Labor has reintroduced legislation to the federal parliament that would create a mandatory ransomware notification scheme for business and government after the bill failed to progress the first time round.
Opposition whip senator Anne Urquhart on Thursday morning moved the Ransomware Payments Bill 2021 in the Senate on behalf of shadow home affairs minister senator Kristina Keneally.
If passed, the private member's bill would require businesses and government agencies to notify the Australian Cyber Security Centre (ACSC) before making a ransomware payment in response to a cyber attack.
Entities would be expected to disclose key details of the attack, including the attacker and their cryptocurrency wallet details, which the ACSC could then share with other entities in de-identified form.
The bill was first introduced in the House of Representatives by shadow assistant minister for cyber security Tim Watts in June, but it has not been debated in the two months since, despite the prevalence of ransomware attacks.
In a statement, shadow home affairs minister Kristina Keneally said Labor had reintroduced the bill in the Senate as the government has “failed to bring [the bill] on for debate” since it was introduced.
“[Home affairs minister Karen] Andrews says cyber security and ransomware are one of her highest priorities, but we’ve seen little in the way of action to reduce the onslaught of attacks,” she said.
“That’s why Labor has been once again forced to show the leadership on cyber security that’s been missing since the election of this prime minister by introducing this bill in the senate.”
Keneally said Labor would seek to work with the crossbench to secure support for the bill in the Senate.
Such a notification scheme comes recommended by US-based thinktank the Institute for Security and Technology and by former director of the US Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs.
Home Affairs minister Karen Andrews is reportedly “already exploring” a mandatory reporting scheme, but believes that any scheme should be preceded by awareness raising.
Home Affairs boss Mike Pezzullo first raised the prospect of mandatory reporting requirements for organisations that are attacked or extorted by cyber criminals at Senate estimates in May.
Last month, the government’s own Cyber Security Advisory Committee, chaired by Telstra CEO Andrew Penn, recommended a clearer policy position on ransomware payments be developed.
The committee also asked that the government review cyber insurance regimes to understand their efficacy in mitigating cyber attacks.