ABC News

Medibank hack a 'dog act', cybersecurity expert tells Q+A, before suggesting sometimes paying ransoms needs to be considered

The hacking of Medibank customers' data has been labelled a "dog act" on Q+A, but the national cybersecurity advisor to former prime minister Malcolm Turnbull says sometimes companies should consider paying ransoms to hackers to protect customer information.

The hackers said they have demanded $15.09 million in ransom not to release stolen customer information, including sensitive information about customers' medical procedures and data related to hundreds of customers who had a pregnancy terminated.

Medibank is currently refusing to pay the ransom, but Alastair MacGibbon, the chief strategy officer at CyberCX, and former advisor to Mr Turnbull said companies should not rule out payment as a blanket response to such demands.

"I'll echo what the minister for home affairs and the minister for cybersecurity have said: it's a dog act," Mr MacGibbon told Q+A host David Speers. "There's no good answer to whether or not an organisation should pay an extortion threat," he said.

"Medibank clearly has made a decision not to pay and that has largely been applauded in the media and by the public. But that's done, I'm sure ... as you've said, with a heavy heart.

"Paying is a legitimate option. It's not illegal, but how do you trust a criminal to return or delete information that has already proven they're a criminal and can't be trusted?" 

Asked by Speers if his advice was always "just don't pay the ransom", Mr MacGibbon — whose firm has been engaged by Medibank as a strategic advisor — said "absolutely not".

"I believe you want to give organisations the most options kept on the table as long as possible," he said.

"You have to engage with the criminals online and ask them what it is they've got," he said. "You need to find out what their intentions are and you need to understand the groups they are affiliated with.

"It's never an easy decision to suggest to pay. 

"The reason why it's still a viable option is we live in a horrendously permissive threat environment.

"Criminals come up to the door of your house, all of your houses and all of our businesses every day. They don't just rattle the door knob to see if the door is locked - they'll break into that door, if that was happening offline ... you would say it's unacceptable.

"But online we accept the fact that criminals can come up and victimise us."

The suggestion that companies should consider paying ransoms rankled both Minister for Early Childhood Education Anne Aly and Shadow Minister for Immigration and Citizenship Dan Tehan.

"I think the operative word here is criminal, and there's no such thing as an honest criminal, so even paying the ransom doesn't necessarily guarantee that the data that they have is going to be released, whether it's on the black market, on the dark web, or elsewhere," Ms Aly said.

It was a statement that saw some rare bipartisan support from the Coalition member on the panel, but Mr Tehan, Australia's first cybersecurity minister, also said there are cases where paying a ransom could be the right thing to do.

"In the first instance you shouldn't pay the ransom because you can't trust the crooks," he said.

"If you pay the ransom, they can then get almost a double ransom because then they can go and monetise the data and so they actually get double the reward for what you're doing.

"But you can never say absolutely never, that's why, to make it outright illegal to pay the ransom I think would be cutting off your nose to spite yourself, because there might be a very rare instance where it is the right thing to do."

Several audience members said they were victims of the Medibank and Optus hacks and were concerned about what would be done with their data, leading to calls for companies to be able to ask for less vital information.

'Punish the hell out of these people'

A new government bill proposing harsher financial penalties for privacy breaches is currently on the table, but the other question raised was why cyber hacks were suddenly becoming more prevalent.

Professor of political history and international security at Curtin University Joe Siracusa said it was because people did not take cyber criminals seriously enough, and called for harsher penalties for those involved.

"We have to think of some way to punish the hell out of these people," Professor Siracusa said.

"We've talked about you do not criminalise paying, and you always have a back channel, and officially the deal is we don't deal with terrorists or anything like that ... but I think when you catch somebody, you ought to send them to jail for a long time.

"We treat people on the internet who steal things like they were characters in a Walt Disney movie.

"We think it's funny that it's some 16-year-old kid or whatever, maybe some 22-year-old kid, hanging around somewhere in some coffee shop in Prague.

"We ought to throw the book at these people and we should make it very clear that we're going to go after them."

He then called for governments to properly compensate victims of cybercrime, before attention turned to data capture and storage, and Mr MacGibbon said less needed to be captured.

"Data is an important part of business, the question is, have you collected too much data, you know, that's not necessary," he said.

"Why do you need to give an email address to get a receipt in the business these days? It's just shocking."

Ms Aly said it is something she refuses to do, and implored Australians not to share theirs.

Elon Musk's 'cesspool'

The conversation on cybersecurity and online safety then turned to Twitter, which has been officially under the control of billionaire Elon Musk for a week.

The Tesla CEO has cut staffing, said verified users will have to pay to keep their blue tick, encouraged Americans to vote Republican at the US midterms and banned people making fun of him, despite claiming he would make the social media platform more open to free speech.

Twitter, though, was critiqued by audience member Melissa Keller-Tuberg for being a place where the vulnerable in society are "punched-down" upon, and while the panel agreed, they also took aim at Mr Musk for likely making it less safe.

"I know what is being said about Muslims and migrants and other people (on Twitter) and it's nothing new," author Kamila Shamsie said.

"This isn't starting with Elon Musk."

Asked for his thoughts on Mr Musk, Professor Siracusa came for the new CEO.

"I don't like Elon Musk, I think he is a fruitcake," he said.

"He plays us from day one. He knew he wanted to become a US citizen, but he knew that coming from South Africa that was going to be harder so he became a Canadian citizen first and worked his way into America.

"You can't put someone like him in charge of a network that allows hundreds of millions of people to say or not say what they want to say, and you are in charge of moderating or what goes forward and what goes back."

He then called Twitter the "Wild West" and unregulated, which led to Mr MacGibbon saying that staffing issues were likely to make it worse.

"Twitter and all those other social media platforms have become a really important communications tool for all of us," Mr MacGibbon said.

"Twitter is the world's newsroom ... like it or not.

"The unwinding of Twitter by Musk and the sacking of staff at Meta ... the people doing the horrendous job of sifting through the sewage of the internet trying to keep us marginally safe.

"That is a dangerous place to be."

That led to Ms Aly calling for harmful content on social media platforms to be more regulated.

"Some research that was done by Reset Australia showed that 41 per cent of 16- and 17-year-olds were exposed to content that underlines the incel discourse and that could lead to a violent act," she said.

"This is something that should worry everybody — that young people — through the algorithms that are set through these social media platforms, are viewing and are being exposed to disinformation and misinformation.

"Anti-Semitic content, far-right content, and incel content ... particularly young white men are being exposed to this content."

Asked about his thoughts on Twitter, Mr Tehan called it a "gutter" and said if people don't like it they can leave it.

He then admitted he was still active on the platform, before Ms Aly implored him to take his own advice.

"Get out of the gutter Dan," Ms Aly said.

"I got out of it a long time ago, I call it a festering cesspool."

Watch the full episode of Q+A on iview.

Editor’s note (11/11/22): An earlier version of this story incorrectly suggested Alastair MacGibbon told Q+A Medibank should have considered paying ransom demands to the cyber criminals behind the attack. Mr MacGibbon said, in some instances, ransom payments are a viable option for organisations to protect customer information. The story has been updated and the ABC apologises to Mr MacGibbon.
