Australia targets ransomware with new national plan

The Australian government has signalled it is stepping up its efforts to counter ransomware, announcing its newRansomware Action Plan and comes as US President Joe Biden’s administration hosts its virtual ransomware summit, encouraging international cooperation.

This new national plan brings together legislative reforms through new, specific offences and by refreshing existing laws with a practical policy and operational response through task forces, business education, joining international joint policing operations, and even a provision to call out those who support or provide safe havens to cybercriminals.

The minister for Home Affairs, Karen Andrews, said the government intends to take action to disrupt, pursue, and prosecute cybercriminals across the board. The plan has been broadly welcomed by industry and academics speaking to CSO Australia, but they also point to some inconsistencies, more detail needed, and the real challenge of Australian law enforcement agencies unable to investigate outsider their jurisdictions.

All agree that the potential harm from ransomware is significant and widespread. “It goes much further than the targeted company and their customers. It has a knock-on effect, especially where there is a direct or indirect implication for critical infrastructure and public service. We have entered the digital age where any national defence strategy includes cyberattack and defence as a critical component,” said Dan Halpin, managing director of cyber intelligence firm Cybertrace, who summed up the view of many.

Countries are facing a global rise in ransomware attacks that has seen a 15% increase in incidents reported to the Australian Cyber Security Centre (ACSC). Globally, “ransomware payments reached more than US$400 million globally in 2020, and topped US$81 million in the first quarter of 2021,” the US government has reported.

The Ransomware Action Plan in detail

The Ransomware Action Plan includes new criminal offences, tougher penalties, a mandatory reporting regime, and new laws to limit cybercriminals turning to cryptocurrency to use the proceeds of their crimes.

New measures for a standalone aggravated offence for all forms of cyberextortion are set to come, and will include increased maximum penalties, giving policing agencies a stronger basis for investigations, and prosecution of ransomware criminals.

Additionally, a new standalone aggravated offence for cybercriminals seeking to target critical infrastructure; they will face increased penalties, recognising the significant impact on assets that deliver essential services to Australians. Again, most cybersecurity experts agree that critical infrastructure needs special provisions, including a focus on more stringent privacy regulations, said Gergana Winzer, Unisys’s industry director of cybersecurity for Asia-Pacific.

“There needs to be a yearly review of the controls currently in place within critical infrastructure providers and aim to achieve a higher maturity levels. It’s a process, and we have to fall in love with the journey as there isn’t a silver bullet. This plan is a step in the right direction,” she said.

While Winzer welcomed the new legislation and regulation as steps in the right direction, it’s still paying catchup to the bad actors and cybercriminals. “We have to learn to move faster.”

There are provisions to criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, intended to ensure that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties.

The plan also brings in penalties that criminalise the buying or selling of malware for the purposes of undertaking computer crimes. Legislation will be updated to try to prevent cybercriminals from using the proceeds of their crimes and to help law enforcement better track and seize or freeze cybercriminals’ financial transactions in cryptocurrency.

Questions on the mandatory ransomware reporting regime

As part of this plan, the government will also develop a mandatory ransomware incident reporting regime to enhance its understanding of the threat and enable better support to victims of ransomware attacks. It will only apply businesses with a turnover of more than $10 million per year to avoid creating additional burdens on small businesses. The Australian government has been moving to a mandatory reporting scheme for much of 2021.

While reporting ransomware attacks is an important first step in assessing the true extent of the problem and broadly welcomed by industry, CSO Australia has found that some people question if it goes far enough. How exactly the reporting system will work and whether the insurance industry will need to be consulted on what exactly will be covered are two open questions, said Nick Lennon, cloud cybersecurity provider Mimecast’s country manager for ANZ.

In particular, Lennon points out that, according to ABS data, the $10 million threshold only captures less than 2% of businesses. “As such, how will this new plan capture ransomware attacks on every other business? In the current climate, it’s a bit like vaccinating only 2% of the population against the COVID-19 pandemic. It’s a start, but we wouldn’t feel very safe or protected against the ongoing threat,” he told CSO Australia.

The move to set the bar at $10 million rather than $3 million as it is with the Privacy Act has surprised some in the industry because it makes the regimes inconsistent and may not send a strong-enough signal to smaller enterprises to strengthen their defences. “Keeping this level consistent would help provide clarity for Australian businesses and will also help encourage a far larger segment of the business community to prepare against the ransomware threat,” said Darren Hopkins, a partner at advisory firm McGrathNicol.

“It is also unclear if the notifications will apply to government and not just businesses. Ultimately, Australian businesses need a clearer indication of what their obligations will be and what best practice looks like before they can get behind these efforts,” he said.

Hopkins said many people across the business landscape are looking for more clarity on what businesses’ obligations will be; for example, whether a report must be made if an attack occurs or whether a ransom is paid. “It is also unclear whether notifications will be listed publicly and which government organisation will oversee this or have access to the information. Keeping notifications private, as in the OAIC notifiable breaches scheme, would be advisable,” he said.

The nature of public reporting may actually be seem by some as punishing the victim rather than the criminals, said Paul Haskell-Dowland, associate dean for Computing and Security at Edith Cowan University. “Cybercrime is now high-profile and organisations are concerned over the impact on reputation,” he said.

Haskell-Dowland also sees gaps created in the system. “It may be desirable to widen the scope and consider the impact as well as the turnover—a small company impacted by ransomware can lead to knock-on consequences through supply-chain attacks,” he said.

Putting a stop to ransom payments

In line with other governments like the US , this new plan makes clear the Australian government will not condone ransom payments to cybercriminals. The government has stressed that there is no guarantee hackers will restore information, stop their attacks, and not leak or sell stolen data when paid a ransom. It said those affected by ransomware attacks should visit cyber.gov.au for advice.

However, while no business ever wants to pay a ransom, there are times when they will. Some people in the industry are concerned that the government’s no-payments stance may leave victims with little room to move. “Victims would only [pay] if they feel they have to so they can keep their business alive so we don’t need the government to be heavy-handed,” said Greg Clarkson, CEO of IT consultancy Network Overdrive, who works alongside in former US military chiefs in developing systems to combat ransomware.

“I understand the insurance providers are extremely worried about businesses paying ransomware, but there are other things governments can do to reduce the cost to insurance providers,” Clarkson told CSO Australia. “The government should be devising strategies to either prevent these attacks in the first place or assist victims through the process,” he said.

Cybertrace’s Halpin said ransomware payments are in cryptocurrencies, making ransomware extortion a crypto-enabled crime. Australia is severely lacking in a system to deal with this element of ransomware, he said. “The Australian model for investigation and progression of cybercrime is broken, and it actively promotes the targeting of Australians by cybercriminals. This is especially the case for cryptocurrency-dependent and -enabled crime.”

National coordinated ransomware response needed

The government said the ransomware issue warrants a national response. To achieve this, it will need to work closely with its state and territory counterparts, as well as with industry stakeholders, to put this plan into action and avoid duplicating existing cybersecurity initiatives across the economy.

This latest plan comes after the recent establishment of an Australian Federal Police-led multi-agency group to target ransomware attacks linked to organised crime operating in Australia and overseas. This cross-agency ransomware task force also shares intelligence directly with the Australian Cyber Security Centre to use their disruptive capabilities offshore.

These initiatives are part of the Australian government’s 10-year $1.7 billion Cyber Security Strategy that started in 2020. The government will now also start further industry and stakeholder consultation on the mandatory reporting regime and new criminal offences.

However, Edith Cowan’s Haskell-Dowland said that while introducing new offences will help the legal processes and courts by clearly defined certain crimes, it doesn’t address the global nature of cybercrime. “Stricter processes in Australia will not help when the criminals behind the incident are located outside of Australian jurisdiction,” he said.

It’s the same with national penalties on misuse of data and dealing in malware that are global rather than national transactions. “This may help deter home-grown criminals, but will do little for the global landscape,” Haskell-Dowland said.

“Concerted, global cooperation is needed to address cybercrime—in particular addressing the challenges of jurisdiction,” he said. That’s something the US government’s 30-country summit wants to kickstart, although with the notable absence of Russia.