Ransomware Action Plan: Another new cyber security law for Australia?

In mid-October 2021, Australia’s new Ransomware Action Plan was released by the Department of Home Affairs. The plan announces the introduction of standalone criminal offences for people who use ransomware, plus mandatory reporting requirements.

Legislation is to be introduced to implement the plan, which will be in addition to other planned cyber security laws.

According to the foreword from Minister Karen Andrews, the Ransomware Action Plan sets out the Government’s immediate strategic approach to tackling the threat posed by ransomware. It builds on the overarching cyber security architecture established in the 2016 and 2020 Cyber Security Strategies, and is designed around the framework of the National Strategy to Fight Transnational, Serious and Organised Crime.

The Plan confirms the Australian approach to ransomware: ‘Put simply – Australia takes a zero-tolerance approach to ransomware.’

Good to know.

So, what is included in the new Ransomware Action Plan?

Ransomware Action Plan: New criminal offences

The Plan will create a series of ransomware related criminal offences including offences for those who:

  • Use ransomware to conduct cyber extortion;
  • Buy or sell malware for the purposes of undertaking computer crimes;
  • Target critical infrastructure with ransomware (which will be an aggravated criminal offence); and
  • Deal with stolen data knowingly obtained in the course of committing a separate criminal offence.

The plan will also see the Government work to introduce additional legislative reforms that would allow law enforcement to track, seize or freeze ransomware gangs’ proceeds of crime.

To support the enforcement of these new cybercrime offences, the Australian Federal Police will get an additional 100 personnel to identify and target cybercriminals.

To help with the fight against cybercrime, the remit of the Australian Cyber Security Centre within the Australian Signals Directorate will also be expanded.

$6.1 million will be provided to IDCARE for support services for Australians who have been victims of cybercrime (although this forms part of the $1.67 billion previously allocated under the 2020 Cyber Security Strategy).

The Plan outlines activities to disrupt and deter ransomware attacks, recognising that many ransomware attacks come from overseas and that deterrence lies in international co-operation and in disrupting payments. These initiatives include:

  • joint operations with international counterparts to strengthen shared capabilities to detect, investigate, disrupt and prosecute malicious cyber actors that engage in ransomware;
  • actively calling out states who support or provide safe havens to cybercriminals; and
  • tackling cryptocurrency transactions associated with the proceeds of ransomware crimes.

Ransomware Action Plan: Mandatory reporting of ransomware payments

Alongside the new criminal offences, the plan will also roll out a new mandatory ransomware incident reporting regime. Under this regime, organisations with a turnover of over $10 million per year will be required to formally notify the Government if they experience a ransomware incident.

“The Ransomware Action Plan takes a decisive stance — the Australian Government does not condone ransom payments being made to cybercriminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk,” Minister for Home Affairs Karen Andrews said in the Plan’s foreword.

It is not clear whether the mandatory notification obligation is meant to dissuade payments or simply to put ‘sand in the gears’ (slowing down the decision-making process). It is also not clear who will be notified. Possibly the ACSC, but at the moment this has not been specified.

The new Ransomware Action Plan makes no mention of the private members’ bill introduced to the House of Representatives on 21 June 2021 by Labor’s Tim Watts: the Ransomware Payments Bill 2021. That Bill also proposed a scheme requiring certain organisations to notify the Australian Cyber Security Centre (ACSC) if they make a ransomware payment.[1] We covered that proposal in a previous blog post.

Another new cyber security law?

The new measures to be introduced as part of the Ransomware Action Plan will be contained in new legislation. The obligations, including the mandatory reporting obligations, will not be included in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently being considered by Parliament.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 already contains provisions for mandatory reporting by organisations that suffer a cyber attack, and provides the Government with more powers to take action in response to cyber attacks.

We have covered the Critical Infrastructure Bill in more detail in our previous blog.

Conclusion

The Ransomware Action Plan makes it very clear that the Australian Government’s policy is that it does not condone paying ransoms to cybercriminals. As the Plan states, there is no guarantee that the payment will lead to your data being recovered, that the data won’t be on-sold, or that you will not be attacked again. No-one disagrees with this.

One wonders, however, whether the threat of new criminal offences in Australia will effectively deter ransomware attacks, the vast majority of which come from overseas. Similarly, when businesses are faced with an existential threat from a ransomware attack, one wonders whether the mandatory notification provision will be top of mind in their decision making.

The plan itself is somewhat light on detail.

It remains to be seen how this plan will be legislated, how different that legislation might be from the existing bill before Parliament, and where this additional notification obligation sits alongside those already in force or under consideration.

Ransomware Action Plan

November 2021