Waikato DHB cyber attack: It isn’t illegal to pay cybercriminals – that must change


You can only have disgust for the hackers targeting hospitals around the world with ransomware cyber attacks.

To cripple essential health services in the midst of a pandemic, as the recent attack on the systems of the Waikato District Health Board did, is morally reprehensible and illegal.

Malware infected the computers running the DHB’s operations, causing major disruption to surgery and medical appointments. Doctors and nurses were frozen out of their IT systems, and the records they rely on to treat their patients were encrypted by the hackers, effectively locked in a digital vault. Only a payment in cryptocurrency, which is difficult to trace back to a person, would see the data unlocked and the machines accessible once again.

Thankfully, the DHB rejected the demand. Our Government strongly advises companies hit with ransom demands not to pay up. But it isn’t illegal to do so and New Zealand companies have paid.

That needs to change. As one IT security expert pointed out to me last week, by paying the ransom, you could be supporting a terrorist group or rogue state or aiding in money laundering: “What do you put on the expenses statement: a payment for extortion?”

Ransomware attacks rose in prominence nearly a decade ago when individual users with insecure computers began having their data locked, with a message appearing on their screen demanding payment of a few hundred dollars worth of bitcoin to have it released.

But criminal groups have since gone after bigger prizes, seeking massive ransoms from large companies. When the Colonial Pipeline, which sends around three million barrels of fuel from Texas to New York each day, was shut down after a ransomware attack on its IT systems in May, the pipeline owner paid a nearly US$5 million ransom to have its systems unlocked.

In 2019, when the city of Baltimore experienced a similar attack, it took a different approach. “We’re not going to pay criminals for bad deeds,” Mayor Bernard “Jack” Young declared. “That’s not going to happen.”

The hackers wanted US$76,000 to restore the city administration’s systems. Instead, it cost more than US$18 million to rebuild them and recover the data. Still, Young did the right thing. As long as companies and public agencies pay ransoms, the attacks will continue and grow in sophistication.

The other immediate answer to ransomware is for authorities to demand more visibility into cryptocurrency transactions. Bitcoin, ethereum and other coins are not truly anonymous: every transaction is recorded on a public ledger, and the Colonial Pipeline ransom was partly recovered by following it. But wallets carry no names, and the exchanges that convert coins to cash are what allow criminals making extortion demands to get paid with little risk of being identified. That is where regulation has to bite.

The argument against criminalising the paying of ransoms is that it penalises the victim who is just desperate to get their IT systems back online. It would also be hard to police. But ruling out payment as an option will also provide the incentive for businesses and our public agencies to finally take cybersecurity seriously and invest in the defences required to keep the hackers out.

The Waikato DHB was probably brought down by something as simple as an employee clicking on a link in a so-called “phishing” email, or opening an attachment containing malicious code that exploited a software vulnerability or simply ran when the document was opened. Once inside, the attackers would have had to move across the network to reach the systems that mattered, which is the stage where sound network design and monitoring should have stopped them.

We need a more cyber-literate workforce to reduce the risk of people being manipulated into welcoming the hackers in. We need creaking legacy technology systems to be updated, or moved to cloud-computing platforms where patching, backups and monitoring are easier to keep current, provided they are configured properly.

But if we resolve not to pay, we also need our critical infrastructure providers – hospitals, power stations, transport networks – to have a decent plan B to stay operational when the worst happens: backups kept offline where ransomware cannot reach them, restores that have actually been tested, and manual procedures staff can fall back on while systems are rebuilt.

We face a continuing risk of our sensitive financial, medical and other personal data being traded and used against us by hackers. But the only way to stop that is to stop the flow of money that makes it such a lucrative business.
