How should the authorities best respond to cybercrimes?

Cascading data breaches and murky cyber mechanisms have prompted the parliament to seek expert recommendations regarding the role of Australian law enforcement in responding to cybercrime.

Senators forming the Parliamentary Joint Committee on Law Enforcement (the Committee) are footing an inquiry into the capability of law enforcement to respond to cybercrime, drawing some 38 submissions from industry experts on topics from law enforcement and police upskilling to ransom payments and youth intervention.

Helen Polley, Tasmanian Labor senator and Chair of the Committee, said cybercrime remains a serious issue that demands an immediate response from government.

“On average, one cybercrime is reported every six minutes, with ransomware alone causing up to $3 billion in damages to the Australian economy every year,” she said. “In order for governments globally to tackle cybercrime, they must work with the community and industry to confront this global fight.”

During a 23 May public hearing, Reece Corbett-Wilkins, partner at global law firm Clyde & Co, called for clarification of existing laws around ransom payments. Corbett-Wilkins advocated for decriminalisation of ransom payments, suggesting some circumstances — such as when a critical infrastructure operator is attacked and needs to restore its services — warrant a payout.

“These decisions are always made through gritted teeth, and it is one of the most unenviable positions to be in as a board director,” Corbett-Wilkins told the Committee.

He described the stifling effect a ransom ban or punitive action could have on post-incident information exchanges with law enforcement.

“Organisations are deterred from sharing that information because of the risk of prosecution,” he said. “Decriminalisation of ransom payments will encourage information sharing with law enforcement from victims of ransomware attacks and those that pay. This will result in more disruption, takedowns and hopefully, arrests.”

Failing decriminalisation, Corbett-Wilkins called for law enforcement to make it “abundantly clear on the public record” that victims will not face prosecution for making a ransom payment, while fellow Clyde & Co partner Avryl Lattin pitched that government could provide safe harbour to companies that cooperate with law enforcement prior to making a ransomware payment and demonstrate having performed due diligence to avoid paying a sanctioned person.

Clyde & Co — which advises companies on incident response and deals with 100 to 150 ransomware incidents per year — has already observed a significant downturn in organisations paying ransoms, from 89% in 2019 to approximately 30% of Australian organisations now.

Early intervention for youth hackers

Debi Ashenden, cybersecurity professor and director at University of New South Wales (UNSW) Institute for Cyber Security, spoke to concerns of tech-savvy youth being drawn to cybercrime at an early age.

“A lot of under-16-year-olds get into cybercrime quite early — largely through cheating at online gaming, which is not illegal,” Ashenden said. “They inadvertently, in a lot of instances, slip into cybercrime because they want to find out how to do more online.”

Ashenden suggested a range of law enforcement intervention options to the Committee, from making their presence known in criminal forums, utilising ad-words to warn youth when they conduct criminal searches and having police carrying out cease-and-desist visits to the homes of at-risk youth.

Ashenden further raised the notion of upskilling the police by collaborating with external specialists — such as psychologists — so they can adequately perform intervention work and behaviour-change programs themselves.

“It’s not about always relying on external people,” she said. “It’s also about finding ways to upskill the police in some of these areas, and it can be done.”

The professor noted such intervention work could help convert cybercriminals to cyber professionals — maintaining their interest in the field while ultimately helping to close Australia’s cybersecurity skills gap.

Make crime reporting matter

A consistent issue raised throughout the hearing was the handling of cybercrime reports, which Ken Gamble, co-founder of cybercrime investigation unit IFW Global, said often don’t make it to the right place.

“It doesn’t matter how much they’ve lost, whether it’s $10 million or $100 million… it doesn’t get investigated,” Gamble told the Committee.

Gamble noted while outfits such as Australia’s Joint Policing Cybercrime Coordination Centre have the mandate to look at cybercrime cases, the number of reports is simply overwhelming.

Gamble recommended a triaging approach for the “hundreds, if not thousands, of complaints” which arrive through the Australian Signals Directorate’s cyber.gov.au, suggesting many are from victims of the same overseas criminal syndicates and need to be assessed by similarity.

“There’s no ability to identify the characteristics of that complaint as being identical to the next one and the next one,” Gamble said. “They’re being treated as individual complaints, and that’s the biggest gap in the system.

“There’s only really a handful of major syndicates that have been targeting Australia for the past decade.”

Gamble further suggested domestic authorities should investigate and prosecute cybercriminals outside of domestic borders — drawing reference to successful international initiatives out of the US and Germany — before further pointing out a lapse in state and territory police collaboration.

“We know that the New South Wales police and the Victorian police are not aware of some of the cases that the South Australian police and the Western Australian police are investigating,” Gamble said. “There’s no central ability to link these cases together.”

A government response is due within three months after the Committee tables its report on the inquiry, though there is currently no due date for the report.

Image credit: iStock.com/XtockImages