The Albanese government will introduce a mandatory ransomware reporting scheme for businesses as part of its update to the national cybersecurity strategy, ruling out an outright ban on the payment of ransom demands.
Cybersecurity minister Clare O’Neil unveiled the proposed notification scheme on Monday, as one of the country’s biggest port operators continues to battle a ransomware attack that suspended operations at ports in several states.
It comes just weeks after the government formally pledged not to pay cyber ransom demands itself, a result of a US government push for a non-ransom-payments pledge between Counter Ransomware Initiative members.
An evolution of a scheme proposed by Labor while in Opposition, the no-fault, no-liability ransomware reporting obligations have been designed as an early warning system to help get businesses the support they need. It will require business to report all ransomware incidents, ransom demands and payments.
According to the Australian Signals Directorate, ransomware attacks currently cost the Australian economy $2.95 billion each year, a figure that is continuing to increase, with the ransomware attack on port operator DP World one of the recent high-profile examples.
In the first half of the year, global ransomware attacks grew 45 per cent, according to US deputy national security advisor for cyber and emerging technology, Anne Neuberger. Ransomware payments have also increased 120 per cent this year in the US.
Despite the growing number of payments globally, Ms O’Neil said it was clear from consultation with industry on the 2023-2030 Australian Cyber Security Strategy that an outright ban was not supported, with some arguing that it would complicate matters future.
“Over the last 12 months, I have engaged with hundreds of business leaders across the country and some of the best cyber thinkers in the world, and what we have heard consistently is that Australia is not yet ready for an outright ban of ransomware payments,” she said.
While ruling out a ban, the government will continue to strongly discourage businesses from paying ransoms and will instead step-up support for businesses, including through the creation of a new ransomware ‘playbook’.
“Our first step must be getting the right supports in place for businesses and citizens so that it can become an easy decision to not pay ransoms. And, to build a picture of what’s really going on so we can tackle it head on,” she said.
“The problem today is effectively hidden. We know tens of millions of cyber-attacks are attempted every year. We don’t have that picture of which companies and industries are targeted and when, and how many ransom demands are actually paid.”
The reporting obligation is expected to be co-designed with industry following the release of the updated cybersecurity strategy, which is expected as early as next week, with the consultation also to consider streamlining and coordination other cyber reporting obligations, which remains a bugbear for the sector.
The Australian Federal Police and ASD are also expected to ramp up work to investigate and disrupt the perpetrators of ransomware attacks, with the potential for sanctions to be used against nation states that are found to have a connection.
In addition to new ransomware reporting obligations, the government is planning to fast-track changes to Australia’s critical infrastructure laws that bring the telecommunications sector under the Security of Critical Infrastructure (SOCI) Act.
It follows calls from the Australian Telecommunications Security Refence Group earlier this year for reduced duplication and complexity in national security legislation, with the government committing to work with the sector on the proposed changes.
In classifying telecommunications as one of the sectors under the SOCI Act for the first time, telco providers will be held to the same high standard as other critical infrastructure sectors like energy, data storage and processing, and financial services.
“Our cyber security depends on properly regulated telcos, and that’s why today we’re moving to both strengthen and simplify the rules,” Ms O’Neil said, adding that last week’s Optus outage was another reminder that “nothing much works in the 2020s without reliable internet”.
“Telcos should be held to at least the same standards as other critical infrastructure. Our telcos must be prepared for major vulnerabilities, have risk management plans in place, and build backups to maintain essential services when things go wrong.”
Do you know more? Contact James Riley via Email.