The government should establish a mandatory ransomware notification scheme similar to the existing data breach requirements, shadow cybersecurity spokesperson Tim Watts says.
Speaking on a webinar hosted by CyberCX chief strategy officer and former Australian Cyber Security Centre (ACSC) head Alastair MacGibbon, Mr Watts called on the federal government to play a bigger role in combating the growing threat of ransomware.
While not recommending that ransom payments to cyber attackers be made illegal, Mr Watts did say there should be a “price of entry regulatory regime” under which companies or individuals hit by a ransomware attack would have to report it to authorities before paying.
“The mandatory data breach legislation is about telling individuals their information has been compromised. I think we need a parallel regime that says if you’re going to make a ransomware payment, we’re not going to ban you from doing that but we are going to require that before doing that you call up the ACSC, and we’re going to give you a standard form you have to fill out,” Mr Watts said.
This form would capture actionable threat intelligence about the ransomware threat, including who may be behind it, the cryptocurrency wallet used to receive the ransom payment and the evidence of the compromise.
“That’ll make sure that it is available to government, but that also through the system people can protect themselves too. If you move quickly enough there’s the possibility law enforcement could take action against crypto-exchanges before the money is pulled out of them,” Mr Watts said.
“That’s the world we should be aiming to get to in terms of the law enforcement response.”
Earlier this year Labor released a discussion paper urging the federal government to launch a national ransomware strategy with an aim of making Australia a less attractive target for cyber attackers.
In March the government’s cyber advisory group released a ransomware report calling on Australian businesses to implement basic cybersecurity practices to mitigate the risk, but Mr Watts labelled this a “missed opportunity”.
The shadow cybersecurity minister said there needs to be a mindset change within Australian agencies and law enforcement to combat the “age of impunity” around ransomware attacks.
“Law enforcement is not doing enough. We’ve got some great talent within our law enforcement agencies but if you look at the institutional arrangements in Australia, the AFP have told us that in response to ransomware they’ll get involved only if it involves a Commonwealth entity, a piece of critical infrastructure or it is affecting the national economy,” Mr Watts said.
“We should be ambitious, we should want to be a part of those international posses that are going after these crews. I want us to be at the top of those press releases, I want to send a signal to these people that if you come after Australian organisations, we’re going to keep chasing you.”
These calls were backed by Mr MacGibbon, who said law enforcement should be looking to “throw sand in the gears of ransomware gangs” with an approach similar to its tactics against the international drugs trade.
“I’m critical of them in this space. I often think it’s not dissimilar to trying to disrupt the international drug trade, where police post people to the countries that are either transit countries or the nations that are the source of these drugs,” Mr MacGibbon said.
“Australian police post staff there in order to throw sand in the gears. We’re not trying to get rid of them but we’re trying to make it harder for them.”