New regime: Mandatory reporting of ransomware incidents
Joseph Brookes
Senior Reporter

The federal government will introduce tougher penalties for ransomware criminals and a mandatory incident reporting scheme for large businesses that suffer an attack under a new ransomware action plan released Wednesday.

The plan follows a series of high-profile ransomware attacks and warnings the risks to local companies had been growing in an Australian policy vacuum.

It also clarifies the Australian government’s position that it does not condone ransomware payments.

Karen Andrews launched the Ransomware Action Plan

Labor welcomed the new ransomware strategy, which it had called for since February. The Opposition had introduced its own bill in June to establish a reporting scheme for businesses planning to make a ransomware payment.

Home Affairs Minister Karen Andrews launched the government’s Ransomware Action Plan on Wednesday.

“Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country,” Mrs Andrews said. “Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses.

“That’s why the Morrison Government is taking action to disrupt, pursue and prosecute cybercriminals. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances.”

Under the plan, which is still subject to industry consultation, Australian businesses with turnover of $10 million or more will be required to report ransomware attacks to the government.

According to the 10-page action plan, future legislative reforms would specifically mandate ransomware incident reporting to the Australian Government, but little detail was provided.

The government said the reporting regime would be used to better understand the ransomware threat and enable better support to victims of ransomware attacks.

Ransomware attacks were on the rise in Australia, up 15 per cent in the last year, according to the national cyber agency, which now describes the extortion tactic as the “most serious cybercrime threat” in Australia.

The government resisted calls for a formal ransomware strategy earlier this year under pressure from the Opposition as attacks disrupted businesses and services.

The Australian Signals Directorate has been frustrated that major companies hit by ransomware had not notified it of the attack and, in some instances, had refused to cooperate with the spy agency after the breach. Home Affairs has been actively exploring a notification scheme for several months.

But until recently the government had focused on awareness and knowledge sharing with global allies.

Pressure continued this year as experts warned Australia had become a “soft target” for ransomware gangs in the absence of dedicated ransomware policy.

A multi-agency ransomware taskforce was established by the government in July to go on the offensive against ransomware gangs.

Much of the new plan needs to be legislated and with consultation still to come – and only a few sitting weeks remaining this year – it is unclear if the government will be able to establish the reporting scheme before the looming federal election.

Labor has called for a ransomware strategy since February, and in June shadow assistant minister for cyber security Tim Watts introduced a private member’s bill which would have established a mandatory ransomware notification scheme for businesses intending to make a payment.

The bill would have also laid “the foundation” for enforcement actions, according to Mr Watts, but it was never brought on for debate by the government.

“Nine months since those first calls, and many major ransomware attacks later, it’s good to finally see some movement from the government to address this urgent threat,” Mr Watts said Wednesday in a joint statement with shadow minister for Home Affairs Kristina Keneally.

“But it’s always too little, too late from this government. It’s failed to act for months despite an onslaught of attacks against Australian organisations this year including multiple health and hospital networks, the Nine network, and JBS Meats, our biggest meat supplier.

“Instead, it’s simply blamed the victims, telling businesses it’s up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals.”

Labor said it would examine the details of the plan closely, but is worried the tight timeframe means it ultimately becomes “another announcement with no delivery.”

In addition to the mandatory reporting scheme, the ransomware plan promises the introduction of new standalone aggravated offences for all forms of cyber extortion, and for when cyber criminals target critical infrastructure.

Knowingly dealing with stolen data obtained in the course of committing a separate criminal offence, and buying or selling malware for the purpose of undertaking computer crimes, will also both be criminalised to increase the potential penalties for those offences.

Tasmanian Liberal Senator Eric Abetz, who is chair of the Senate’s Foreign Affairs, Defence and Trade Committee and a member of the Parliamentary Intelligence and Security Committee, backed the plan and said the reporting scheme would be a useful tool for cyber and security agencies.

“At a time when our critical infrastructure is a growing target, the new mandatory reporting mechanism will be an important tool so we can better understand and prevent ransomware, for example, in the case of the logistics company Toll which suffered two major ransomware attacks from foreign actors last year.”
