The Australian Government released the 2023-2030 Australian Cyber Security Strategy: Legislative Reforms Consultation Paper (Consultation Paper) in December 2023. The Consultation Paper follows the Australian Government’s 2023-2030 Australian Cyber Security Strategy (Strategy). The Strategy aims to build ‘cyber shields’ to strengthen Australia’s cyber defences and build resilience against cyber-attacks.

The Consultation Paper considers the areas of legislative reform set out in the Strategy, including new cyber security legislation to address gaps in existing regulatory frameworks, and amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) to strengthen protection of Australia’s critical infrastructure.

Notably, the Consultation Paper proposes to impose no-fault ransomware reporting obligations on Australian businesses to expand understanding of ransomware incidents and develop a ‘threat picture’, the term the Consultation Paper uses for a coherent, evidence-based understanding of ransomware and the way in which it presents in society. The Consultation Paper seeks input from the Australian public on the proposal.

This article explores the current ransomware environment in Australia, and the Government’s proposed ransomware reporting obligations.

Ransomware in Australia: the current situation

Ransomware attacks

Ransomware is malware that, once it has gained access to a system, encrypts the victim’s data (or otherwise blocks access to it) and demands a ransom in exchange for restoring access. Cyber extortion is where cybercriminals exfiltrate sensitive or personal data from individuals or businesses and threaten to sell or release it unless their demands are met. The two are frequently combined, with data exfiltrated before encryption so that the attacker can threaten publication if the decryption ransom is not paid. Both pose some of the most destructive cybercrime threats to Australian businesses, with serious implications for both personal privacy and national security.

The malware used in ransomware attacks is commonly delivered via the following methods:

  • malicious websites;
  • attachments or links in emails;
  • social media posts;
  • messaging apps; and
  • downloadable applications.

The driving motivation for cybercriminals committing ransomware attacks is financial gain, with ransomware incidents costing the Australian economy an estimated $2.59 billion per year.

Regulating ransomware attacks

Australian regulation specific to ransomware and cyberattacks is limited. Businesses and individuals are not prohibited from making ransom payments to cybercriminals, although the Australian Government strongly discourages it, and a payment may still fall foul of other laws, such as sanctions laws, depending on who receives it.

The issues

The Australian Institute of Criminology suggests that ransomware and cyber extortion attacks are severely underreported, with only one in five entities reporting when they suffer a ransomware attack.

Businesses are often reluctant to report ransomware and cyber extortion attacks for fear of reputational damage and legal consequences. This limits visibility of the issue and reduces the capacity of the Government and the private sector to help Australian businesses prepare for, mitigate, and respond to these incidents.

Additionally, when a business pays a ransom, it helps fund the cybercriminal’s operation and gives them the means to continue operating and to expand their reach and tooling. Paying a ransom also gives the victim no guarantee that a working decryption key will be provided, or that stolen data will not be shared or sold by the cybercriminal.

Government’s Proposed Ransomware Reforms

In the Consultation Paper, one of the Government’s proposals is to introduce a ransomware reporting obligation for businesses, enabling the Government to gather more information on cyber threats and develop better responses and defences.

The proposed reforms align with the Strategy’s commitment to work with industry to break the ransomware business model and to co-design options for mandatory, no-fault, no-liability obligations requiring businesses to report ransomware incidents and payments.

A greater understanding of ransomware threats, gained through reporting, would assist in developing mitigation strategies for businesses and allow the Government to adapt its approach to a rapidly evolving cyber security landscape. The proposed measures would help develop a more thorough ‘threat picture’, improve risk mitigation across the whole economy, and help establish and tailor victim support services.

What would these reporting obligations entail?

Under the proposed reforms, the Government is seeking to establish two reporting obligations. An entity would be required to report to the Government where it has:

  1. been impacted by a ransomware or cyber extortion attack, and has received a demand to make a payment to decrypt its data or prevent its data from being sold or released; or
  2. made a ransomware or extortion payment.

If a business pays a ransom, it would therefore be obliged to submit two reports: one for the initial incident and one for the payment. Information the business would be required to include in a report includes:

  • when the incident occurred, and when the entity became aware of the incident;
  • what variant of ransomware was used, if relevant;
  • what vulnerabilities in the entity’s system were exploited by the attack, if known;
  • which assets and data were affected by the incident;
  • what amount of money has been demanded as payment by the ransomware cybercriminal, and what method of payment has been demanded;
  • the nature and timing of any communications between the entity and cybercriminal;
  • the impact of the incident, including impacts on the entity’s infrastructure and customers; and
  • any other relevant information about the incident that could assist law enforcement with mitigating the impact of the incident and any future incidents.

Who will be required to report?

The Government is looking to find a balance between maximising the data available to develop a greater understanding of ransomware incidents, and minimising the administrative burden of imposing a new reporting obligation on Australian businesses, particularly small businesses. Striking this balance will involve determining who must report on ransomware incidents.

There may be circumstances where an entity is already subject to other cyber incident reporting obligations that require it to collect the relevant ransomware information. Instead of introducing new reporting obligations for these organisations, the Government could expand the reporting obligations under existing regulation. For example, approximately 1,000 Australian entities already fall within the mandatory cyber incident reporting obligations under the SOCI Act, which include an obligation to report ransomware and cyber extortion incidents.

The Consultation Paper also contemplates limiting the reporting obligation to specific types of entities, for example businesses with an annual turnover of $10 million or more. This would exclude over 98% of Australian businesses.[1] The downside of limiting the obligation in this way is that data would be gathered from only a small percentage of Australian businesses, leaving most incidents unseen.

Timeframes for reporting

Prioritising timely reporting of ransomware and cyber extortion attacks would allow the Government to generate time-sensitive threat assessments and respond promptly, in the hope of mitigating future attacks. The Government is currently considering aligning the timeframes of the new reporting obligations with those already prescribed under other reporting schemes. For example, the mandatory incident reporting obligations under the SOCI Act require a cyber security incident that has a significant impact on a critical infrastructure asset to be reported within 12 hours of the entity becoming aware of it, and other incidents with a relevant impact within 72 hours. The Government is likely to adopt a similar timeframe, measured from when the entity becomes aware of the incident rather than from when it occurred.

‘No-fault’ and ‘No-liability’ protections

The ‘no-fault’ principle is intended to assure entities that the agency receiving and reviewing ransomware reports will not apportion blame for the incident, and that an entity will not be prosecuted for making a ransom payment. While payment of a ransom is strongly discouraged, there is no legislative ban on it.

The proposed reporting obligations do not seek to penalise victims of an attack or to make findings of fault or liability in relation to the incident itself. However, the Consultation Paper proposes a proportionate compliance framework, such as a civil penalty provision, to ensure that businesses comply with the reporting obligations; any penalty would attach to a failure to report, not to having been attacked or having paid.

Looking Forward

In the Strategy, the Government emphasises its commitment to build an understanding of ransomware attacks, disrupt their growing presence, and develop a ransomware playbook to help mitigate their destructive impact on Australian businesses. The Consultation Paper provides a considered first look at the proposed reforms, giving useful insight into how they would apply and what changes Australian businesses can expect. The opportunity for community submissions closed on 1 March 2024, and the Government will consider these views to refine its approach to the reforms and ensure it reflects the community’s expectations for greater protection against ransomware.

The Consultation Paper suggests releasing a public quarterly report to share information on ransomware incidents gathered through the proposed reporting obligations. The report would anonymise or aggregate sensitive information. The Government seeks the public’s view on this initiative.

For more specific information on the proposed reforms, including those which extend beyond ransomware, we recommend you read the full Consultation Paper and become aware of the extensive list of reforms and how they could impact your business.

[1] According to the Australian Small Business and Family Enterprise Ombudsman which uses 2022 Australian Bureau of Statistics figures.