The federal government is actively considering implementing global cryptocurrency data-sharing rules and a mandatory ransomware notification scheme.
At appearances at Senate Estimates hearings this week, Department of Home Affairs representatives confirmed there is work being conducted behind the scenes to implement the global travel rule around cryptocurrency, which would require exchanges and digital wallets to store and pass on information about the customers following a transaction.
It was also confirmed that the government is looking at introducing a mandatory reporting scheme following a ransomware attack, similar to the data breach notification scheme, with Home Affairs secretary Mike Pezzullo saying it’s “likely” such a scheme will be introduced.
At an Estimates hearing on Tuesday, AUSTRAC CEO Nicole Rose said the introduction of the global travel rule in Australia would help the agency track the use of cryptocurrency for money-laundering.
The global travel rule, developed by the Financial Action Task Force, requires cryptocurrency exchanges and digital wallet providers handling crypto assets to obtain customer data, then disclose and transfer it to counterparts as part of a transaction.
Introducing such a requirement will require legislative changes, Ms Rose said.
“It’s a policy issue for the department but we can absolutely see the benefits to the development of intelligence. The Department is looking at a number of legislative changes to keep up with technological advancements in this space,” Ms Rose told the Senators.
“It gives us visibility of the payer and the payee primarily, which at the moment we don’t have.”
At an earlier Estimates hearing, Mr Pezzullo also confirmed that the government is looking at introducing a mandatory reporting scheme for companies and individuals impacted by ransomware cyber attacks.
“It’s currently considering that matter as an extension of the 2020 Cyber Security Strategy that was released last year. I’ve flagged with the Minister that it’s one of the issues I haven’t yet given her advice on that question and it’s something that I wish to consult with the director-general of the ASD, given the close working partnership that we necessarily need to have,” Mr Pezzullo said.
“I’m also in the process of consulting with law enforcement and other colleagues because of the need to balance the burden of reporting and the efficacy of that reporting. My inclination, and I’m not going to state it as an opinion, is that it’s likely a regime of that character will be proposed.
“I think we’re at a point, most advanced economies are at a point, where by some means, whether it’s mandatory reporting combined with other measures, that a much more active defence posturing is going to be required simply because of the prevalence of the attacks.”
This scheme will likely have the support of Labor, with shadow cybersecurity minister Tim Watts calling for the implementation of such a program last week.
This would be part of a “price of entry regulatory regime” around cybersecurity, Mr Watts said.
“The mandatory data breach legislation is about telling individuals their information has been compromised. I think we need a parallel regime that says if you’re going to make a ransomware payment, we’re not going to ban you from doing that but we are going to require that before doing that you call up the Australian Cyber Security Centre and we’re going to give you a standard form you have to fill out,” Mr Watts said.
The information collected would include who may be behind the ransomware attack, the cryptocurrency wallet used to receive the ransom payment and any evidence of a compromise.
“That’ll make sure that it is available to government, but that also through the system people can protect themselves too. If you move quickly enough there’s the possibility law enforcement could take action against cryptocurrency exchanges before the money is pulled out of them,” Mr Watts said.
“That’s the world we should be aiming to get to in terms of the law enforcement response.”