Labor has introduced a draft bill to force companies to report ransomware payments to the Australian Cyber Security Centre (ACSC).
The Shadow Minister for Cybersecurity, Tim Watts MP, introduced the proposal in a Private Members Bill on Monday 21 June, ostensibly in an effort to increase the government’s focus on ransom ware.
It is important readers note that it is rare for Private Members Bills to be debated, very rare they are subject to further public consultations in the senate, and extremely rare that they become law.
The draft bill would require firms to provide ACSC with any information known about the attacker, the attack, the ransom paid, the cryptocurrency wallet, and any known indications of a compromise.
The proposal comes soon after Australian Signals Directorate (ASD) and Home Affairs gave testimony before the parliament warning that companies are already reluctant to share information on cyber-attacks with the government.
Head of ASD, Rachel Noble, told the parliamentary joint committee on intelligence there has been “a 60 per cent increase in ransomware attacks against Australian entities between this year and last year.”
Ransomware was addressed extensively in a speech by the head of the ACSC, Abigail Bradshaw, in March: “We are also seeing an increase in the professional syndicates operating ransomware crime – for example – ransomware as a service, and the coupling of ransomware attacks with DDOS attacks to increase the pressure to pay.”
Watts has been critical of the Morrison Government, claiming it is not doing enough to focus on the increasing risk of ransomware attacks, and released a discussion paper calling for a National Ransomware Strategy in February.
In his speech introducing the draft bill to the House of Representatives, Watts notes “Australia's cyber security strategy 2020 only mentions ransomware twice, once in a third-party quote and once in a list of issues the ACSC can provide advice to businesses on.”
He concedes “Mandating reporting of ransomware payments is far from a silver bullet for this national security problem, but it is a crucial first step.”