransomware attack, Justice Minister Kris Faafoi has ruled out a law change to make it illegal to pay cyber-extortionists.
Cyber-security experts and tech commentators, including Emsisoft threat-assessment analyst Brett Callow and Herald commentator Juha Saarinen, say the only way to stop escalating ransomware attacks is to stop payments.
Callow notes that in the US alone, more than 400 hospitals have been hit by ransomware.
"The position at this point is untenable. Countries simply cannot permit their healthcare systems, critical infrastructure and other public and private sector organisations to be under a constant barrage of financially-motivated cyberattacks," Callow says.
"Sooner or later, people will die.
"The easiest and quickest solution is to cut off the cash by prohibiting ransom payments. If that happens, the attacks will cease."
But today, a spokesman for Justice Minister Kris Faafoi told the Herald:
"The Minister of Justice is not considering making it an offence to pay a ransom or facilitate payment of a ransom in the event of a ransomware attack."
"While the Government understands that making payments may be perceived to encourage further attacks, criminalising the victim of a ransomware demand raises issues of fairness about making a victim a criminal if they are trying to protect their business and livelihood - and, possibly, essential infrastructure - by making such a payment," Faafoi's spokesman said.
He added, turning the "no" into perhaps more of a "maybe": "The minister has asked officials to monitor overseas developments to see how other jurisdictions are dealing with this issue and whether any measures implemented in other jurisdictions are effective in reducing ransomware attacks."
This morning, the Herald criticised the Government for enabling ransomware by keeping pay-offs legal, by not regulating cryptocurrencies like bitcoin (inevitably used by ransomware hackers as an easy mechanism for anonymous payments) and by running a cyber-defence system that has seen budget rises in the single-digit millions while Australia has spent billions to put itself on a "war footing" against cyber-threats.
The only possible change on the immediate horizon is more resources for cyber-defences with Thursday's Budget.
Ransomware victims have ranged from individuals to small businesses to large companies like Lion, Toll Group and Fisher & Paykel Appliances to institutions like the Reserve Bank (via a file-sharing partner) and hospitals.
While it seems cruel to target a healthcare provider, there can be the extra pressure to pay if lives are at risk.
"In this case [the Waikato DHB], the attackers will be hyper-aware that a government backed organisation providing critical healthcare can only be down for so long. They know the pressure is mounting publicly and that is an incentive to pay up. It's all part of a very well-rehearsed plan," NortonLifeLock cyber expert Mark Gorrie said.
And ex-RAF security expert Jeremy Jones (now with Theta) told the Herald, "There are also cyber attacks involving medical facilities where the adversaries also extort the patients themselves directly. For example 'Give us some money or we'll release your mental health records on the Internet'."
Faafoi's spokesman said, "It is worth noting that the Waikato District Health Board's Chief Executive has stated that the DHB will not be paying a ransom."
But many do.
In the US, hospitals in Alabama and New Jersey have paid ransoms.
And outside the health sector, the owners of the Colonial Pipeline recently paid a multi-million ransom to restore files and get oil flowing to petrol stations again. Fitness tracker maker Garmin coughed up. So did Blackbaud, the US company that stores files about donors for organisations, including the University of Auckland.
Saarinen recently wrote that victims shouldn't be blamed. Even if you're up to speed with the latest technology, and taking all the recommended procedural precautions, authorities offer little support, and few organisations could repel a persistent, well-organised ransomware attack.
And while payments are still legal, the money will continue to flow to the hackers, incentivising further attacks, and providing them with the resources to hone their systems.
The cyberattack on the Waikato DHB makes clear that organisations must do better at futureproofing themselves against such threats, says Ferry Hassandoust, a Business Information Systems lecturer at AUT.
"According to data published by Cert (2020), there was a 65 per cent increase in cyber incident reports in 2020 vs 2019. Phishing and credential harvesting are the most common types of cyber-attacks with an upward trend throughout the year. With the number of cyberattack incidents growing across New Zealand, it's a good time to remind ourselves to better protect our computers, information, and resources."
But Jones adds that in the health sector, there's the further problem that the Ministry of Health has little control over the 20 different DHBs' various cyber-defence systems.
"The Ministry has little influence over how DHBs enforce their security, leading to varying levels of security and certainly no centralised visibility or control. We met with [deputy director-general of health] Shane Hunter and discussed this topic at length 18 months ago and his frustration was evident. If nothing else this is a good reason to break up the DHBs to protect the functioning of health services and enforcing a higher standard," Jones told the Herald.
That is one area where change is coming. The Government is on a drive to replace the DHBs with a central health agency and, in a parallel push, is in the early stages of commissioning centralised IT systems.