On 13 October 2021, the Minister for Home Affairs Karen Andrews announced the Ransomware Action Plan which is intended to support Australian individuals, businesses, and critical infrastructure.
The plan responds to significant public concern around rising losses to business and the community caused by malicious cyber extortion attacks and the worrying increase in financial and identity frauds perpetrated following ransomware attacks. It also provides key insights into the Australian Government’s wider cyber security objectives.
Under the plan, the government has committed to passing a mandatory ransomware incident reporting regime to enhance its understanding of the threat environment. This will capture organisations with a turnover over $10 million a year, with small business to be exempt.
The regime will also introduce a series of new criminal offences for all forms of cyber extortion, and a specific aggravated offence for cybercriminals seeking to target critical infrastructure. Further criminal offences will be added to capture the malicious action taken by attackers following data exfiltration, and acts taken to deprive a victim of their data, or publicly release a victim’s sensitive data. New provisions will also be created to criminalise the buying or selling of malware for the purposes of undertaking computer crimes.
The plan will also see the progression of legislation to uplift the security and resilience of Australia’s critical infrastructure and follows the recent announcement by the Parliamentary Joint Committee on Intelligence and Security which recommended that the Security Legislation Amendment (Critical Infrastructure) Bill 2020 be split into two separate bills. This split is intended to allow for the more urgent assistance, information gathering and intervention measures to pass quickly while other elements of the regulatory and compliance-related obligations be delayed allowing for greater industry consultation.
The plan is also aligned to the establishment of a new Australian Federal Police-led multi-agency operation targeting ransomware attacks, that will share intelligence directly with the Australian Cyber Security Centre as they utilise their disruptive capabilities offshore.
Finally, the plan will seek to modernise legislation to ensure that cybercriminals will not be able to realise and benefit from ill-gotten gains and allow law enforcement to better track and seize extortion cryptocurrency transactions.
There has been significant debate this year around the benefits of a ransomware reporting regime, with the federal opposition previously introducing a ransomware notification bill in June 2021. Proponents of the law have indicated it is critical for the government and cyber security agencies to have better visibility of ransom attacks against Australian organisations to develop a coordinated government response to the threat, to effectively protect the community and inform law enforcement.
Significant concerns have been expressed around the sensitivity of data which would be collected under the regime, and the need to ensure effective de-identification occurs before any reported incidents are incorporated into threat-sharing efforts or other policy objectives. The prescribed timelines for notification under the reporting regime will also attract significant interest, given the variety of other critical dilemmas that must also be managed during a cyber crisis.
While efforts taken to modernise how ransomware is addressed under Australia’s criminal laws is welcome, there remain real doubts as to whether these will be enforceable, given most ransomware attacks are perpetrated by malicious actors overseas. Criminal provisions will also need to be carefully drafted in light of supply chain and social engineering attacks, which result in acts of compromise appearing to come from an innocent, trusted third party.
Care will also need to be taken regarding laws targeting individuals dealing with stolen data obtained from third party compromises. If framed too widely, these provisions risk capturing the valuable work undertaken by risk researchers, as well the actions of cyber security firms who monitor and interact through the dark web with malicious actors for the purposes of information gathering.
In announcing the plan, the Minster also stressed that the Australian Government does not condone ransom payments to cyber criminals, saying there is no guarantee that hackers will restore information or preserve stolen data when the extortion payment is made. This may point to the most contentious issue arising from the plan which seems designed to create a cultural change and discourage compromised organisations from payment of cyber ransoms.
While there are reasonable policy reasons for the government to encourage this change in behaviour, the fact remains that malicious extortions are often the result of complex attack chains that deliberately remove any ability for the impacted organisation to recover through backups or technology processes. Particularly for smaller organisations, the decision to pay is often done solely because unless data is decrypted the organisation may be unable to continue as a going concern, due to the catastrophic impact of the loss of its IT environment. This, ultimately, is the moral and economic grey area with which the government and community at large will need to grapple as the plan is implemented.
It is possible that the element of the plan that will have the greatest impact will be the enhanced powers provided to law enforcement to track and seize extortion cryptocurrency transactions. As was seen in the Colonial Pipeline breach in the US, the ability for law enforcement to seize the digital wallets holding ransom payments collected by the malicious actor, provides a direct means to interfere with the financial motivation underpinning ransom attacks.
As with many things in cyber security, the devil will be in the detail and the compliance burden placed on organisations will ultimately turn on the specific of the legislative changes proposed.
Willis Towers Watson is uniquely placed to help our clients navigate the challenges caused by the changing cyber and regulatory environment. Our team is ready to assist you and early engagement with us will help your organisation enhance its cyber resilience and maximise the benefit of critical risk and insurance investments.
Anthony is a Senior Associate in our Cyber and Technology Risk Practice based in Melbourne. He manages large and complex cyber risks along with financial and executive risk placements for clients.
