Businesses that have paid ransomware hackers may be forced to report it to the government under proposed cyber security laws introduced to parliament.
The Cyber Security Bill 2024 was unveiled by cyber security minister Tony Burke, who said it aims - among other things - to “build [the government’s] understanding of the ransomware threat”.
Elements of the bill were first promised by the government back in 2021, during which time ransomware attacks soared. The government also flagged the need for a potential Cyber Security Act in February last year.
Home Affairs then ran several consultations, culminating in an exposure draft being shopped to industry last month. The government characterised industry feedback as "broadly supportive". [pdf]
Speaking in parliament, Burke said ransomware attacks continue to “cause large-scale harm to the Australian economy and national security” with Australian businesses paying an average of $9.27 million to hackers in 2023.
“This issue needs to be tackled,” Burke said.
“Mandatory reporting of ransomware payments will crystallise our picture of how much is being extorted from businesses via ransomware attacks.
“Who are these payments being made to, and how? With these timely and comprehensive insights, the government will be better able to develop the resources, tools and supports that are most useful to industry and help break the ransomware business model.
"Together, we can work to prevent future ransomware crises and to equip businesses to bounce back.”
The Cyber Security Bill is a legislative package of reforms that also includes amendments to the Intelligence Services Act and the Security of Critical Infrastructure Act, better known as SoCI.
To encourage businesses to report ransomware incidents voluntarily, the bill will include a measure that limits the circumstances in which the National Cyber Security Coordinator can use or share the information provided.
An amendment to the Intelligence Services Act will also impose the same limitation on the Australians Signals Directorate.
The limitation was encouraged by intelligence agencies, as they found themselves being cut out of the loop on valuable incident response information.
Burke said the totality of the bill "will collectively strengthen our national cyber defences and build cyber resilience across the Australian economy."
“This is a significant step in achieving the Australian government's vision of becoming a world leader in cyber security by 2030," he said.
"To achieve this vision, Australia needs a clear legislative framework that addresses whole-of-economy cyber security issues and positions us to respond to new and emerging threats.”
The Cyber Security Bill 2024 will also establish mandatory security standards for smart devices.
“Australians love the convenience of smart devices at home, but consumers need to know that smart devices are still safe devices,” Burke said. “These devices currently often lack basic cyber security protections.”
It will also establish an independent cyber incident review board that will conduct reviews of significant cyber security incidents.
“The Optus and Medibank breaches from 2022 and the more recent MediSecure data breach demonstrate the urgent, need for government and Industry to collectively, learn lessons from high impact, cyber security incidents and to prepare contingencies for future attacks,” Burke said.
The board will be modelled on the United States’ Cyber Safety Review Board and will “ensure that we're learning from these cyber incidents and improving Australian organisations’ practices policies and procedures,” Burke added.
