Organisations and businesses should report ransomware payments to the nation’s chief cyber agency to help fight the surge in online extortion, says Labor.
Shadow Minister for Cyber Security Tim Watts introduced a private member’s bill to parliament on Monday morning that would require organisations to notify the Australian Cyber Security Centre (ACSC) before making any ransomware payments or risk incurring a $220,000 fine.
In his accompanying speech, Watts accused the government of “blaming the victims” of cyber attacks, saying too much burden was placed on organisations to fend for themselves.
“A hospital shouldn't be forced to use more and more of its scarce resources fighting cybercriminals, it should be using its resources to make sick people better,” Watts said.
“The boards and executive teams of our nation should be able to focus on making investments in its core business that create new jobs and increase shareholder returns, rather than constantly ratcheting cybersecurity investments.
“Tackling ransomware may begin with organisational security, but that is not the end of the conversation.”
Under the bill, organisations would have to provide written notice to the ACSC “as soon as practicable” about the ransomware incident including information about the attackers, a description of the attack, and technical evidence about the bad actor’s intrusions.
Organisations would not be exempt if they feared self-incrimination that arose from sharing information about the incident, though the ACSC would be restricted in how it could use notifications.
“This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups,” Watts said of the bill.
“It will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks.
“Importantly, it will give us a fuller picture of ransomware attacks in Australia and the scale of the threat.”
Ransomware resilience
There is a similar scheme in place for data breaches which requires organisations holding information about Australians to inform the Office of the Australian Information Commissioner (OAIC) when a breach has occurred.
Data compiled from the scheme showed there were 1,051 data breach notifications in Australia last year.
But whether a similar scheme for ransomware attacks will stop the threat of this increasingly disruptive force is up for debate.
Shane Bell, a cyber expert and partner with consultancy firm McGrathNicol, said there is a broader set of security problems Australia needs to address before ransomware can be kicked out of the country.
“I’m not convinced a majority of organisations in Australia plan for this to occur and have tested themselves under stress,” he told Information Age.
“Part of the reason I think there is so much talk around payments is because people see it as the easiest path to take in the middle of a ransomware event, even if it isn’t necessarily the right path to take.
“But unfortunately making the payment creates an economy that perpetuates the action – if you pay the ransom, that funds more ransomware attacks, and it’s a tough cycle to end.”
Bell thinks organisations ought to be better prepared for worst-case scenarios like ransomware attacks so they can respond when the time finally comes.
“I was in Navy, so if I think about sailing a warship from the ports in Sydney, it would be ludicrous to me to take it out to sea without contemplating all that could go wrong and testing your response to it,” he said.
“I’m not convinced we encourage businesses to think about cyber security in the same way and I think government has a role to play in providing timely, clear guidance to businesses.
“It’s not just about a regulatory framework – the stick – but also about providing meaningful advice and setting the standards Australian businesses need to live up to.”