[BreachExchange] Australia's new ransomware plan to create ransomware offences and reporting regime

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Oct 13 09:20:26 EDT 2021


https://www.zdnet.com/article/australias-new-ransomware-plan-to-create-ransomware-offences-and-reporting-regime/

The Australian government has announced a new set of standalone criminal
offences for people who use ransomware under what it has labelled its
Ransomware Action Plan.

Under the new plan [PDF], people who use ransomware to conduct cyber
extortion will be slapped with new stand-alone aggravated criminal charges.

A new criminal offence has also been created for people who target
critical infrastructure with ransomware.

The acts of dealing with stolen data knowingly obtained in the course of
committing a separate criminal offence as well as buying or selling malware
for the purposes of undertaking computer crimes are also both now
criminalised.

"The Ransomware Action Plan takes a decisive stance -- the Australian
Government does not condone ransom payments being made to cybercriminals.
Any ransom payment, small or large, fuels the ransomware business model,
putting other Australians at risk," Minister for Home Affairs Karen Andrews
said.

Alongside the new criminal offences, the plan will also roll out a new
mandatory ransomware incident reporting regime, which would require
organisations with a turnover of over $10 million per year to formally
notify government if they experience a cyber attack.

The new plan will also see government work to introduce additional
legislative reforms that potentially allow law enforcement to track, seize
or freeze ransomware gangs' proceeds of crime.

All of the new measures will be developed through a new tranche of
legislation rather than through the Security Legislation Amendment
(Critical Infrastructure) Bill 2020 currently being considered by
Parliament.

This is in spite of the Security Legislation Amendment (Critical
Infrastructure) Bill 2020 already containing provisions that seek to create
mandatory reporting requirements for organisations that suffer a cyber
attack and provide more powers for government to undertake action against
cyber attacks.

While the plan itself says some of the new measures will be regulated
through the Security Legislation Amendment (Critical Infrastructure) Bill
2020, a federal government representative clarified that the Bill would
just be providing clarity surrounding the definitions of critical
infrastructure.

The government representative also said the new tranche of legislation
would be primarily focused on introducing new offences to allow law
enforcement to charge cybercriminals on ransomware grounds, while the
Security Legislation Amendment (Critical Infrastructure) Bill 2020 is
focused on providing government more powers to intervene during cyber
attacks.

That Bill received the tick of approval from a parliamentary joint
committee two weeks ago, with the parliamentary committee saying at the
time there was compelling evidence that the complexity and frequency of
cyber attacks on critical infrastructure was increasing.

"Australia is not immune and there is clear recognition from government and
industry that we need to do more to protect our nation against
sophisticated cyber threats, particularly against our critical
infrastructure," committee chair Senator James Paterson said at the time.

The Bill was originally meant to be broader in scope, but the committee
advised that other "less urgent" aspects of the Bill should be introduced
under a second, separate Bill following further consultation.

Under the government's new ransomware plan, a multi-agency taskforce led by
the Australian Federal Police, called Operation Orcus, has also been
created. The taskforce was created in July, and the government has touted it
as the country's "strongest response to the surging ransomware threat".

According to Andrews, these new measures all fall within one of the plan's
three objectives, which are to build Australia's resilience to ransomware
attacks; strengthen responses to ransomware attacks; and disrupt and deter
cybercriminals through tougher laws. To achieve these three objectives,
Andrews said the federal government would work closely with state and
territory governments and industry stakeholders.

The new plan builds on Australia's overarching 2020 Cyber Security
Strategy, which aims to impose cyber standards on operators of critical
infrastructure and systems of national significance and create powers that
allow the federal government to get on the offensive and actively defend
networks and critical infrastructure.