The federal opposition has introduced a bill that would require businesses and government agencies to notify the Australian Cyber Security Centre before paying a ransomware gang.
Shadow Assistant Minister for Cyber Security Tim Watts introduced the private member’s bill in federal parliament on Monday following a spate of high-profile ransomware incidents that have resulted in payments being made.
ACSC advice is not to pay a ransom. “There is no guarantee paying the ransom will fix your devices,” the centre advises. “It can also make you vulnerable to future attacks.”
Watts cited more than a dozen attacks in the last 18 months, including those on meat processor JBS Foods (which forked out $14 million earlier this month), Nine Entertainment and UnitingCare Queensland.
Organisations often decline to answer questions about whether or not a payment was made.
The Ransomware Payments Bill 2021 would create a “ransomware payment notification scheme” that extends to corporations, all federal government entities and state and territory government agencies.
“It will require large businesses and government entities that choose to make ransomware payments to notify the ACSC before they make the payment,” Watts said, introducing the bill on Monday.
Entities would be required to disclose key details of the attack, including the attacker and their cryptocurrency wallet details, which the ACSC could then share in de-identified form through its threat sharing platform.
“This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups,” Watts said.
“And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks. Importantly, it will give us a fuller picture of ransomware attacks in Australia and the scale of the threat.”
Watts said that such a notification scheme was recommended in a report by the US-based think tank the Institute for Security and Technology, and by Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA).
“We should be clear at this point. Ransoms should not be paid. Ever,” Watts said.
“Paying a ransom does not guarantee you’ll be able to quickly bring your systems back online or prevent further disruption; it does not guarantee your data won’t be leaked.
“What it does do is provide further resources to the criminal organisations mounting these attacks and create an incentive for them to carry out more attacks.
“But where organisations feel compelled to make these payments, government should be involved.”
Watts said the bill, if passed, would act as a “policy foundation for a coordinated government response to the threat of ransomware” and the “starting point for… a comprehensive plan to tackle ransomware”.
Labor has been pushing for a national ransomware strategy since February to help reduce the frequency of attacks.
The government has so far resisted calls, though it has released a series of guides providing advice to businesses.
“Mandating reporting of ransom payments is far from a silver bullet for this national security problem, but it’s an important first step,” Watts said.
Watts added that the government had “gone missing when called on to act on the biggest cyber threat facing Australian organisations” at a time when the US government is stepping up, including by elevating ransomware investigations to a priority similar to that given to terrorism.
According to Home Affairs boss Mike Pezzullo, the government is currently weighing the merits of a mandatory reporting requirement on organisations that are attacked or extorted by cyber criminals, though it is not clear what form this will take.
Earlier this month, Australia’s spy agency chief Rachel Noble cited an unnamed company’s refusal to work with the government when responding to a cyber attack as evidence of the need for laws that would compel some form of cooperation.