
Quad’s Pledge Against Ransomware Could Help Strengthen Regional Software Supply Chains


The importance of the Indo-Pacific to the security of Australia and regional allies continues to dominate public discourse. Last month, the Quad Foreign Ministers of Australia, India, Japan and the United States issued a joint statement on ransomware, recognizing that vulnerabilities in cyberspace compromise the security of critical national infrastructure and economic continuity in the region.

This statement is an important recognition that ransomware is a transnational threat that cannot be mitigated by national policy alone. The increase in ransomware attacks on software supply chains demonstrates this. The multi-party approach highlighted by Quad’s statement is key to addressing vulnerabilities that enable this type of ransomware attack.

Ransomware is a highly profitable and disruptive cyberattack technique that serves both criminal and state actors. Companies in the information and communications technology sector are particularly at risk as they are critical infrastructure providers who also hold rich treasuries of data that can be leveraged or profitably exploited on the dark web.

Since the Covid-19 pandemic, ransomware attacks have increased dramatically around the world. The last annual report on the state of ransomware, by cybersecurity firm Sophos, reported a 78% increase in attacks worldwide between 2020 and 2021. Nearly two-thirds of organizations surveyed said they had been affected.

Australia is the most targeted ransomware victim in the Indo-Pacific region, and the third most cyberattacked nation globally. The probability of an attack is high and, as recently as September, the Australian telecommunications provider Optus was successfully targeted in the largest nationwide data breach on record. Apart from critical infrastructure providers, ransomware targets are usually large organizations that have the ability to pay high ransom demands due to their extensive operations. Australian multinationals providing ICT products and services to national and regional customers that require regular software updates and installations fall into this category and are at high risk of being hit by supply chain attacks.

A software supply chain attack exploits the trust relationship between vendor and customer. A common scenario is the exploitation of a vulnerability that allows hackers to compromise vendor source code with malware. Software updates containing malicious code are then unwittingly installed by users, infecting their networks. This is also known as a downstream attack.

Effective cybersecurity programs require an assessment of third-party vulnerabilities; however, they cannot always identify or mitigate source code compromises in software because they are difficult to detect and can evade firewalls when hidden in trusted code. The detection and prevention of this type of attack is best handled at the source by the software vendor itself.

This is where the multi-stakeholder approach put forward by the Quad ministers comes in. Cyber policy aimed at securing critical national infrastructure must recognize that third-party vulnerabilities, or links in the supply chain, are often the points most likely to be compromised. Governments should work collaboratively to identify linkages between critical infrastructure providers in their jurisdictions and organizations in the region. From there, each country’s national policy should reinforce the efforts of regional counterparts to ensure that baseline security standards, vulnerability reporting mechanisms, and ransomware mitigation and response practices are comparable, if not interoperable.

The 2021 Kaseya ransomware attack is an example of how the effects of supply chain attacks can go beyond the intended victim. Kaseya was targeted by a Russian-based ransomware group called REvil that exploited a vulnerability in the company’s software. Kaseya provides “Virtual System Administrator” or VSA software products, remote monitoring and management products that use cloud technology to manage a range of business activities. The compromised VSA software had a high degree of reliable access to client systems. When the software was automatically updated, the ransomware infected customers in 17 countries. Customers included small businesses such as supermarkets, as well as schools and pharmacies. REvil then demanded a ransomware payment from Kaseya. While Kaseya was an American company governed by California law, the ransomware attack had downstream consequences in the supply chain globally.

A ransomware attack on an Australian company with downstream supply chain relationships like Kaseya’s would have significant ramifications for regional stability and Australia’s broader national security interests, particularly if the company were ransomed for an extended period.

State actors could easily leverage this technique for disruptive or coercive purposes, especially since sophisticated attacks can ensure that malicious code is programmed to stop working when uploaded to a network with specific language settings. This allows for more accurate and precise targeting by adversaries and mitigates the risk of cyber fratricide.

Economic productivity and supply chains will be disrupted in the region if businesses are repeatedly taken offline. Such attacks could also damage Australian vendors’ reputation for reliability and security, prompting regional companies to seek similar services from other major vendors in the region. The Australian economy would suffer and adversaries could have more control over digital commerce. Reputational damage could also extend to diplomatic partnerships.

While these concerns were framed in an Australian context, other members of the Quad are vulnerable to the same scenarios. The implications of a supply chain attack are therefore significant for Australia and regional partners. The importance of Quad’s ransomware statement should not be lost. Public pressure should be brought to bear on governments so that they are held accountable for the Quad’s call on states to take shared responsibility to help each other in the face of malicious cyber activity, especially when ransomware threatens critical national infrastructure.

As a starting point, the Australian Parliament should consider the proposed amendments to the Security (Critical Infrastructure) Amendment Bill 2021 in this context and use it to demonstrate Australia’s commitment to tackling regional cybersecurity risks to critical national infrastructure. Lessons learned from recent Optus and Medicare ransomware attacks can also be applied.

It is time for Canberra to strengthen its leadership in this area and help lead the formulation of robust, consistent and sustainable ransomware mitigation and response policies and practices that can be developed and emulated by regional partners. Only collaboration can manage the threat of instability posed by ransomware.