The government will introduce a new mandatory ransomware reporting scheme as it looks to crack down on cybercriminals targeting Australians.

Sparse details about the scheme were announced alongside the Department of Home Affairs’ Ransomware Action Plan, released on Wednesday, but the government said it will likely affect businesses with an annual turnover greater than $10 million.

The announcement came as a surprise to the office of Labor’s Shadow Minister for Cyber Security, Tim Watts, who introduced a similar private member’s bill to parliament earlier this year.

His scheme would have required businesses to notify the Australian Cyber Security Centre (ACSC) before making ransomware payments, or else face a fine.

Watts’s office was bemused by the timing of Andrews’s announcement – which comes near the end of the parliamentary year and on the eve of an election – and was disappointed that the government didn’t reach across the aisle on this bipartisan issue to expedite the process of enacting ransomware reporting legislation.

In a joint statement from Watts and Shadow Home Affairs Minister, Senator Kristina Keneally, the opposition said it was “too little, too late” for this change to cyber security reporting.

“[The government] failed to act for months despite an onslaught of attacks against Australian organisations this year including multiple health and hospital networks, the Nine network, and JBS Meats, our biggest meat supplier,” Keneally and Watts said.

“Instead, it’s simply blamed the victims, telling businesses it’s up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals.”

Criminalising ransomware

Along with the ransomware reporting scheme, the government’s Ransomware Action Plan will see it introduce new aggravated criminal offenses for ransomware-related crimes and for bad actors who target critical infrastructure.

Buying and selling malware for criminal purposes – as opposed to research purposes – will be criminalised, along with dealing in stolen data.

The government also wants to give law enforcement stronger powers to “track and seize or freeze” ill-gotten cryptocurrency.

“Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances,” Home Affairs Minister, Karen Andrews, said in the Action Plan announcement.

Despite the laws sounding tough on paper, it is unclear exactly who will be prosecuted under them, given that ransomware is typically perpetrated from offshore and ransomware criminals are notoriously hard to pin down.

In answers to a question on notice from Senate Estimates late last year, the Australian Federal Police (AFP) said it had charged only one person with ransomware-related criminal offenses in 2020.

Industry welcomes changes

The cyber security industry has welcomed the government’s attempts at confronting the ransomware scourge.

Jacqueline Jayne, a security awareness advocate at KnowBe4, called the mandatory reporting scheme a “move in the right direction”.

“We need more visibility and transparency to encourage more conversations about the impact and ferocity of ransomware attacks or near misses,” she said.

“The increase in discussion would bring with it an opportunity to educate all Australians about cybersecurity risks and reporting can be used as a tool to share and to learn from these incidents.”

Nick Lennon, country manager for Mimecast Australia, said the scheme may force businesses to make decisions about cyber security that align more closely with best practice.

“An argument can be made that in the absence of regulation – such as mandatory reporting – a business impacted by ransomware will make fiduciary decisions that represent the best outcome and best value for shareholders,” he said.

“This may not be in the best interests of its supply chain, its customers, or the community at large, because secrecy about ransomware disclosures hides the true extent and cost of the problem and limits greater understanding of the techniques and perpetrators.”