The federal opposition has reintroduced its ransomware payments Bill, this time to the Senate after the Bill failed to get off the ground in the House of Representatives.
The Ransomware Payments Bill 2021, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment was made to a criminal organisation in response to a ransomware attack.
The Bill was originally introduced into the lower house in June by Shadow Assistant Minister for Cyber Security Tim Watts, but in a joint statement with Shadow Minister for Home Affairs Kristina Keneally, the pair said the government failed to bring it on for debate.
“Minister Andrews says cybersecurity and ransomware are one of her highest priorities, but we’ve seen little in the way of action to reduce the onslaught of attacks against Australian organisations by foreign cyber criminals,” the statement said. “That’s why Labor has been once again forced to show the leadership on cybersecurity that’s been missing since the election of this Prime Minister by introducing this Bill in the Senate.”
According to Watts, such a scheme would be a policy foundation for a “coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy, and offensive cyber operations”.
The ransom payment notification scheme created by the Bill, Watts said previously, would be the starting point for a comprehensive plan to tackle ransomware. It follows his party in February calling for a national ransomware strategy focused on reducing the number of such attacks on Australian targets.
The Bill would require large businesses and government entities that choose to make ransomware payments to notify the ACSC before they make the payment. Watts said such a move would allow Australia’s signals intelligence and law enforcement agencies to collect actionable intelligence on where this money goes so they could track and target the responsible criminal groups.
“And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks,” he added.
When asked about the Bill shortly after it was introduced, the Home Affairs Minister said she was open to exploring it.
“From the government’s perspective, we actually would like businesses to reach out, particularly to ACSC, in the event that they have a ransomware attack or they have other threats,” Andrews said.
“[ACSC] is very well placed to be able to support them, but they rely on, in many instances, on businesses reporting or contacting them directly.
“I’ve already had some discussions about mandatory reporting of ransomware attacks and my view at this stage is that there are a range of views about that — it’s very mixed in the response — what I want to do over the coming weeks is explore that much more fully.”
Backing Labor’s approach before the Parliamentary Joint Committee on Intelligence and Security in July, cybersecurity expert and former United States CISA chief Chris Krebs said it would be useful to compel providers to disclose cybersecurity incidents, including ransomware.
“Mandatory reporting for any ransomware victim before they make a payment,” he told the committee. “For ransomware, in particular, we do not know how big this problem is, in fact, probably the only people that know how big it is, are the criminals themselves. And they’re not apparently sharing that with us.
“We have to get to the denominator of ransomware attacks and the easiest way to do that is require ransomware victims to make a notification to the government. This is not yet in determination on whether paying ransom itself is illegal, I think that’s a separate conversation, but just at a minimum, if you’re going to be engaging with the transaction, with the ransomware group, that that needs to be notified.”