Date: 2022-11-14

The Albanese government has ratcheted up the rhetorical fervour in its stoush with allegedly Russian-based cybercriminals unsuccessfully extorting Medibank, although it is still unclear whether there has been a material shift in posture beyond the creation of a new task force.

“This is a really difficult and stressful time for Australians. You’re entitled to keep information about your health, whatever it is, completely private. It doesn’t matter who you are or what the information might be, that is your right and it’s been stolen from you by Russian thugs,” Home Affairs minister Clare O’Neil said on Saturday, vowing Australia will now “hack the hackers”.

The official line is that a new 100-strong unit drawing on both the “Australian Federal Police and the Australian Signals Directorate will initiate an ongoing, joint standing operation to investigate, target and disrupt cyber-criminal syndicates with a priority on ransomware threat groups.”

Peel that back one layer and the rhetoric goes to Australia using its now-declared offensive cyber capabilities made public by former prime minister Malcolm Turnbull.

At the time they were revealed it was made clear that privateer hacker groups and criminal syndicates could be painted-up and hit if determined to pose a sufficient threat to Australia’s national security, and that the AFP would feed into this.

The tightrope now being walked is to what degree that offensive capability is publicly paraded by the government because it starts to veer into the territory of state-sponsored cyber operations that have the potential to escalate.

Cyber doctrine between military protagonists has been well settled for decades, with espionage, exfiltration and theft regarded as routine tradecraft, as distinct from delivering the equivalent of a kinetic effect, like shutting down transport and logistics infrastructure (air, roads, rail), energy assets or other civilian infrastructure like hospitals, water and supermarkets.

Parts of the financial services industry have been bellyaching that they are under persistent siege from hackers, but in reality institutions and payment schemes have been playing a constant game of catch-up because of fast and loose online security for transactions that has built a robust fraud industry.

That fraud goldmine, which in Australia clips the ticket to the tune of circa $450 million per year, is now being challenged not by better bank and card security, but by the migration of transactions away from Microsoft-based personal computers to mobile handsets with built-in biometrics linked to mobile wallets like Apple Pay.

It’s a figure that will not budge, despite much handwringing. Banks also offload this fraud to merchants, losses that get fed back into higher prices.

The Australian Payments Network released its annual payment fraud statistics today and the losses came in like clockwork with ‘card not present’ fraud (online card fraud) rising 2.9% to $454 million for the financial year ending 30 June 2022.

Banks are now worried that the spate of recent hacks could be preparation for Australia’s planned activation of authorised push payments, which allow funds to be released by clicking on an authorisation in a request sent to a payee.

The capability has gone off the rails in the UK and push payments fraud is now bigger than card fraud there, with consumers eating the losses.

Despite clear bank concerns, communicated in a recent submission to Treasury, about the dangers of launching such a system here in the present environment, there are few outward signs that lessons from the UK will be heeded by policymakers.

So far the ransomware hits and data spills from Medibank and Optus have been fairly low impact, despite the giddy rhetoric, with no immediate consumer financial losses or payment credentials swept up.

Attributed to Russian crew REvil, the ransomware hits also did not encrypt and lock owners out of their systems, as has been customary to extract payments in the past.

O’Neil, meanwhile, is talking up her new anti-ransomware squad.

“They will show up to work every day with the goal of bringing down these gangs and thugs. This is the formalisation of a partnership, a standing body in the Australian Government, which will day in, day out, hunt down the scumbags who are responsible for these malicious crimes against innocent people,” O’Neil said.

The question the government still hasn’t answered is what a successful perp-walk or bust looks like.

With the war grinding on in Ukraine, and sanctions biting Russia, a little extra hard currency cash flow exfiltrated from a lippy middle power must look more appealing every day.