Labor has called on the federal government to urgently support its legislation introducing a mandatory ransomware notification scheme which “lays the foundation” for enforcement actions against cyber attacks.
Shadow assistant minister for cyber security Tim Watts on Monday morning introduced a private members’ bill to the House of Representatives which would launch a scheme requiring organisations to notify the Australian Cyber Security Centre (ACSC) if they are planning to make a ransomware payment.
This information would then be used to inform Australian authorities and policymaking in the space.
The scheme would function in a similar way to the existing mandatory data breach notification scheme, which has been in place since early 2018.
The Coalition is already reportedly considering such a scheme, with Home Affairs secretary Mike Pezzullo saying he believes it is “likely” that it would be rolled out soon.
Speaking in Parliament, Mr Watts said the legislation would mark a first step in government action to combat the growing threat of ransomware attacks.
“With this bill, Labor is showing the political leadership on cyber security policy that has been missing since the election of this Prime Minister,” Mr Watts said.
“Such a scheme would be a policy foundation for a coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy and offensive cyber operations. There is an urgent need for this bill. Mandatory reporting of ransomware payments is far from a silver bullet for this national security problem but it’s an important first step.”
The Opposition said there is “no reason” for the government not to support the bill, and called on it to list the bill for debate “as a matter of priority” when Parliament returns in August.
The bill would establish a mandatory reporting requirement for Commonwealth entities, state or territory agencies, and corporations or partnerships that make a payment in response to a ransomware attack.
“This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups,” Mr Watts said.
“And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks. Importantly, it will give us a fuller picture of ransomware attacks in Australia and the scale of the threat.”
The legislation defines a ransomware attack as “when an unauthorised person accesses, modifies or impairs data and demands payment to repair or undo damage or prevent the publication of data”.
Small businesses with annual turnover under $10 million would be exempt from the scheme, as would sole traders, unincorporated entities and charities.
Covered entities would have to notify the ACSC of key details about the ransomware attack, the attacker and the payment to be made, including the cryptocurrency wallet details, the amount of the payment and the indicators of compromise.
Failure to notify the ACSC will result in a penalty under the new regime.
The information will be held by the ACSC and shared in a de-identified way with the private sector through the threat-sharing platform, and will also be used by law enforcement and to inform policy making and track the effectiveness of policy responses.
Mr Watts said Australia has reached a “crisis point” on ransomware attacks, pointing to several recent events, including this month’s attack on meat processor JBS, which eventually paid an $11 million ransom to the attackers.
These ransomware attacks are an “intolerable burden on Australian organisations” and represent a “significant national security threat”, Mr Watts said.
“The current trajectory of these attacks, and the traditional response to them – asking organisations to implement an ever-increasing uplift in cyber resilience – is inefficient and not sustainable,” he said.
Last week the federal government launched a new public awareness campaign around the threat of ransomware, centred mostly on what companies can do to protect from these attacks and make it harder for cyber criminals.
The government is also considering implementing a mandatory reporting scheme on ransomware, according to Mr Pezzullo, as an extension to the 2020 Cyber Security Strategy.
“I think we’re at a point, most advanced economies are at a point, where by some means, whether it’s mandatory reporting combined with other measures, that a much more active defence posturing is going to be required simply because of the prevalence of the attacks,” Mr Pezzullo said in a Senate Estimates hearing last month.