Insight,

Parliament considers Ransomware plan legislation

AU | EN
Current site :    AU   |   EN
Australia
Belgium
China
China Hong Kong SAR
Germany
Italy
Japan
Singapore
Spain
UAE
United Kingdom
United States
Global

TL;DR

New, stronger criminal offences applicable to cybercriminals proposed with extraterritorial application.  Modernised powers to investigate and seize digital assets, including cryptocurrency, introduced.  The mandatory ransomware incident reporting regime may be enacted soon.

What is the Ransomware Action Plan Bill?

On 17 February 2022, the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (the Bill) was introduced into the House of Representatives.  The Bill proposes amendments to the Criminal Code Act 1995, the Crimes Act 1914 and the Proceeds of Crime Act 2002 to modernise criminal offences and procedures to respond to the threat of ransomware.  Beyond the suite of new and stronger criminal offences, the Bill also proposes amendments to modernise law enforcement powers to ensure that law enforcement agencies can investigate and prosecute cybercriminals and continue to reduce, and nullify, the profitability of ransomware crime.

The Bill implements key aspects of the Ransomware Action Plan (the Plan) as announced in late 2021.  As set out in our earlier alert “Australian Government Unveils Its Ransomware Action Plan”, the Plan discloses the Australian Government’s policy, operational and legislative response to ransomware attacks. 

The Bill is one of the Plan’s key legislative initiatives relating to criminal law and law enforcement that is aimed specifically at disrupting and deterring perpetrators of ransomware attacks.  These reforms target the increasing trend of data theft and encryption, cyber extortion and Ransomware-as-a-Service (RaaS) and work hand-in hand with recent and ongoing reforms to critical infrastructure security.  According to the Bill’s Explanatory Memorandum, “[i]ndividuals and crime syndicates, including transnational syndicates, have modernised their cybercrime tradecraft by ‘locking’ or encrypting computers through ransomware or by stealing and threatening to release sensitive information contained on a computer publicly.  Once files are stolen or encrypted, criminals demand a ransom (often in the form of hard-to-trace cryptocurrencies) from the system owner in return for the decryption keys.  Malware developers also provide ransomware for payment (ie, RaaS) which represents the increasing commercialisation and sophistication of the ransomware business model”.  The object of the Bill is to ensure all cybercriminals who engage in this conduct are captured under the Bill’s modernised offences. 

What offences does the Bill introduce?

The Bill introduces a suite of new standalone and aggravated offences including:

  • a standalone cyber extortion offence, which will criminalise the extortive conduct associated with ransomware: specifically, the conduct of a person making a threat with the intention of compelling another person to do or omit to do an act;
  • an aggravated offence relating to cyber attacks on critical infrastructure assets as defined under the Security of Critical Infrastructure Act 2018 (SOCI Act);
  • a standalone offence of dealing with data obtained by unauthorised access or modification; and
  • an aggravated offence criminalising producing, supplying or obtaining data under arrangement for payment.

The Bill also amends the extraterritoriality provisions of the Criminal Code Act as they apply to computer offences in Part 10.7 of the Criminal Code Act.  These amendments provide Australian law enforcement with clear legal authority to investigate and prosecute offshore cybercriminals, where the crime impacts on a person in Australia.  The application of extended geographical jurisdiction to these computer offences reflects the increasingly multinational and borderless nature of cybercrime. 

The Bill also increases the relevant penalty provisions for other computer offences (Division 478 offences) such that the maximum penalties for each offence carries at least a maximum term of 5 years’ imprisonment.  These increases are intended to reflect the severity of harm or potential harm they cause to the community.

Ransom payments

Despite these new and aggravated offences, the Bill does not make the payment of a ransom as such illegal. While the Bill does increase the number (and magnitude) of applicable criminal offences, it does not change accessorial liability under the Criminal Code Act 1995 in relation to the making of ransom payments nor does it change the availability of the defence of duress. Generally, accessorial liability requires that a party intends to aid, counsel or procure the commission of the offence and from a broader policy perspective, it would be inconsistent to find a victim of a crime to also be an accessory to it.

Nonetheless, the increased computer offences, as introduced by the Bill, make it more important that organisations carefully consider the potential risks of committing an offence – or being an accessory to one – before making any ransom payment. And if a company is considering making a ransom payment despite the Australian Government’s guidance that it does not condone the making of ransomware payments, thought should be given to the considerations set out in our previous alert “Cyber Attacks: Is It Legal To Pay a Ransom In Australia?”.  

Digital Currency

In addition to the modernised ransomware-related offences, the Bill amends the Crimes Act and the Proceeds of Crimes Act to address the increasing criminal use of digital assets (such as cryptocurrency).  The Bill proposes amendments to ensure that existing law enforcement agencies have the appropriate capabilities to investigate the use of, and ability to seize, these digital assets.  This includes ensuring that existing information gathering powers and freezing orders available in relation to financial institutions are applicable to digital currency exchanges.

Mandatory Ransomware Reporting Scheme

Importantly, the mandatory ransomware incident reporting regime (the Ransomware Reporting Regime), foreshadowed in the Plan, does not form part of this Bill.  While the details of the Ransomware Reporting Regime are still being settled, the likely key components are understood to be as follows:

  • The Ransomware Reporting Regime will apply to businesses with a turnover of more than $10 million per annum;
  • The Ransomware Reporting Regime will mirror reporting obligations under the SOCI Act and require a business to notify the Australian Cyber Security Centre within:
    • 12 hours of becoming aware of a ransomware incident that is having a “significant impact” on its business; or
    • 72 hours of becoming aware of a ransomware incident that is having a “relevant impact” on its business.
  • Following notification of a ransomware incident, a business will then be required to produce a follow up report of the “material details” of the ransomware incident, including details such as the impact of the incident and payment details.

As signposted under the Plan, and in line with the recent and ongoing reforms to critical infrastructure security, the Ransomware Reporting Regime may be enacted soon.

Conclusion

For now, the Bill delivers a key legislative initiative under the Plan by introducing new and stronger computer offences.  These offences, including their extended geographical jurisdiction, are considered to be imperative in light of the increasing prevalence of ransomware-related attacks in Australia.  The Bill’s modernised approach to investigating and prosecuting these cybercrimes also critically reflects the transnational and borderless nature of cybercrime and increasing criminal use of digital assets. 

As a practical aside, the Bill may well lapse if it’s not passed by the time Parliament is prorogued for an election.  Given there are limited sitting days scheduled before May, most of which will be allocated to consider the budget, the passing of the Bill is time-critical.

LATEST THINKING
Insight
APRA has released its proposed new remuneration disclosure and reporting requirements for APRA-regulated entities for consultation. This article explores the key features of the new and enhanced disclosure requirements proposed by APRA.

12 August 2022

Insight
Offshore wind farms are one step closer in Australia following an announcement from the Federal Government on Friday.

11 August 2022

Insight
On 2 August 2022, the Aged Care and Other Legislation Amendment (Royal Commission Response) Bill 2022 was passed (Aged Care Bill), introducing important regulatory changes to Australia’s aged care sector. The Bill makes numerous legislative amendments, including to the Aged Care Act 1997 (Cth) (Aged Care Act) and the Aged Care (Transitional Provisions) Act 1997 (Cth) (Transitional Provisions Act), and responds to various recommendations made by the Royal Commission into Aged Care Quality and Safety (Royal Commission) Final Report (Report). The Report identified the provision of substandard aged care services and perceived systemic failures in the aged care sector.[1]

08 August 2022