NewsBite

Ransomware crackdown in new cyber security strategy

Companies will be required to report ransomware attacks to the government under a mandatory, no-fault reporting system.

Home Affairs and Cyber Security Minister Clare O’Neil, with Prime Minister Anthony Albanese, has declared war on ransomware criminal gangs and thugs ahead of releasing the new Cyber Security Strategy. Picture: NCA NewsWire / Martin Ollman

Companies will be forced to report cyber ransom demands under Australia’s first mandatory no-fault reporting system but will not be banned from paying criminal gangs and state-sponsored offenders, amid a 45 per cent surge in global ransomware attacks this year.

The new regime, a centrepiece of the Albanese government’s cyber security strategy expected to be released next week, comes following a suspected ransomware attack on Friday against DP World Australia, which operates 40 per cent of the nation’s maritime freight.

The cyber attack, described by Home Affairs Minister Clare O’Neil as “serious and ongoing” after shutting down Australia’s second biggest port operator, follows attacks on companies including Optus, Medibank, BlueScope, Nine Entertainment, Toll and major healthcare providers.

Key elements of the government’s seven-year cyber strategy include an early-warning system for ransomware attacks, a ransomware playbook and a fightback strategy targeting “thugs and criminals”.

As chair of the International Counter Ransomware Task Force, which met in Washington this month, Australia will launch counter-ransomware operations alongside 50 global partners including the US, Britain, India, France, the EU, Israel, Japan and South Africa.

In addition to sanctions targeting ransomware criminals, who cost the global economy $13.5 trillion last year, the Australian Federal Police and Australian Signals Directorate will ramp up operations to identify, investigate and strike back at cyber gangs.

Coalition-era critical infrastructure laws, designed to oversee the protection of water, energy, telecommunications, transport, defence industry, healthcare and other core assets, are expected to be strengthened given the pace of technological advancements and rise in threats.

Mandatory, no-liability ransomware obligations overseen by the government will require businesses to report any ransom incident, demand or payment. The early-warning system, designed to help businesses get swift support, will not carry any penalties.

The government will consult industry on the early-warning system following the release of the cyber security strategy, which is expected after Anthony Albanese’s visit to San Francisco later this week for the APEC summit.

While the government strongly discourages Australians from paying ransoms, which is often the cheaper and faster option for companies, it will not ban payments following talks with business leaders. US companies and entities are estimated to have paid more than $2bn in ransoms over the 12 months to mid-2023.

With ransomware costing the Australian economy almost $3bn annually, Ms O’Neil said the government would continue “to strongly discourage businesses from paying ransoms”.

“There is no guarantee you will regain access to your information, or prevent it from being sold or leaked online. You may also be targeted by another attack,” Ms O’Neil said.

The Cyber Security Minister said ransomware was the “most disruptive cyber threat in the world today” and the government was working with industry to “break the business model of the thugs and criminals behind it, and choking off their avenues of attack”.

“The government is stepping up and helping defend Australian businesses and citizens from the scourge of ransomware. Over the last 12 months, I have engaged with hundreds of business leaders across the country and some of the best cyber thinkers in the world, and what we have heard consistently is that Australia is not yet ready for an outright ban of ransomware payments,” she said.

“Our first step must be getting the right supports in place for businesses and citizens so that it can become an easy decision to not pay ransoms. And, to build a picture of what’s really going on so we can tackle it head-on. The problem today is effectively hidden.

“We know tens of millions of cyber attacks are attempted every year. We don’t have that picture of which companies and industries are targeted and when, and how many ransom demands are actually paid.”

A playbook will be developed to provide clearer guidance for businesses and citizens hit with ransomware attacks, including advice around cyber protection, victim support and how to respond to ransom demands.

The DP World cyber attack, deemed a nationally significant event, affected the ports of Melbourne, Fremantle, Botany and Brisbane. The government’s National Co-ordination Mechanism met on Saturday and Sunday, bringing together top federal, state and territory officials, logistics companies and other port operators.

ASD has reported that the cost of cybercrime for Australian businesses rose 14 per cent over the year to mid-2023. The Australian Cyber Security Centre responded to 118 cyber incidents involving ransomware, compared to 115 in 2021–22.

Original URL: https://www.theaustralian.com.au/nation/politics/ransomware-crackdown-in-new-cyber-security-strategy/news-story/4222e027d7749b439d52bcba213481a3