Aussie businesses may be forced to disclose ransom payments under new cyber legislation aimed at clarifying precisely how much hackers are raking in from attacks.
Former Minister for Cyber Security, Clare O’Neil, told ABC the government will soon unveil a major cyber security bill which would force Australian businesses and government entities to disclose ransom payments.
If brought into law, the Cyber Security Act would threaten fines of $15,000 or more for failure to disclose such payments.
“It is believed that in the Five Eyes countries alone [Australia, Canada, New Zealand, United Kingdom and United States] literally billions of dollars in ransoms is being paid, and criminal gangs are reinvesting that money … to attack us again,” said O’Neil.
According to new research commissioned by information technology company Cohesity, the majority of Australian organisations surveyed are willing simply to pay a ransom if it means getting their systems back online.
The research – which polled some 502 Australian IT and security decision-makers – showed fully 60 per cent of respondents had been “the victim of a ransomware attack” in the six months before being surveyed.
Over half of these respondents said their organisation had paid a ransom in the last year – despite 72 per cent saying their company had a “do not pay” policy – while 60 per cent said they’d “be willing to pay over US$1 million in ransoms” to recover data and restore business processes.
Considering the threat of systems remaining permanently encrypted, hackers releasing sensitive customer data on the dark web, and potential punishment from regulators for any lax cyber security measures uncovered during an attack, businesses often choose to quietly pay the hackers in the hope of sweeping the incident under the rug.
The resulting climate is one where government and industry are left to speculate on the true scale of ransom attacks and ransom payments – creating a crucial blind spot which the government hopes to address in the forthcoming bill.
“People are paying criminals money and it is happening in the darkness,” O’Neil told ABC.
“This is not a sustainable situation, and businesses understand that.”
No ransom ban, for now
First foreshadowed in the 2023-2030 Cyber Security Strategy – which sought input from industry to co-design options for a “mandatory no-fault, no-liability ransomware reporting obligation” – the bill signals a softening in the government’s historically firm stance against ransom payments.
In the wake of landmark data breaches at Optus, Latitude and Medibank, O’Neil famously said paying hackers “only fuels the ransomware business model”, leading many experts to anticipate an inevitable ban on ransom payments.
Instead, the government appears to have responded to industry calls for a softer, more collaborative approach.
During a recent hearing for an inquiry into the capability of law enforcement to respond to cyber crime, law firm Clyde & Co’s Reece Corbett-Wilkins said “decriminalisation of ransom payments” would encourage information sharing with law enforcement.
“[This] will result in more disruption, takedowns, and hopefully arrests,” said Corbett-Wilkins.
Of the 220 submissions given to the most recent Australian Cyber Security Strategy Discussion Paper, many either directly opposed a ransom ban or at least called for government to offer support to victimised businesses.
“The Government should follow the position of many other nations in seeking to bring ransomware attackers to justice and to recover from such attackers all extorted funds, but not prohibit ransom payments by victim entities except in situations where the payment would be made to a known sanctioned entity,” read a submission from the Information Technology Industry Council.
O’Neil meanwhile pushed back against criticisms of a ban – stating Australians can’t just “continue undertaking a practice where private companies and private citizens are paying criminals”.
“I do believe that inevitably we’re going to have to ban the practice, it’s just the time is not now,” she said.
Will small businesses suffer?
The legislation would apply to businesses with an annual turnover of $3 million or more – a threshold which has drawn criticism from industry and business groups for introducing a potentially harmful reporting obligation and penalty for smaller operators.
Cyber security expert Troy Hunt meanwhile argued the bill is not as harsh as some pundits suggest.
“Approximately 90% of Aussie businesses have turnover [of less than] $3m/y, so the scope is still very small,” said Hunt.
“Whilst breached orgs are victims themselves, they have to wear the accountability.
“That's the cost of business in the digital era and we should increasingly hold them accountable when they try to conceal incidents at the expense of the individual victims and the community.”
O’Neil clarified to ABC that cyber authorities won’t dob in to regulators those who follow their reporting obligations.
“This is a no-fault scheme,” O’Neil said.
“We're not blaming businesses … they're victims of a crime.”
Matt Old, Cohesity’s director of cloud alliances in the Asia-Pacific and Japan, told Information Age, “it will be essential that any new legislation balances, complements, and dovetails with existing legislation and regulations”, before emphasising the importance of resilience in the face of ransom threats.
“Our strong recommendation to organisations is to prioritise cyber resilience because that is vital to your business continuity objectives and your compliance with legislative and regulatory requirements,” said Old.
“Organisations should view legislation and regulation as 'the floor' and not 'the ceiling' because malicious actors have a constant incentive, a lucrative incentive, to innovate.
“This means you're only as cyber resilient as the capabilities, best practices, and processes you have in place.”
The Cyber Security Act is expected to be brought before parliament in the next sitting.
It comes shortly after Tony Burke was announced as the new cyber security minister in a major Cabinet reshuffle last Sunday, replacing O’Neil.