The federal opposition has introduced a Bill to Parliament that, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment is made to a criminal organisation in response to a ransomware attack.
The Ransomware Payments Bill 2021 was introduced in the House of Representatives on Monday by Shadow Assistant Minister for Cyber Security Tim Watts.
According to Watts, such a scheme would be a policy foundation for a “coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy, and offensive cyber operations”.
The ransom payment notification scheme created by the Bill, Watts said, would be the starting point for a comprehensive plan to tackle ransomware. It follows his party in February calling for a national ransomware strategy focused on reducing the number of such attacks on Australian targets.
At the time, Watts, alongside Shadow Minister for Home Affairs Kristina Keneally, declared that due to ransomware being the biggest threat facing Australia, it was time for a strategy to thwart it.
The Bill introduced by Watts would require large businesses and government entities that choose to make ransomware payments to notify the ACSC before they make the payment.
“This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups,” Watts said. “And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks.”
As laid out in the Bill’s explanatory memorandum [PDF], if an entity makes a ransomware payment, they must provide ACSC with their details, the details of the attacker, and information about the attack to the extent that it is known.
Information about the attack includes cryptocurrency wallet details, the amount of the payment, and indicators of compromise. Failure to notify the ACSC would attract a penalty.
The ACSC would be required to de-identify the information for the purpose of informing the public and private sector about the current threat environment and disclosing information to Commonwealth, state, or territory agencies for the purpose of law enforcement.
Under the Bill, it would be an offence to disclose personal information except for use by law enforcement.
“We should be clear … ransoms should not be paid. Ever,” Watts said. “Paying a ransom does not guarantee you’ll be able to quickly bring your systems back online or prevent further disruption, it does not guarantee your data won’t be leaked.
“What it does do is provide further resources to the criminal organisations mounting these attacks and create an incentivise for them to carry out more attacks.
“But where organisations feel compelled to make these payments, government should be involved.”
Using the claim that there has been a 200% increase in ransomware attacks on Australian organisations, Watts pointed to the likes of JBS Foods, UnitingCare Queensland, the Eastern Health hospital network in Victoria, Lion brewers, the NSW Labor Party, Toll logistics — which copped two attacks, Bluescope, PRP Diagnostics, Regis Healthcare, Law In Order, Carnegie Clean Energy, coffee roaster Segafredo Zanetti, and Taylors Wine as examples of why such a Bill is required.
JBS paid $11 million in ransom.
“Talking to the incident responders combatting this tidal wave of attacks, it’s clear to me that for every ransomware incident you read about in the papers, there are a dozen happening outside public view,” he told the House of Representatives. “These attacks are an intolerable burden on Australian organisations.”
According to Watts, the current trajectory of these attacks and the traditional response of asking organisations to implement an “ever-increasing uplift in cyber resilience” was inefficient and not sustainable.
“A hospital shouldn’t be forced to use more and more of its scarce resources fighting cybercriminals, it should be using its resources to make sick people better,” he said. “The boards and executive teams of our nation should be able to focus on making investments in its core business that create new jobs and increase shareholder returns, rather than constantly ratcheting cybersecurity investments.
“Tackling ransomware may begin with organisational security, but that is not the end of the conversation.
“Unfortunately, that’s the state of the policy response to ransomware under the Morrison Government — blaming the victims.”
The federal government in March provided advice on how to counter ransomware in Australia, encouraging the use of multifactor authentication and urging businesses to keep software up to date, archive data and back-up, build in security features to systems, and train employees on good cyber hygiene.
At the time, Watts called the ransomware paper a missed opportunity. To Watts, it’s not good enough to tell businesses to defend themselves by “locking their doors to cyber-criminal gangs”.
“Mandating reporting of ransom payments is far from a silver bullet for this national security problem, but it’s an important first step,” he said on Monday.