The federal government is set to stand up a mandatory ransomware incident reporting regime for business as part of a suite of legislative reforms to crack down on cybercrime.
It will also introduce a suite of new offences for cyber extortion aimed at criminals who target critical infrastructure, as well as criminalise dealing in stolen data and the buying or selling of malware.
The new measures are part of a comprehensive ransomware action plan [pdf] released by the federal government on Wednesday aimed at countering the rise in ransomware incidents.
The number of ransomware cybercrime reports to the Australian Cyber Security Centre climbed 15 percent between 2019-20 and 2020-21, with incidents becoming increasingly high-profile.
The measures, planned for the “immediate and mid-term”, would be delivered through additional legislative reforms, and be supported by existing policy and operational response mechanisms.
A “specific mandatory ransomware incident reporting” regime is at the top of the government’s list, though the exact scope of the scheme is unclear in the plan itself.
Home Affairs Minister Karen Andrews said separately in a statement, however, that the reporting regime would apply to businesses with a turnover of $10 million or more per year.
She said the scheme – which appears to go further than Labor’s proposal – would enhance the government’s “understanding of the threat and enable better support to victims”.
It is not clear whether the ransomware reporting regime would extend to government agencies like Labor’s proposal does.
The government is also planning to introduce a “standalone offence for all forms of cyber extortion” to ensure criminals who use ransomware face increased maximum penalties.
A similar “standalone aggravated offence for cybercriminals seeking to target critical infrastructure” is planned as part of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The act of “dealing with stolen data obtained in the course of committing a separate offence” will similarly be criminalised, as will the buying and selling of malware.
Legislation will also be modernised to allow law enforcement to “track and seize or freeze” financial transactions in cryptocurrency.
The plan also clarifies the government’s position on ransomware, which is not to pay a ransom as there is no guarantee the lost information will be restored.
Home Affairs Minister Karen Andrews said the planned reforms would ensure that individuals and businesses, particularly critical infrastructure providers, are better protected from ransomware.
“Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country,” she said.
“Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses.
“That’s why the [government] is taking action to disrupt, pursue and prosecute cybercriminals.
“Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances.”
The government is now planning to consult with industry and the broader community on the reporting regime and new criminal offences.
Shadow Assistant Minister for Cyber Security Tim Watts welcomed the plan, which he said Labor has been calling for since February.
"Nine months later, and many major ransomware attacks later, we finally see some movement from the government to address this urgent threat," he said in a statement.
Watts added that with only a few Parliamentary sitting weeks left this year and the need for more consultation, it would be some time before the reforms come to pass.
"This looks like yet another announcement with no delivery from the [government]," he said.