The Morrison government has announced new criminal offences, tougher penalties and a mandatory reporting regime as part of a new and comprehensive Ransomware Action Plan.
The new plan is designed to better protect the community, businesses and critical infrastructure across Australia, with the aim of ensuring the economy is safeguarded from ransomware attacks, according to Minister for Home Affairs Karen Andrews.
“Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country.”
“Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses.”
“That’s why the Morrison government is taking action to disrupt, pursue and prosecute cyber criminals,” Minister Andrews said.
Under the Ransomware Action Plan the government will:
- Introduce a new stand-alone aggravated offence for all forms of cyber extortion to ensure that cyber criminals who use ransomware face increased maximum penalties, giving law enforcement a stronger basis for investigations and prosecution of ransomware criminals;
- Introduce a new stand-alone aggravated offence for cyber criminals seeking to target critical infrastructure. This will ensure cyber criminals targeting critical infrastructure face increased penalties, recognising the significant impact on assets that deliver essential services to Australians;
- Criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cyber criminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties;
- Criminalise the buying or selling of malware for the purposes of undertaking computer crimes; and
- Modernise legislation to ensure that cyber criminals won’t be able to realise and benefit from their ill-gotten gains, and law enforcement can better track and seize or freeze cyber criminals’ financial transactions in cryptocurrency.
The government will also develop a mandatory ransomware incident reporting regime to enhance understanding of the threat and enable better support for victims of ransomware attacks. It will be designed to benefit, not burden, small businesses: businesses with an annual turnover above $10 million are expected to be subject to the regime.
The plan also makes clear that the Australian government does not condone ransom payments to cyber criminals.
There is no guarantee that attackers will restore information, stop their attacks, or refrain from leaking or selling stolen data. Those impacted by ransomware attacks should visit cyber.gov.au for advice.
The plan follows the establishment of a new Australian Federal Police-led multi-agency operation, which targets ransomware attacks linked directly to sophisticated organised crime groups operating in Australia and overseas, and shares intelligence directly with the Australian Cyber Security Centre as it uses its disruptive capabilities offshore.
“Our tough new laws will target this online criminality and hit cyber crooks where it hurts most – their bank balances,” Minister Andrews added.
“The release of the Ransomware Action Plan is the latest in a long list of developments that have been rolled out since the government’s $1.67 billion Cyber Security Strategy commenced in August last year. It builds on the Morrison government’s strong track record fighting cyber crime,” Minister Andrews concluded.
While the new action plan is a step in the right direction, Margrith Appleby, general manager of Kaspersky Australia and New Zealand, has suggested the mandate should be set by business type, not revenue.
“There is absolutely a place for government support in the fight against ransomware, however we need to understand the full advantage of mandating ransomware reporting for all businesses with $10m annual turnover to ensure this doesn’t cause additional administration and compliance pressures for thousands of businesses.”
“Setting the reporting mandate by business type or industry, rather than revenue size, may be the right move.”
“For example, if an industrial or supply chain organisation is attacked, it can have an enormous impact on our essential services such as access to electricity, water or fuel supply – this is where government can assist responsibly to ensure such organisations report a ransomware attack,” Appleby said.
According to Nick Lennon, country manager, Mimecast ANZ, prevention programs for SMBs should be seen as similar to healthcare.
“Looking at this as an SMB Cyber Health Program, there is a huge opportunity here for a partnership between the private, public and tertiary sectors to offer a service that is free for the first period of engagement.”
“This will allow SMBs to have their cyber health diagnosed, gaps identified, and measures put in place for them to achieve a certain standard of SMB cyber health without having to make an upfront investment,” Lennon added.
The increased penalties for cyber criminals targeting critical infrastructure outlined in the new Ransomware Action Plan have been welcomed by interested stakeholders, with the government now aiming to consult further with the community and industry on the mandatory reporting regime and new criminal offences.
“I believe our focus should be on assisting business in both prevention and detection of such attacks and providing them with the tools in which to respond appropriately,” Minister Andrews concluded.
The Ransomware Action Plan is available on the Department of Home Affairs website.
Nastasha is a journalist at Momentum Media; she reports extensively across veterans’ issues, cyber security and geopolitics in the Indo-Pacific. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! 7 and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. She started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.