Businesses that make ransomware payments to hackers will be forced to report their actions to government authorities under tough landmark legislation introduced to Parliament this week.
The Cyber Security Legislative package includes mandatory ransomware reporting for certain businesses and mandated minimum cyber security standards for smart devices in a bid to keep cyber criminals locked out of homes and businesses.
It will also see the establishment of a Cyber Incident Review Board.
The reforms, introduced under the Security of Critical Infrastructure Act 2018 (SOCI Act), aim to clarify existing obligations in relation to systems holding business critical data and simplify information sharing across industry and government.
The Government says the package has been developed following extensive consultation with public and private stakeholders, as well as targeted consultation.
The new legislation brings Australia in line with international best practice.
It will require firms with a turnover of $3 million or more, as well as government entities, to report payments to the Australian Signals Directorate’s Australian Cyber Security Centre.
Fighting for victims
Government advice to businesses has been standard for years – never pay a ransom to hackers, as there is no guarantee you will regain access to your information or prevent it from being sold or leaked online.
A ransomware threat is one where cybercriminals demand payment in return for sensitive data removed from a company’s system, or for not releasing sensitive data online.
The new reporting requirements are designed to help the government understand how much money is being lost to ransomware, which has been notoriously difficult to track.
It will also help intelligence teams gain greater visibility over online risks, recognised as a growing national security threat.
It is likely that fines will be issued if ransomware payments are not reported.
The new laws have a strong focus on ransomware victims who have fallen foul of the malicious software that cyber criminals use to block access to crucial files.
Minister for Cyber Security, Tony Burke, said that the protection of the nation’s cyber security and critical infrastructure is vital to Australia’s national security and economic stability.
He said the legislation will harden the systems and legislation to keep ahead in a heightened geopolitical and cyber threat environment, adding that strong laws and protections are necessary to protect every citizen and business across the digital economy.
“The creation of a Cyber Security Act is a long overdue step for our country and reflects the government’s deep concern and focus on these threats,” said Burke.
“Australians love the convenience of smart devices at home, but consumers need to know that smart devices are still safe devices.
“This legislation ensures we keep pace with emerging threats, positioning individuals and businesses better to respond to and bounce back from cyber security threats,” he said.
Online safety risks
The legislative push follows research from the Australian Cyber Collaboration Centre that reveals a pressing need to address growing concerns about attitudes towards online safety, with worrying trends particularly evident among younger people.
The research found that Australians are increasingly frustrated by online security measures.
In Australia, 52 per cent of respondents reported that online security is frustrating, with 44 per cent admitting they feel intimidated by the complexities of staying safe online.
Even more concerning is the significant decline in the perceived value of online security, with only 60 per cent of Australians believing it is worth the effort – a drop of 9 per cent since last year.
The centre says the report underscores the urgent need to address the generational disparities regarding attitudes to cyber security.
In particular, Gen Z and Millennials are becoming increasingly pessimistic about their ability to stay safe online.
Meanwhile, most younger respondents no longer believe the effort to remain secure is worthwhile, with many reducing their online activities due to these concerns.
A staggering 43 per cent of all participants assumed their devices were automatically secure, indicating a widespread complacency, especially among younger generations.
“Complacency and frustration are dangerous combinations in the fight against cybercrime in Australia,” said Matthew Salier, chief executive officer at the Australian Cyber Collaboration Centre.
“Vulnerability to cyber attacks is of particular concern across younger generations because they’re not taking adequate precautions, relying too heavily on others or assuming their devices are secure.”
The Australian Cyber Security Centre hotline can be contacted 24/7 on 1300 292 371 for cyber security assistance.