New bill proposes forced ransomware payment disclosure
Australia’s Shadow Assistant Minister for Cyber Security Tim Watts has put forward a new bill making it compulsory that companies intending to pay a ransomware demand inform the Australian Cyber Security Centre.
Labor has been calling for a national ransomware strategy coordinating government action aimed at reducing the volume of attacks. Payment notification is a starting point for a comprehensive plan to tackle ransomware, it says.
“Mandating reporting of ransomware payments is far from a silver bullet for this national security problem but it is a crucial first step,” Mr Watts told parliament. “The time to act is now. This bill is the first step towards that action and I urge the government to support it.”
The scheme would be a foundation for a coordinated government response, providing actionable intelligence to inform law enforcement and cyber operations.
Australian organisations have been “menaced in an onslaught of ransomware attacks” in the last 18 months, Mr Watts says, affecting meat producer JBS Foods, media firm Nine Entertainment, UnitingCare Queensland hospitals, The Eastern Health hospital network in Victoria, brewer Lion, the NSW Labor party, Toll logistics, Bluescope, PRP Diagnostics, Regis Healthcare, Law In Order, Carnegie Clean Energy, coffee roaster Segafredo Zanetti and Taylors Wine.
“For every ransomware incident you read about in the papers there are a dozen happening outside public view,” Mr Watts said, adding that ransom payments like the $11 million in response to the JBS attack are just “the tip of the iceberg of the costs of these attacks”.
The estimated average IT system downtime caused by a ransomware attack has increased to 15-20 days – an “incredible cost” to these organisations, he says.
Security firm Emsisoft estimates the cumulative cost of ransomware to the nation at around $1 billion annually.
“Time and resources are expended fighting off Russian cybercriminals instead of on their core business or organisation's mission,” Mr Watts said.
“The current trajectory of these attacks, and the traditional response to them – asking organisations to implement an ever-increasing uplift in cyber-resilience – is inefficient and not sustainable.”
The bill requires large businesses and government entities that choose to pay ransoms to notify the ACSC beforehand, signalling agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups and also give a fuller picture of the scale of the threat.
“Where organisations feel compelled to make these payments, government should be involved,” Mr Watts said.