The Australian government has signalled it is stepping up its efforts to counter ransomware, announcing its new Ransomware Action Plan as US President Joe Biden’s administration hosts its virtual ransomware summit to encourage international cooperation.

This new national plan brings together legislative reforms, through new, specific offences and by refreshing existing laws, with a practical policy and operational response through task forces, business education, participation in international joint policing operations, and even a provision to call out those who support or provide safe havens to cybercriminals.

The minister for Home Affairs, Karen Andrews, said the government intends to take action to disrupt, pursue, and prosecute cybercriminals across the board. The plan has been broadly welcomed by industry and academics speaking to CSO Australia, but they also point to some inconsistencies, the need for more detail, and the real challenge that Australian law enforcement agencies are unable to investigate outside their jurisdictions.

All agree that the potential harm from ransomware is significant and widespread. “It goes much further than the targeted company and their customers. It has a knock-on effect, especially where there is a direct or indirect implication for critical infrastructure and public service. We have entered the digital age where any national defence strategy includes cyberattack and defence as a critical component,” said Dan Halpin, managing director of cyber intelligence firm Cybertrace, who summed up the view of many.

Countries are facing a global rise in ransomware attacks that has seen a 15% increase in incidents reported to the Australian Cyber Security Centre (ACSC). The US government has reported that “ransomware payments reached more than US$400 million globally in 2020, and topped US$81 million in the first quarter of 2021.”

The Ransomware Action Plan in detail

The Ransomware Action Plan includes new criminal offences, tougher penalties, a mandatory reporting regime, and new laws to limit cybercriminals turning to cryptocurrency to use the proceeds of their crimes.

A new standalone aggravated offence for all forms of cyberextortion is set to come, with increased maximum penalties, giving policing agencies a stronger basis for investigating and prosecuting ransomware criminals.

Additionally, a new standalone aggravated offence will apply to cybercriminals seeking to target critical infrastructure; they will face increased penalties, recognising the significant impact on assets that deliver essential services to Australians. Again, most cybersecurity experts agree that critical infrastructure needs special provisions, including a focus on more stringent privacy regulations, said Gergana Winzer, Unisys’s industry director of cybersecurity for Asia-Pacific.

“There needs to be a yearly review of the controls currently in place within critical infrastructure providers and an aim to achieve higher maturity levels. It’s a process, and we have to fall in love with the journey as there isn’t a silver bullet. This plan is a step in the right direction,” she said.

While Winzer welcomed the new legislation and regulation as steps in the right direction, legislation is still playing catch-up to the bad actors and cybercriminals. “We have to learn to move faster.”

There are provisions to criminalise knowingly dealing with stolen data obtained in the course of committing a separate criminal offence, intended to ensure that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties.

The plan also brings in penalties that criminalise the buying or selling of malware for the purposes of undertaking computer crimes. Legislation will be updated to try to prevent cybercriminals from using the proceeds of their crimes and to help law enforcement better track and seize or freeze cybercriminals’ financial transactions in cryptocurrency.

Questions on the mandatory ransomware reporting regime

As part of this plan, the government will also develop a mandatory ransomware incident reporting regime to enhance its understanding of the threat and enable better support to victims of ransomware attacks. It will apply only to businesses with a turnover of more than $10 million per year, to avoid creating additional burdens on small businesses. The Australian government has been moving towards a mandatory reporting scheme for much of 2021.

While reporting ransomware attacks is an important first step in assessing the true extent of the problem and is broadly welcomed by industry, CSO Australia has found that some people question whether it goes far enough. How exactly the reporting system will work and whether the insurance industry will need to be consulted on what exactly will be covered are two open questions, said Nick Lennon, cloud cybersecurity provider Mimecast’s country manager for ANZ.

In particular, Lennon points out that, according to ABS data, the $10 million threshold captures less than 2% of businesses. “As such, how will this new plan capture ransomware attacks on every other business? In the current climate, it’s a bit like vaccinating only 2% of the population against the COVID-19 pandemic. It’s a start, but we wouldn’t feel very safe or protected against the ongoing threat,” he told CSO Australia.

The move to set the bar at $10 million rather than $3 million, as it is with the Privacy Act, has surprised some in the industry because it makes the regimes inconsistent and may not send a strong enough signal to smaller enterprises to strengthen their defences. “Keeping this level consistent would help provide clarity for Australian businesses and will also help encourage a far larger segment of the business community to prepare against the ransomware threat,” said Darren Hopkins, a partner at advisory firm McGrathNicol.

“It is also unclear if the notifications will apply to government and not just businesses. Ultimately, Australian businesses need a clearer indication of what their obligations will be and what best practice looks like before they can get behind these efforts,” he said.

Hopkins said many people across the business landscape are looking for more clarity on what businesses’ obligations will be; for example, whether a report must be made when an attack occurs or when a ransom is paid. “It is also unclear whether notifications will be listed publicly and which government organisation will oversee this or have access to the information. Keeping notifications private, as in the OAIC notifiable breaches scheme, would be advisable,” he said.

Public reporting may actually be seen by some as punishing the victim rather than the criminals, said Paul Haskell-Dowland, associate dean for Computing and Security at Edith Cowan University. “Cybercrime is now high-profile and organisations are concerned over the impact on reputation,” he said.

Haskell-Dowland also sees gaps created in the system. “It may be desirable to widen the scope and consider the impact as well as the turnover—a small company impacted by ransomware can lead to knock-on consequences through supply-chain attacks,” he said.

Putting a stop to ransom payments

In line with other governments such as the US, this new plan makes clear the Australian government will not condone ransom payments to cybercriminals. The government has stressed that there is no guarantee hackers will restore information, stop their attacks, or refrain from leaking or selling stolen data when paid a ransom. It said those affected by ransomware attacks should visit cyber.gov.au for advice.

However, while no business ever wants to pay a ransom, there are times when they will. Some people in the industry are concerned that the government’s no-payments stance may leave victims with little room to move. “Victims would only [pay] if they feel they have to so they can keep their business alive, so we don’t need the government to be heavy-handed,” said Greg Clarkson, CEO of IT consultancy Network Overdrive, who works alongside former US military chiefs in developing systems to combat ransomware.

“I understand the insurance providers are extremely worried about businesses paying ransomware, but there are other things governments can do to reduce the cost to insurance providers,” Clarkson told CSO Australia. “The government should be devising strategies to either prevent these attacks in the first place or assist victims through the process,” he said.

Cybertrace’s Halpin said ransomware payments are made in cryptocurrencies, making ransomware extortion a crypto-enabled crime. Australia is severely lacking a system to deal with this element of ransomware, he said. “The Australian model for investigation and progression of cybercrime is broken, and it actively promotes the targeting of Australians by cybercriminals. This is especially the case for cryptocurrency-dependent and -enabled crime.”

National coordinated ransomware response needed

The government said the ransomware issue warrants a national response. To achieve this, it will need to work closely with its state and territory counterparts, as well as with industry stakeholders, to put this plan into action and avoid duplicating existing cybersecurity initiatives across the economy.

This latest plan comes after the recent establishment of an Australian Federal Police-led multi-agency group to target ransomware attacks linked to organised crime operating in Australia and overseas. This cross-agency ransomware task force also shares intelligence directly with the Australian Cyber Security Centre so that it can use its disruptive capabilities offshore.

These initiatives are part of the Australian government’s 10-year, $1.7 billion Cyber Security Strategy that started in 2020. The government will now also start further industry and stakeholder consultation on the mandatory reporting regime and new criminal offences.

However, Edith Cowan’s Haskell-Dowland said that while introducing new offences will help the legal processes and courts by clearly defining certain crimes, it doesn’t address the global nature of cybercrime. “Stricter processes in Australia will not help when the criminals behind the incident are located outside of Australian jurisdiction,” he said.

It’s the same with national penalties on misuse of data and dealing in malware, which are global rather than national transactions. “This may help deter home-grown criminals, but will do little for the global landscape,” Haskell-Dowland said.

“Concerted, global cooperation is needed to address cybercrime—in particular addressing the challenges of jurisdiction,” he said. That’s something the US government’s 30-country summit wants to kickstart, although with the notable absence of Russia.