Key issue
The ransomware threat is the most serious cybercrime threat to Australia, creating significant risks for governments, businesses and individuals. During the 46th Parliament, both major parties released their respective strategies and introduced relevant law reforms to tackle this threat. The 47th Parliament is likely to see continued legislative and policy action to address the problem, given the evolving nature of ransomware, the cost inflicted on its victims, and the practical difficulties involved in combating it. In particular, law enforcement agencies and businesses alike face shortages of qualified staff, while investigation and prosecution of offenders, who can be based anywhere in the world, can have low prospects of success.
Cybercrime takes many forms, including identity crime, computer hacking, phishing,
botnet activity, computer-facilitated crime, and cyber intrusion directed at
private and national infrastructure. However, in 2021, the Australian Cyber
Security Centre (ACSC) labelled ransomware as the most serious of the cybercrime threats to Australia due to its high
financial impact and other disruptive impacts to victims and the broader
community (p. 16).
Ransomware is malicious software that threat actors deploy, after finding
vulnerabilities in the IT systems of individuals or organisations, to deny
them access to their files or devices (by locking up, encrypting or
exfiltrating data) until a ransom is paid. If a ransom demand is not met
within the designated timeframe, the threat actors may sell, publish or
delete the exfiltrated data. This makes the threat of ransomware attacks both a
national security and a personal privacy issue.
The Morrison Government introduced a number of policy
and law reform initiatives during the latter part of the 46th Parliament, some
of which lapsed on prorogation. The Albanese Government’s appointment of the first
dedicated Minister for Cyber Security, and its commitment to a ransomware
strategy while in Opposition, suggest that this issue may again be on the
agenda in the early months of the new Parliament.
Recent trends
The 2022
Verizon data breach investigations report found that the number of
ransomware attacks worldwide increased by 13% over 2020–21, which represented a
larger increase than the past 5 years combined (p. 7). Meanwhile, CrowdStrike
Intelligence, apparently using a different methodology, observed an 82%
increase in ‘ransomware-related data leaks’ from 1,474 instances in 2020 to 2,686
instances in 2021.
According to a survey
conducted by Sophos, 66% of organisations worldwide were affected by
ransomware attacks in 2021, which was up from 37% in 2020 and represented a 78%
increase over a year (p. 3). This trend suggested that threat actors had become
more adept at executing the most significant attacks at scale and likely reflected
that the Ransomware-as-a-Service (RaaS) model was gaining traction (p. 3). With
ransomware having evolved into a subscription service, the RaaS
model allows ordinary criminals to purchase ransomware from skilled ransomware
developers and conduct attacks without significant technical expertise.
Consistent with these global trends, ransomware
attacks have also proliferated in Australia. The ACSC received almost
500 ransomware-related cybercrime reports in the 2020–21 financial year,
which represented an increase of nearly 15% on the previous financial year. The
ACSC attributed this increase to threat actors being more willing to extort
money from particularly vulnerable and critical elements of society. Australia’s
health sector has been a major target of ransomware attacks during the
COVID-19 pandemic, as threat actors take advantage of the perceived willingness
of health service providers to pay ransoms due to the health and safety risks to
their patients.
Further, Cybersecurity
Ventures predicted 5 years ago that the global cost of ransomware would be US$20 billion in 2021
and expects that number to increase to US$265 billion annually by 2031. In
Australia, it has been said that ransomware incidents cost the Australian
economy as much as $2.59
billion annually, with organisations reportedly paying on average $250,000
per incident.
Coalition Government’s Ransomware Action Plan
In October 2021, the Morrison Government published its Ransomware action plan
(RAP), which outlined its strategic approach to combating the threat posed by
ransomware. The RAP stated that the Morrison Government would:
- introduce a mandatory ransomware incident reporting scheme to the
Australian Government
- introduce a new stand-alone offence for all forms of cyber extortion
- introduce a new stand-alone aggravated offence for cybercriminals
seeking to target critical infrastructure (proposed in the Security
Legislation Amendment (Critical Infrastructure) Bill 2020 [2021])
- modernise legislation to ensure that cybercriminals can be
prosecuted, and that law enforcement can track, seize or freeze their illegal
profits.
Home Affairs Minister Karen Andrews also announced
in a related media release that as part of the RAP, the Morrison Government
would criminalise the act of dealing with stolen data knowingly obtained in the
course of committing a separate criminal offence, as well as the buying or
selling of malware to commit computer crimes.
The RAP also proposed a range of policy and
operational responses to the ransomware threat including:
- establishing the multi-agency taskforce, Operation Orcus, led by the
Australian Federal Police to combat the ransomware threat
- awareness training and clear advice for critical infrastructure,
large businesses and small to medium enterprises on ransomware payments
- joint operations with international counterparts to strengthen
shared capabilities to detect, investigate, disrupt and prosecute malicious
cyber actors who engage in ransomware
- actively calling out states that support or provide safe havens to
cybercriminals.
To implement some of the law reforms proposed in
the RAP, in February 2022 the Morrison Government introduced the Crimes
Legislation Amendment (Ransomware Action Plan) Bill 2022 (the Coalition’s
2022 Bill). The Bill did not introduce a mandatory ransomware incident reporting
scheme as proposed in the RAP. It lapsed on prorogation of the 46th Parliament.
Labor’s National Ransomware Strategy discussion paper
In February 2021 the Labor Party in Opposition released a
discussion paper calling for a National
Ransomware Strategy (NRS) to reduce the attractiveness of Australian
targets to cybercriminals (p. 6). It envisaged that the strategy would contain a
range of initiatives to increase the costs of mounting campaigns against
Australian entities and to reduce the returns realised from such campaigns by (pp.
8–19):
- closing the ‘cyber enforcement gap’ by:
  - bolstering cybercrime data collection and publication to better inform
policymakers and the public of the scale of the ransomware threat and the
effectiveness of the law enforcement response in Australia
  - pushing for greater diplomatic and international cooperation to target
ransomware threat actors. This would include aggressive participation in
joint international law enforcement operations and regional cooperation in
the Indo-Pacific to prevent the emergence of new countries that play host to
ransomware affiliates (who pay for access to RaaS platforms from ransomware
developers)
  - imposing sanctions on ransomware threat actors where enforcement is not
possible
  - implementing a clear policy framework on offensive cyber operations that
aims to impose costs on ransomware threat actors
- reducing the returns on investment of ransomware attacks on Australian
entities through:
  - imposing controls on ransomware payments
  - targeting rogue cryptocurrency exchanges that enable ransomware payments
  - hardening network security of Australia-based entities
- introducing strategies to help both public and private sector entities in
Australia improve their cyber resilience against the ransomware threat
- appointing a dedicated minister with responsibility for cybersecurity to
signal to adversaries that the Australian Government takes cybersecurity
seriously.
In relation to the NRS’s proposal to impose
sanctions on ransomware threat actors, it should be noted that the Autonomous
Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Act 2021
was enacted in December 2021. The Australian Government can now impose thematic
sanctions to address ‘malicious cyber activity’ and ‘threats to
international peace and security’, among other things. Of relevance is that in
September 2021, the US Government imposed for the first time sanctions against a
virtual currency exchange, SUEX, which was found to be responsible for
facilitating ransomware payments to cybercriminals associated with at least 8 ransomware
variants.
In June 2021, the Shadow Assistant Minister
for Cyber Security, Tim Watts, introduced the Ransomware
Payments Bill 2021 (Labor’s 2021 Bill), which proposed implementing a
mandatory reporting scheme for ransomware payments. Labor’s
2021 Bill would require Commonwealth entities, state or territory agencies,
and specified private sector entities who make ransomware payments to notify
the ACSC of key details of the attack, the attacker and the payment. This
information would be held by the ACSC and used to:
- share de-identified information to the private sector through the
ACSC threat-sharing platform
- collect and share information that may be used by law enforcement
- collect and share information to inform policymaking and to track
the effectiveness of policy responses.
In August 2021, the Shadow Minister for Home Affairs,
Kristina Keneally, introduced an identical Bill into the Senate as the Ransomware
Payments Bill 2021 (No. 2). Both Bills lapsed on prorogation.
Key issues arising from the Ransomware Action Plan and the proposed National Ransomware Strategy
The then Shadow Assistant Minister for Cyber
Security, who co-authored Labor’s NRS discussion paper, stated that the RAP ‘is
totally different from’ the NRS. However, he also said that the RAP ‘has
picked up many of the policy ideas’ from the NRS, which suggests there is
some degree of similarity between both strategies and possibly some degree of
bipartisanship on the ransomware threat. In any event, direct comparisons
between the RAP and the proposed NRS should be made with caution, given that
the RAP was a formal Australian Government plan while the NRS was an Opposition
policy.
One of the key features of the RAP was its proposal
to further criminalise ransomware-related conduct. In February 2022, the Coalition’s
2022 Bill sought to create new or aggravated offences as proposed in the RAP
and increase the maximum penalty for some existing computer offences, among other
things. The Parliamentary
Library’s Bills Digest on the Coalition’s 2022 Bill notes that these
proposed changes ‘represent an increase in the breadth and severity of
computer-based offences in Part 10.7 of the Criminal Code [Criminal Code Act
1995] generally, rather than just those related to ransomware activity’ (p.
6).
Meanwhile, noting that prosecutions of ransomware
cybercrimes under Commonwealth legislation are rare, Labor’s proposed NRS acknowledged
the transnational nature of these crimes and that ‘the likelihood for law
enforcement action is so low that it would have little impact on a ransomware
crew’s decision to target an Australian organisation’ (p. 8). This might be why
the NRS makes no mention of any proposals to create further offences or expand
existing offences as proposed by the RAP.
Both the RAP and the proposed NRS had some similar
features. Both policy initiatives advocated for increased participation in law
enforcement operations with international counterparts to combat the ransomware
threat. Both also shared a concern about threat actors’ use of cryptocurrency
exchanges that enable ransomware payments. While the NRS proposed to explore
with the US Department of Treasury ways of cooperating on international
efforts in this regard (p. 17), the RAP sought to modernise
legislation to allow law enforcement to tackle cryptocurrency transactions associated
with the proceeds of ransomware crimes (p. 6). The Coalition’s 2022 Bill proposed
expanding the application of various elements of the framework under the Proceeds
of Crime Act 2002 to cryptocurrency exchanges, in addition to financial
institutions (pp. 25–26).
Further, the mandatory ransomware incident
reporting schemes proposed by the Coalition and Labor shared a notable feature
that raised some media
attention. Both the
Coalition and Labor
indicated that to reduce the compliance burdens for small businesses, the regime under either government would not be expected to apply to
private sector organisations with an aggregate turnover of less than $10
million. However, this proposed reporting threshold may have implications for
achieving the intended purposes of a reporting scheme.
In his second reading speech on Labor’s 2021 Bill, the Shadow Assistant Minister for
Cyber Security said that ‘large businesses and government entities’ reporting
their intentions to make ransomware payments would:
- allow the signals intelligence and law enforcement agencies to
collect actionable intelligence on where this money is going, so they could
track and target the responsible criminal groups
- help others in the private sector by providing de-identified
actionable threat intelligence that they could use to defend their networks.
The Explanatory Memorandum for Labor’s 2021 Bill also
stated that the purpose of excluding small businesses was to ‘ensure that ACSC
has access to high-quality actionable intelligence from the mandatory
disclosures’. However, as at June 2021, businesses with an aggregate turnover
of $10 million or more comprised only 1.58% of all businesses actively trading in
Australia, and therefore, 98.42% were ‘small business entities’ with a turnover
of less than $10 million (as defined in section 328-110 of the Income Tax Assessment Act 1997).
While those businesses with a $10 million or more turnover represent a high proportion
of overall business activity, the exclusion of 98% of Australian businesses
from the reporting scheme could mean that aggregated intelligence on the
remaining fraction of the private sector would not necessarily give ‘a fuller picture of ransomware attacks in Australia’.
Further, as the law
firm Clyde & Co has posited:
It’s also a fallacy to assume that small
businesses can’t afford to pay ransom demands (and therefore don’t) and so this
won’t apply to them. Often – small businesses of this size have cyber insurance
which typically covers ransom demands.
Indeed, both major parties acknowledge the
ransomware threat to small businesses. In the RAP, the
Coalition Government cited ‘taking from small businesses’ as an example of
‘cybercriminals [using] ransomware to do Australians real and long-lasting
harm’ (p. 6). It then proposed ‘awareness training and clear advice for … small
to medium enterprises on ransomware payments’ as part of its policy and
operational response to the threat (p. 6). Meanwhile, in the NRS discussion
paper, Labor criticised
the ‘lack of engagement’ by small (and medium) businesses with the
importance of building cyber resilience against the ransomware threat, based on
their low usage of the ACSC’s online guidance (pp. 17–18). Labor attributed
this lack of engagement to the Coalition Government ‘not effectively
communicating cyber security messages to the private sector entities’ (p. 18).
Mandating small businesses to report ransomware
payments would be a rather indirect way of addressing any systemic lack of
cyber resilience awareness in the private sector, especially where its root
cause relates to education and government communication of cybersecurity
messages. Even so, it may well be a missed opportunity for the Australian
Government to expand the threat intelligence base that would better inform
law enforcement, diplomacy and offensive cyber operations if it decided to exclude
those ‘disengaged’ small businesses from a ransomware incident reporting scheme
due to anticipated regulatory burdens. However, for the scheme to be an
effective source of threat intelligence, resourcing of the ACSC as the
scheme’s regulator would also be a relevant consideration – regardless of the
reporting threshold.
A similar issue is being explored in the ongoing
review of the Privacy Act 1988, which contains a mandatory data
breach notification scheme and generally
does not apply to businesses with an annual turnover of less than $3
million, which comprised about 95.26% of all Australian businesses as at December 2021 (p. 48). According to the Privacy
Act review – discussion paper (pp. 40–49), there was a high level of
interest from a diverse range of stakeholders who provided submissions on the
small business exemption issue. Submitters who opposed removal of the exemption
raised the issue of compliance costs for and the regulatory burden on small
businesses, while submitters who supported removal of the exemption pointed to
consumer expectations, the outdated nature of the exemption due to
technological changes and the increased cybersecurity threat to small
businesses. It is likely that these arguments will be replicated during any
future consultations or debates on the reporting threshold of a mandatory
ransomware incident reporting scheme.
Further, pursuant to clause 5 of Labor’s
2021 Bill, private hospitals, medical practitioners or private aged care
facilities with an annual turnover of less than $10 million would not be
subject to the ransomware incident reporting scheme under that Bill. This might
lead to a situation where a private
health service provider holding sensitive health information about its
patients would be subject to the data breach notification scheme under the
Privacy Act, but would not be regulated by the ransomware incident reporting
scheme, even though the entity belongs to an industry sector that has been a major
target of ransomware attacks – as recognised by both Labor
(p. 4) and the
Coalition (p. 4). The same goes for all other types of private
sector organisations with a turnover of over $3 million but less than $10
million, which are regulated by the Privacy Act but would not be
subject to the proposed regime under Labor’s 2021 Bill.