In mid-October 2021, Australia’s new Ransomware Action Plan was released by the Department of Home Affairs. The new plan announces the introduction of standalone criminal offences for people who use ransomware plus mandatory reporting requirements.
Legislation is to be introduced to implement the plan, which will be in addition to other planned cyber security laws.
According to the foreword by Minister Karen Andrews, the Ransomware Action Plan sets out the Government’s immediate strategic approach to tackling the threat posed by ransomware. It builds on the overarching cyber security architecture established by the 2016 and 2020 Cyber Security Strategies, and is designed around the framework of the National Strategy to Fight Transnational, Serious and Organised Crime.
The Plan confirms the Australian approach to ransomware: ‘Put simply – Australia takes a zero-tolerance approach to ransomware.’
Good to know.
So, what is included in the new Ransomware Action Plan?
The Plan will create a series of ransomware related criminal offences including offences for those who:
The new plan will also see government work to introduce additional legislative reforms that potentially allow law enforcement to track, seize or freeze ransomware gangs’ proceeds of crime.
To support the enforcement of these new cyber-crimes, the Australian Federal Police will get an additional 100 personnel to identify and target cybercriminals.
To help with the fight against cybercrime, the remit of the Australian Cyber Security Centre within the Australian Signals Directorate will also be expanded.
$6.1 million will be provided for support services through IDCARE to support Australians online, if they have been a victim of cybercrime (although this is part of the $1.67 billion previously allocated to the 2020 Cybersecurity Strategy).
The Plan outlines activities to disrupt and deter ransomware attacks, recognizing that many ransomware attacks come from overseas and that deterrence lies in international co-operation and disrupting payments. These initiatives include:
Alongside the new criminal offences, the plan will also roll out a new mandatory ransomware incident reporting regime. Under this regime, organisations with a turnover of over $10 million per year will be required to formally notify the government if they experience a cyber attack.
“The Ransomware Action Plan takes a decisive stance — the Australian Government does not condone ransom payments being made to cybercriminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk,” Minister for Home Affairs Karen Andrews said in the Plan’s foreword.
It is not clear whether the mandatory notification obligation is meant to dissuade payments or to put ‘sand in the gears’ (slowing down the decision-making process). It is also not clear who will be notified: possibly the ACSC, but at the moment this has not been specified.
The new Ransomware Action Plan makes no mention of the private member’s bill introduced to the House of Representatives on 21 June 2021 by Labor’s Tim Watts: the Ransomware Payments Bill 2021. That Bill also proposed a scheme requiring certain organisations to notify the Australian Cyber Security Centre (ACSC) if they make a ransomware payment.[1] We covered that proposal in a previous blog post.
The new measures to be introduced as part of the Ransomware Action Plan will be in new legislation. The obligations, including the mandatory reporting obligations, will not be included in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently being considered by Parliament.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 already contains provisions for mandatory reporting by organisations that suffer a cyber attack and provides more powers for government to take action against cyber attacks.
We have covered the Critical Infrastructure Bill in more detail in our previous blog.
The Ransomware Action Plan makes it very clear that the Australian Government’s policy is that it does not condone paying ransoms to cybercriminals. As stated, there is no guarantee that the payment will lead to your data being recovered, that the data won’t be on-sold, or that you will not be attacked again. No-one disagrees with this.
One wonders however if the threat of new criminal offences in Australia will effectively deter ransomware attacks, the vast majority of which come from overseas. Similarly, when businesses are faced with an existential threat from a ransomware attack, one wonders if the mandatory notification provision will be top of mind in their decision making.
The plan itself is somewhat light on detail.
It remains to be seen how this plan will be legislated, how different that might be from the existing bill before Parliament, and where this additional notification obligation sits alongside those already in force or under consideration.
November 2021