Written by Andrew Hannay, Cheng Lim and Sean Field.
New mandatory ransomware incident notification requirements for large Australian businesses, new and stronger criminal offences applicable to cybercriminals. Similar legislation may be enacted in the United States soon.
On 13 October 2021, the Minister for Home Affairs unveiled a 'new and comprehensive' Ransomware Action Plan (Plan). Under the Plan, the Australian Government has disclosed upcoming legislative and operational/policy reforms to better protect individuals, businesses and critical infrastructure across Australia against ransomware. The Plan outlines current initiatives already undertaken by the Government to improve cyber security generally, as well as future legislative reforms aimed specifically at disrupting and deterring ransomware attacks.
The Plan also clearly sets out the Commonwealth's policy position regarding the payment of ransoms, that is, that the Commonwealth does not condone the payment of ransoms. We have previously provided guidance around the legal risk associated with the payment of ransoms.
Key legislative initiatives
Under the Plan, the key future initiatives to deter ransomware attacks include:
Specific mandatory ransomware incident reporting to the Australian Government – however the Government has indicated that this would only apply to businesses with turnover exceeding $10 million per year. The current voluntary reporting entity is the Australian Cyber Security Centre (ACSC), an agency of the Australian Signals Directorate, and we expect that it will continue to receive reports on behalf of the Government under the new legislation.
Legislative reform to ensure law enforcement agencies can investigate and seize ransomware payments in cryptocurrency.
Introducing a stand-alone offence for all forms of cyber extortion. Presumably this will extend beyond ransomware to other forms of cyber extortion, such as Denial of Service threats.
Criminalising the buying or selling of malware for the purposes of undertaking computer crimes.
Criminalising the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim's sensitive data, face increased penalties. Given it will extend beyond dealings with data stolen in the course of a ransomware attack to dealings with data stolen in the course of other criminal offences, it will be interesting to see the actual breadth of this new offence and its application to those who "steal" data.
A stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure (as proposed to be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill)). Our previous alerts on the purpose of the reforms and the content of the SOCI Bill are available here, here, here and here. The Government has indicated this will mean an increase in penalties, given the importance of these assets to Australia.
The Plan also indicates an intention for the Government to work with international partners (in joint operations with counterparts) to detect, investigate, disrupt and prosecute malicious cyber actors when engaging in cybercrime and to call out states who support cybercriminals. This presumably would include co-operation on offensive cyber capabilities.
Similar legislation may be enacted in the US soon
A bipartisan bill was introduced to the US Senate last month that would require owners and operators of critical infrastructure to report to the relevant Federal agency any "covered cyber incident" and any ransomware payments. Entities reporting ransomware payments will be required to have conducted due diligence into available alternatives, including whether recovery from a ransomware attack was possible without succumbing to a demand for payment. This accords with Department of State guidance, which is that before paying a ransom, entities should consult with the Department of State to minimise the risk of inadvertently funding proscribed organisations, individuals or activities through ransom payments.
Both points are consistent with strategies we would typically recommend for mitigating the risk of committing an offence under Australia's Criminal Code in relation to anti-money laundering and counter-terrorism financing laws including, in the Australian context, notifying and liaising with one or both of the ACSC or the Australian Federal Police."