The federal government has been accused of blocking a Coalition bill that would introduce tougher penalties for ransomware gangs and give additional powers to authorities at a time when threats are continuing to grow.
Liberal MP Andrew Hastie on Monday revealed that the private members bill is unlikely to progress after being stonewalled by the Parliamentary committee tasked with referring proposed legislation for review.
The bill – a carbon copy of a former government bill that lapsed with the dissolution of Parliament in April – was introduced by shadow home affairs minister Karen Andrews in late September, just days after the Optus data breach was disclosed.
It forms part of the broader former Coalition government’s ransomware action plan, which also consists of a mandatory ransomware incident reporting scheme for large businesses, and is designed to deter ransomware gangs.
Under the reforms, cyber criminals would face up to 10 years jail for extorting a computer offence victim, regardless of whether they accessed, modified or impaired the data themselves. A penalty of up to 25 years jail would also be imposed if critical infrastructure was deliberately targeted.
The bill also proposed giving Australian Federal Police “clear legal authority” to involve and prosecute ransomware gangs operating offshore, and the ability to seize cryptocurrency and other digital assets involved in a ransomware incident.
While Labor supported the intentions of the action plan while in Opposition, it has been less forthcoming in government, with Mr Hastie criticising the government’s legislative response since May.
“A private members’ bill recently introduced by the opposition…would specifically reform criminal law and secure tougher penalties for all forms of cyber-extortion in the event of the exact cybersecurity issues we’ve been seeing,” he told Parliament.
“Disappointingly, in the week after we introduced the bill, Labor members on the Selection of Bills Committee blocked it from progressing for further evaluation, despite failing to provide any of their own legislation to deter cyber criminals.
“While Labor stalls on legislation the opposition is handing to them on a platter, Australians are continuing to fall victim to data breaches. I ask the government: what are they waiting for? The proof that the cyber domain is getting more dangerous is right in front of them in the ACSC report.”
Mr Hastie acknowledged that while the legislation is “not a silver bullet”, ensuring there are stronger penalties in place for cybercriminals that seek to use ransomware is a “helpful start”, particularly as attacks grow.
As shown by the Australian Cyber Security Centre in its annual threat report last week, ransomware remains the “most destructive cybercrime threat” facing the country, with 447 reports from victims last financial year.
“I’m calling on the Labor government to support the swift passage of the coalition’s bill, which increases penalties for a range of cybercrimes in order to give law enforcement, working in conjunction with our intelligence agencies, another tool to pursue cybercriminals,” he said.
Calls for the government to adopt the “ready to go” legislation came on the same day as Medibank revealed the full extent of last month’s ransomware attack, with the data more than 9.7 million current and former customers now believe to have been accessed.
The figure includes around 5.1 million Medibank customers, around 2.8 million customers of subsidiary ahm and around 1.8 million international customers. Data accessed includes names, dates of birth, addresses, phone numbers and email addresses.
Around 160,000 Medibank customers, around 300,000 ahm customers and around 200,000 international customers also had their health claims data accessed. All 2.8 million ahm customers also had their Medicare numbers accessed.
Medibank has ruled out paying any ransom demands for the theft of data and, as such, urged customers to “remain vigilant as the criminal may publish customer data online or attempt to contact customers directly”.
In a statement on Monday evening, Minister for Cyber Security Clare O’Neil said the government recognises the “urgent need to address the conditions that have allowed the two largest cyber attacks in hour history to occur within the space of two months”.
“The Australian government, after a wasted decade for digital reform, is stepping up on cyber security and ransomware,” she said, highlighting plans for a new cybersecurity strategy and a global ransomware taskforce to be led by Australia.
Do you know more? Contact James Riley via Email.