Decoding Quad’s agenda and focus on cybersecurity
In late-September, Quad foreign ministers released a joint statement on cyberattacks that represents a significant development to tackle the rising spate of online threats. Can Quad prevent increasing cyberattacks in the Indo-Pacific?
In June, Quad unveiled an expanded agenda where Australia, India, Japan and the United States (US) could cooperate on issues such as the climate crisis, health, and critical technologies. The impetus to drive momentum and achieve greater convergence appears imminent on technology issues. In late-September, Quad foreign ministers released a joint statement on cyberattacks that represents a significant development to tackle the rising spate of online threats.
Can Quad prevent increasing cyberattacks in the Indo-Pacific?
First, it’s important to grasp Quad’s focus. The joint statement on ransomware targets malicious cyber activities from China, Russia, and Iran that target critical infrastructures across Quad and other countries. The statement identifies and singles out ransomware attacks, where the attacker locks and encrypts the victim’s data, critical files, and demands payment to unlock and decrypt data.
For Quad countries, ransomware attacks have increased. Several small, medium and large companies are experiencing such strikes, raising the cost of doing business. In addition, ransomware attacks have proliferated as reliance on the cloud increases, allowing hackers to target cloud-based networks.
One of Covid-19’s most significant effects is the accelerated adoption of digital technologies to deliver health care, personal finance, and education services. For instance, nearly 40% of adults in low and middle-income economies (excluding China) made their first online payments after the start of the pandemic. Unfortunately, as digital transactions exploded, so did ransomware threats. Three sectors — energy, health care services and finance — have borne nearly 45% of all ransomware attacks.
Quad countries have seen several cyberattacks since 2020. In the US, the Colonial Pipeline hack and the attack on JBS Foods are recent high-profile cases. The Australian Cybersecurity Centre notes a 15% increase in ransomware attacks in Australia in 2020-21. Indian entities, such as Oil India and SpiceJet, have been attacked since 2020. Japan witnessed 114 ransomware attacks in 2022, with almost 60% targeting small and medium enterprises. To be sure, ransomware attacks are not solely a Quad phenomenon; other countries have also been hit.
Quad’s interest and focus on ransomware are connected to the alleged sources of such malicious attacks. A BBC report earlier this year suggested that nearly 75% of revenues derived through ransomware attacks went to criminals and groups linked to Russia and China. Chinese hackers are using ransomware attacks for economic purposes, most recently to obtain vaccine research secrets.
Ransomware perpetrators can also be a part of State-backed cyber groups that conduct cyber espionage. One recent attack found that the Chinese state actor, APT 41, “has siphoned off an estimated trillions in intellectual property theft from approximately 30 multinational companies within the manufacturing, energy and pharmaceutical sectors”.
Undoubtedly, Chinese cyber operations pose serious national security challenges for Indo-Pacific countries and this, alongside other factors, appears to have given Quad enough reasons to kickstart cyber discussions. Quad discussions on ransomware can facilitate domestic policy changes that could better prepare each country to confront and constrain attacks.
First, Quad countries benefit from sharing information and experiences on the nature, type, and frequency of such disruptions that could lead to tighter domestic cybersecurity rules, especially punitive, and by strengthening policies such as cyber insurance that protect firms. Quad’s value as a flexible, issues-based coalition appears particularly apposite to discuss shared asymmetric threats such as ransomware that affect all partners.
Second, Quad discussions could strengthen domestic cyber capabilities through joint training exercises that could be further institutionalised; so far, Quad has regularised interactions between its members’ national Computer Emergency Response Teams. India and the United Kingdom recently conducted a simulated ransomware attack on the energy sector to test counter-ransomware responses. Discussing counter-ransomware protocols helps Quad countries bolster cyber defences.
Third, Quad discussions can flag and highlight best practices to track and deter ransomware attacks through the “implementation of baseline software security standards.” One specific area Quad is looking to leverage is government procurement. Codifying robust standards in government procurement processes will help develop software products with security protocols built in by design to ensure a secure and bug-free software supply chain. Such measures, Quad hopes, can drive market change in software security that compels private sector firms to take cybersecurity seriously. The long-term desire will be to extend these standards to industry procurement processes.
One big challenge, however, is each Quad member’s domestic cybersecurity situation. That India lags on cyber defence and preparedness with poor cyber hygiene standards does not spell doom, but it could constrain the speed at which Quad collectively responds.
Training aside, it’s vital that Quad discussions identify how to best quantify progress on ransomware defence and deterrence. In other words, it needs to determine what practical measures can be taken not only to counter ransomware but also prevent specific countries from becoming safe havens for ransomware actors. Strengthening cyber resilience across the Indo-Pacific will hinge on this objective.
Karthik Nachiappan is research fellow, Institute of South Asian Studies at the National University of Singapore. Nishant Rajeev is senior analyst South Asia Program, S Rajaratnam School of International Studies, Nanyang Technological University in Singapore
The views expressed are personal