The Australian government has announced a ransomware action plan that includes mandatory reporting of ransomware incidents affecting businesses with turnovers of more than A$10m a year.
The plan calls for the establishment of Operation Orcus – a multi-agency task force led by the Australian Federal Police (AFP) – as a response to the ransomware threat, joint operations with international counterparts, and clear advice for businesses of all sizes and for the operators of critical infrastructure.
This includes A$164.9m spending on cyber crime, with almost A$90m to fund 100 extra AFP personnel targeting cyber criminals.
The proposed legislative changes do not stop at mandatory reporting. The plan also proposes specific aggravated offences covering cyber extortion and attacks on critical infrastructure, as well as measures “to ensure that cyber criminals are held to account for their actions, and law enforcement is able to track and seize or freeze their ill-gotten gains”, for example by tackling the associated cryptocurrency transactions.
If the plan is carried out, it will be an offence to deal with data stolen in the course of committing a separate offence and to buy or sell malware for the purpose of committing computer crimes.
In the foreword to the plan, minister for home affairs Karen Andrews said: “The Australian government does not condone ransom payments being made to cyber criminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk.”
Nick Lennon, Australia and New Zealand (ANZ) country manager at email and cyber resilience provider Mimecast, said his company’s recent research found that of the 54% of businesses that paid a ransom, only 76% recovered their data after paying.
The plan also calls for support for active measures to stop cyber threats reaching Australian consumers and businesses.
“Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country,” said Andrews.
“Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses.
“That’s why the Morrison government is taking action to disrupt, pursue and prosecute cyber criminals. Our tough new laws will target this online criminality and hit cybercrooks where it hurts most – their bank balances,” she said.
Jacqueline Jayne, security awareness advocate at KnowBe4, said the mandatory reporting of ransomware attacks was a move in the right direction.
“We need more visibility and transparency to encourage more conversations about the impact and ferocity of ransomware attacks or near misses,” she said. “The increase in discussion would bring with it an opportunity to educate all Australians about cyber security risks, and reporting can be used as a tool to share and to learn from these incidents.”
Lennon agreed that further education was needed. “While the Australian Cyber Security Centre’s ‘Act now, stay secure’ campaign is a good start, there needs to be a nationally coordinated, high-visibility awareness, training and tools campaign specifically aimed at upskilling SMEs,” he said.
Jayne added that mandatory reporting on ransomware incidents could also pave the way for collaboration and broader conversations.
“Data can be used as a learning opportunity so that we can share findings, share stories and then potentially share solutions within the cyber community. Furthermore, this brings the conversation to the broader community as cyber security is everyone’s responsibility,” she said.
The government will be consulting stakeholders including the community at large on the proposed mandatory reporting regime and the new criminal offences.
According to the Office of the Australian Information Commissioner’s (OAIC) latest Notifiable data breaches report, the number of data breaches arising out of ransomware attacks grew by 24% during the first half of 2021.