Australia’s new ransomware plan to create ransomware offences and reporting regime

The Australian government has announced a new set of standalone criminal offences for people who use ransomware under what it has labelled its Ransomware Action Plan.

Under the new plan, people who use ransomware to conduct cyber extortion will be slapped with new stand-alone aggravated criminal charges.

A new criminal offence has also been created for people who target critical infrastructure with ransomware.

Dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, as well as buying or selling malware for the purposes of undertaking computer crimes, are also both now criminalised.

“The Ransomware Action Plan takes a decisive stance — the Australian Government does not condone ransom payments being made to cybercriminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk,” Minister for Home Affairs Karen Andrews said.

Alongside the new criminal offences, the plan will also roll out a new mandatory ransomware incident reporting regime, which would require organisations to formally notify government if they experienced a cyber attack.

The new plan will also see government work to introduce additional legislative reforms that potentially allow law enforcement to track, seize or freeze ransomware gangs’ proceeds of crime. 

The new criminal offences and reporting regime will all be regulated through the Security Legislation Amendment (Critical Infrastructure) Bill 2020, the government said. The Bill is expected to be passed soon, after it received the tick of approval from a parliamentary joint committee two weeks ago.

These new measures were specifically recommended to be passed immediately by the parliamentary committee as it said there was compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure were increasing.

“Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” committee chair Senator James Paterson said.

The Bill was originally meant to be broader in scope, but the committee advised that other “less urgent” aspects of the Bill should be introduced under a second, separate Bill following further consultation.

Under the government’s new ransomware plan, a multi-agency taskforce led by the Australian Federal Police, called Operation Orcus, will also be created. The new taskforce will be the country’s “strongest response to the surging ransomware threat”, the government said.

The new plan follows almost an entire year of Home Affairs repeatedly requesting that these new powers and requirements be formalised.

According to Andrews, these new measures all fall within one of the plan’s three objectives, which are to build Australia’s resilience to ransomware attacks; strengthen responses to ransomware attacks; and disrupt and deter cybercriminals through tougher laws. To achieve these three objectives, Andrews said the federal government would work closely with state and territory governments and industry stakeholders.

The new plan builds on Australia’s overarching 2020 Cyber Security Strategy, which aims to impose cyber standards on operators of critical infrastructure and systems of national significance and create powers that allow the federal government to get on the offensive and actively defend networks and critical infrastructure.
