On 13 October 2021, the Minister for Homes Affairs released the Australian Government's Ransomware Action Plan (Plan), which outlines a range of proposals intended to combat the threat of ransomware. This includes new notification obligations and criminal offences for cybercrimes.
The Plan identifies three overarching objectives:
- prepare for and prevent attacks by building cyber resilience;
- assist with the response to and recovery from attacks by providing greater support to victims;
- disrupt and deter cybercriminals by strengthening Australia's legislative framework and taking greater offensive action to increase the risk of capture for criminals.
The initiatives in the Plan are intended to assist Australian individuals, businesses and critical infrastructure, complement measures currently in place to improve cybersecurity and build on the 2020 Cyber Security Strategy.
The Key initiatives of the Plan include:
- raising public awareness around ransomware via various programs, campaigns and publications (including through the release of the Cyber Security Industry Advisory Committee's public paper Locked Out: Tackling Australia's ransomware threat)
- uplifting Australia's cyber security posture, including for critical infrastructure, through regulatory reforms;
- establishing "Operation Orcus", a multi-agency taskforce led by the Australian Federal Police targeting ransomware threats locally and overseas, which is described as "Australia's strongest response to the surging ransomware threat";
- improving the government's situational awareness of ransomware threats and providing advice for critical infrastructure, large businesses and small to medium enterprises on ransomware payments;
- introducing specific mandatory ransomware incident reporting for businesses with an annual turnover of more than $10 million to the Australian Government (we considered Labor's proposed Ransomware Payments Bill in a previous Limebite article);
- enacting legislative reform to ensure law enforcement agencies can investigate and seize ransomware payments, including cryptocurrency;
- legislating a stand-alone offence for all forms of cyber extortion;
- introducing stand-alone aggravated offences to hold cybercriminals accountable, with greater penalties where critical infrastructure is targeted (as proposed to be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020); and
- collaborating with states and territories to develop the next National Plan to Combat Cybercrime to build a stronger operational response to cybercrime harming Australia and Australians.
The Plan also highlights an intention to work with international counterparts to:
- coordinate international disruption efforts and strengthen shared capabilities to detect, investigate, disrupt and prosecute malicious cyber actors when engaging in ransomware;
- utilise the Australian Signals Directorate's offshore offensive cyber capabilities to disrupt foreign cybercriminals targeting Australian households and businesses; and
- actively call out states who support, facilitate or provide safe havens to cybercriminals.
The Australian Government has stated that it does not condone ransom payments and that any payment fuels the ransomware business model, putting other Australians at risk.
In this context, the initiatives in the Plan propose to crack down on ransomware to assist businesses. It will also place additional burden on entities to comply with more stringent cyber security and notification obligations, while navigating more extensive powers being afforded to regulatory agencies.
It is important that businesses stay abreast of any proposed reforms, as the devil will be in the detail. The scope and implications of any proposed reforms will need to be carefully considered.
A more difficult question, especially in the short to medium term, is how businesses, which can currently decide to pay a ransom as a last resort to remain in business, will fare if ransom payments are outlawed entirely.
If you need help to gauge or improve your cyber resilience, or to deal with a cyber incident, we can assist with a range of services and expertise. We also assist businesses identify their regulatory and contractual system and data security obligations.
The Ransomware Action Plan can be accessed here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.