It remains legal - in many circumstances - to pay a cyber ransom.
But thanks to Vladimir Putin, there’s a new wrinkle that could see Kiwis who cave in to hackers hit with a big fine.
A visiting UK cybersecurity expert says we’ve struck the right stance on whether to pay a cyber ransom.
“The New Zealand Government has just issued some very strong guidance on not paying to the general population and essentially ruling it out for government. The latter point is really, really welcome,” says Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre, who now chairs CyberCX’s UK operation.
“There’s something in my gut that hates paying a ransom, but my gut doesn’t make good public policy.
“Cabinet has agreed that government agencies should not pay cyber ransoms,” the guidance reads.
It also says: “The New Zealand Government strongly discourages the payment of ransoms to cybercriminals, and urges all victims to report any cyber ransom incidents to the relevant agencies, regardless of whether a ransom is paid.”
Law enforcement agencies have long recommended that victims not pay a cyber ransom: paying incentivises further offending, there is no guarantee you'll get your data back (or that copies of stolen data won't be used to blackmail you or your customers), and revenue from cybercrime helps fund offending in areas like drugs and human trafficking.
But the new guidelines highlight a more recent wrinkle, involving the Russia Sanctions Act 2022, passed by our Parliament in reaction to the invasion of Ukraine.
Many major ransomware gangs are based in Russia, according to analysis by Palo Alto Networks and other security firms, which have noted groups using Russian in their communications, among other indicators. Russian nationals have also featured strongly in the handful of arrests related to ransomware attacks.
That means paying a cyber ransom could now constitute breaking the new sanctions legislation. And the Government’s new guidelines highlight that could result in criminal penalties of:
- Up to seven years in prison and/or a fine of up to $100,000 for individuals; and
- A fine of up to $1 million for organisations.
There’s a big qualifier, however. Ransomware gangs use a lot of tricks to mask the origin of any given attack, and demands are typically made in bitcoin or another cryptocurrency not tied to any country. So proving that a payment had been made to a party in Russia would be difficult.
There have been calls by some tech commentators, including Herald contributor Juha Saarinen, to make it illegal to pay a cyber ransom to any party - a move billed as a circuit breaker as NZ faces ever-escalating cybercrime.
But shortly before she exited stage left, outgoing Justice Minister Kiri Allan reiterated the Government’s long-time opposition to making it illegal to pay a cyber ransom.
“While the Government understands making payments for cyber ransoms may be perceived as encouraging further attacks, taking criminal action against the victim raises issues of fairness in regard to making a victim a criminal when they are attempting to protect their business and livelihoods by making the payment. As such, there aren’t any current plans to criminalise those who pay cyber ransoms,” Allan said.
CyberCX’s Martin, who also served as Director of Security and Intelligence at the Cabinet Office, said, “I would, in principle, favour a ban - if a way could be found of making it work.
“If you look at what happened to the Irish health system in 2021, it was completely wiped out. There was serious disruption. It was one of the worst cyber-attacks there’s ever been.
“And the Irish state didn’t pay.
“They got lots of top-of-the-range companies in to help them. They got the army in and they got loads of help. And they found a way around that. But most organisations - particularly the smaller ones - can’t do that. They don’t have the resources of a government.”
“A ransom payment ban could only be extended beyond government organisations once the private sector had access to better support resources and the likes of insurance backstops. The best path was for a government ban, then to slowly extend that to private organisations. Otherwise there will be serious unintended consequences.”
Our Government has this week sought to improve support for cybercrime victims by folding CERT NZ into the GCSB’s National Cyber Security Centre (NCSC).
Was it the right way to go? Martin, who worked closely with NCSC head Lisa Fong during his time heading the UK equivalent, said: “This is a decision for the New Zealand Government. However, it is something we in the United Kingdom and Australia have both done successfully.”
A contrary take on AI
The rise of artificial intelligence has stoked fears about AI-assisted hacking from voice-cloning to orchestrating automated attacks that are more creative, and less likely to raise suspicion.
“AI allows you to generate lots of bad [as in malicious] code more quickly and effectively.
“But luckily, AI also allows you to create good code to counter that bad code at the same sort of scale and volume. AI could be at worst neutral and at best positive.”
But his broader point is that most cyber attacks today, from ransomware to crude DDoS bot swarms that overwhelm a service and render it inaccessible, rely on victims running creaky systems that are about as far from AI as you can get (one of many examples would be the Reserve Bank’s recent use of an antiquated file transfer system).
“We have legacy tech that we can’t fix. We can detect threats against it, and we can mitigate them, but you can’t fix a system that was not built with security in mind.”
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.