LockBit lessons drive Australia to stand up early IR sharing mechanism


The disruption of the LockBit ransomware gang earlier this year has been used to galvanise countries, including Australia, to create mechanisms that lead to earlier sharing of incident response (IR) intelligence.



Michelle McGuinness and Hamish Hansford at senate estimates.

Home Affairs’ cyber and infrastructure security group deputy secretary Hamish Hansford told senate estimates yesterday that the UK-led takeover of LockBit’s infrastructure and services had been positioned as a case study for earlier intelligence sharing at a counter-ransomware initiative (CRI) meeting “a couple of weeks ago”. 

“One of the key lessons [from LockBit] that was shared by the UK was around the fact that if IR [incident response] firms and people had reported much earlier there might have been an earlier interdiction of that particular group,” Hansford said.

“Certainly, that’s an example that we’ve all be seized [on] to come back to our own countries and say, ‘Early reporting is gold’. 

“It’s absolutely essential in understanding what criminals and other actors are doing and how we can get on top of things much earlier in a way that other jurisdictions are thinking of.”

Hansford said that Australia’s intended mechanism to do that is a so-called limited-use obligation, an idea floated in last year’s federal cyber security strategy that could encourage cyber incident disclosure to the ASD and the national cyber security coordinator.

A mechanism is required that lays some ground rules around how shared information gets used, and in particular that the intelligence would not be used against industry as the basis of regulatory action.

Hansford said that currently people “are reporting [only] what they have to report”, such as under incident disclosure rules applying to critical infrastructure operators.

“What we’re trying to do is get early engagement from industry to assist particularly ASD and the [cyber security] coordinator,” he said.

“Every country I spoke to is grappling with how you do that through a formal reporting regime.

“[The limited-use obligation] is an attempt to say, actually collaboration with intelligence, with early information, things that won’t be used by a regulator for an investigation, that’s separate to all of this work, and what we’re trying here is effectively something that countries are grappling with around the world.

“So, we’re trying to legislate – assuming the parliament considers the legislation – a limited-use requirement to deal with that really early engagement to try and build a much more resilient country and get onto things much quicker.”

Cyber security coordinator Lieutenant General Michelle McGuinness noted that sharing of incident response information or intelligence from “entities in crisis” had been a barrier “in the past”.

“Whether it be cultural or something that is uncertain of how or who or why they might,” she said.

“I’ve certainly spoken to some entities who still ask the question, ‘Well, why would I talk to government and what could you do for us?’

“The limited-use legislation will provide greater clarity on and trust on how myself and ASD will use that information, which in the first instance we often talk about an emergency response or the fire brigade – we’re here to put out the fire, contain the damage.

“The immediate actions and focus is on reducing the harm and minimising the consequences and containing it from both an operational and technical perspective and then from a consequence management perspective.

“We know that time is of the essence in both the consequence management and on the technical remediation or identification of what the threat is to ensure that it’s not sector-wide, it’s not a vulnerability that impacts many, that it’s being contained, and the consequences are identified rapidly, and we put immediate measures in place to minimise harm.”


