Following a spate of high-profile attacks, the Australian federal opposition has introduced a bill seeking to make it mandatory for businesses and government agencies to notify the Australian Cyber Security Centre (ACSC) before paying a ransomware gang.
Shadow Assistant Minister for Cyber Security Tim Watts moved the private member’s bill in federal parliament following a spate of high-profile ransomware attacks that resulted in payments being made.
The ACSC advises against paying a ransom. “There is no guarantee paying the ransom will fix your devices,” the centre advises. “It can also make you vulnerable to future attacks.”
Watts cited more than a dozen attacks in the last 18 months. These include attacks on meat processor JBS Foods, which paid $14 million earlier this month, and on Nine Entertainment and UnitingCare Queensland.
Organisations have often refused to respond to questions about whether or not a payment was made.
The Ransomware Payments Bill 2021 would introduce a “ransomware payment notification scheme” that covers corporations, all federal government entities and state and territory government agencies.
“It will require large businesses and government entities that choose to make ransomware payments to notify the ACSC before they make the payment,” Watts said, introducing the bill on Monday.
Entities would be required to disclose key details of the attack, including the attacker and their cryptocurrency wallet details, which the ACSC could then share in de-identified form through its threat sharing platform.
“This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups,” Watts said.
“And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks. Importantly, it will give us a fuller picture of ransomware attacks in Australia and the scale of the threat.”
Watts said that such a notification scheme was recommended in a report by US-based think tank the Institute for Security and Technology and by former US Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs.
“We should be clear at this point. Ransoms should not be paid. Ever,” Watts said.
“Paying a ransom does not guarantee you’ll be able to quickly bring your systems back online or prevent further disruption; it does not guarantee your data won’t be leaked.
“What it does do is provide further resources to the criminal organisations mounting these attacks and create an incentive for them to carry out more attacks.
“But where organisations feel compelled to make these payments, government should be involved.”
Watts said the bill, if passed, would function as a “policy foundation for a coordinated government response to the threat of ransomware” and the “starting point for… a comprehensive plan to tackle ransomware”.
Labor has been advocating for a national ransomware strategy since February to help reduce the frequency of attacks.
The government has so far resisted these calls, although it has released a series of guides providing advice to businesses.
“Mandating reporting of ransom payments is far from a silver bullet for this national security problem, but it’s an important first step,” Watts said.
Watts said that the government had “gone missing when called on to act on the biggest cyber threat facing Australian organisations” at a time when the US government is stepping up, including by elevating ransomware investigations to a priority similar to that given to terrorism.
Cyber security is a vital area of relevance to the Commonwealth of Nations. A ransomware attack on a country’s critical infrastructure could take place at any time; proactive action is needed to prevent such attacks, and paying a ransom would not serve any purpose.