Quad’s ransomware commitment could help shore up regional software supply chains 

The Indo-Pacific’s importance to the security of Australia and regional allies continues to dominate public discourse. Last month, the Quad foreign ministers from Australia, India, Japan and the United States released a joint statement on ransomware, recognising that vulnerabilities in cyberspace are compromising the security of critical national infrastructure and economic continuity in the region.

The statement is an important acknowledgement that ransomware is a transnational threat that can’t be mitigated purely through domestic policy. The rise of ransomware attacks on software supply chains demonstrates this much. The multistakeholder approach that the Quad statement highlights is key to addressing the vulnerabilities that enable this type of ransomware attack.

Ransomware is a highly profitable and disruptive cyberattack technique used by criminal and state actors alike. Companies in the information and communication technology sector are at particular risk because they are critical infrastructure providers that also hold rich data troves, which attackers can use as leverage in extortion or sell for profit on the dark web.

Since the Covid-19 pandemic, ransomware attacks have increased dramatically worldwide. The latest annual report on the state of ransomware, by cybersecurity firm Sophos, indicated a 78% rise in attacks globally between 2020 and 2021. Nearly two-thirds of the organisations surveyed reported having been affected.

Australia is the most targeted ransomware victim in the Indo-Pacific region, and the third most cyberattacked nation globally. The likelihood of an attack is high and, as recently as September, Australian telecoms provider Optus suffered what was then the largest data breach in the nation’s history. Outside of critical-infrastructure providers, ransomware targets are typically large organisations that have the capacity to pay high ransom demands due to their extensive operations. Australian-owned multinationals providing ICT products and services to domestic and regional clients that require regular software updates and installations fall into this category and have a high chance of being hit by supply-chain attacks.

A software supply-chain attack exploits the trust relationship between the vendor and its clients. A common scenario is an attacker exploiting a vulnerability to compromise the vendor’s source code, build pipeline or update mechanism and insert malicious code. Because the resulting updates come from the legitimate vendor, users install them unwittingly, infecting their own networks. This is also known as a downstream attack.

Effective cybersecurity programs require assessment of third-party vulnerabilities; however, they can’t always identify or mitigate compromised software because the malicious code is hard to distinguish from the trusted code it hides in, and an update that arrives through the vendor’s normal channel passes through perimeter controls such as firewalls as legitimate traffic. Detection and prevention of this type of attack are therefore best managed at the source, by the software vendor itself.

This is where the multistakeholder approach emphasised by Quad ministers comes into play. Cyber policy that aims to secure critical national infrastructure needs to recognise that third-party vulnerabilities—or links in the supply chain—are often the points most prone to compromise. Governments need to work collaboratively to identify the links between critical-infrastructure providers in their jurisdictions and organisations in the region. From there, domestic policy in each nation needs to reinforce the efforts of regional counterparts to ensure that baseline security standards, vulnerability reporting mechanisms and ransomware mitigation and response practices are comparable, if not interoperable.

The Kaseya ransomware attack in 2021 is an example of how the effects of supply-chain attacks can go beyond the intended victim. Kaseya was targeted by a Russia-based ransomware group called REvil that exploited a vulnerability in the company’s software. Kaseya provides ‘virtual system administrator’, or VSA, software—remote monitoring and management products that managed service providers use to administer their customers’ systems. The VSA software that was compromised had a high degree of trusted access to client systems. The attackers used compromised VSA servers to push what appeared to be a routine update to managed endpoints; it carried the ransomware, which infected clients in 17 countries. Customers included small businesses such as supermarkets, as well as schools and pharmacies. REvil then demanded a ransom payment from Kaseya for a universal decryptor. While Kaseya was a US company subject to US law, the ransomware attack had downstream supply-chain consequences globally.

A ransomware attack on an Australian business with downstream supply-chain relationships like Kaseya’s would have significant ramifications for regional stability and Australia’s broader national security interests, particularly if the business were held to ransom for an extended period.

State actors could easily leverage this technique for disruptive or coercive purposes, particularly since sophisticated malware can be programmed to check a system’s language or keyboard-layout settings and to stop operating when they match a list of excluded locales. This enables more refined and accurate targeting by adversaries and mitigates the risk of cyber fratricide.

Economic productivity and supply chains will be disrupted in the region if businesses are repeatedly taken offline. Such attacks could also damage Australian providers’ reputation for reliability and security, resulting in regional businesses seeking similar services from other major providers in the region. Australia’s economy would suffer, and adversaries could be given more control of digital trade. The reputational damage could also extend to diplomatic partnerships.

While these concerns have been framed in an Australian context, other Quad members are vulnerable to the same scenarios. The implications of a supply-chain attack are therefore significant for both Australia and regional partners. The importance of the Quad’s ransomware statement shouldn’t be lost. Public pressure should be placed on governments to keep them accountable to the Quad’s call for states to uphold the shared responsibility of assisting each other when faced with malicious cyber activity, particularly when ransomware threatens critical national infrastructure.

As a starting point, the Australian parliament should review the proposed amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2021 in this context and take it as an opportunity to demonstrate Australia’s commitment to combating regional cybersecurity risks to critical national infrastructure. There is also an opportunity to apply the lessons learned from the recent Optus and Medibank data breaches.

It’s time for Canberra to step up its leadership in this area and help spearhead the formulation of robust, consistent and enduring ransomware mitigation and response policies and practices that can be developed and emulated by regional partners. Only through collaboration can the threat of instability that ransomware poses be managed.