Would mandatory reporting of ransomware payments cause more good or trouble?
By Cameron Abbott, Warwick Andersen and Jacqueline Patishman
Last month, the federal opposition (Shadow Assistant Minister for Cyber Security) introduced the private member’s Ransomware Payments Bill (the Bill) that proposes to make it mandatory for all Australian businesses and government agencies to notify the Australian Cyber Security Centre (ACSC) before paying a ransom to a ransomware attacker. Failure to notify will attract a penalty of 1,000 penalty units ($181,740).
As we all know, there have been a series of high profile ransomware attacks in the past few months (see ransomware attack on UnitingCare Queensland, JBS Meatpacking, New York’s subway and American Colonial Pipeline). These attacks are giving governments around the world ammunition for greater control and influence over organisation’s security and management of technology related threats (for example, see the blog we wrote about the CSET tool recently introduced by the US Department of Home Affairs).
The ACSC’s position is that organisations should not pay ransoms; despite this, many organisations chose to (or perhaps feel they are forced to) pay the ransom. The Bill is set to introduce a ransomware payment notification scheme that will require organisations to disclose key details of the attacks made on them (such as what cryptocurrency wallet the attacker has requested payment into).
The explanatory memorandum of the Bill has suggested that the Bill will provide an “important foundation for a comprehensive national ransomware strategy, which is needed to deal with the onslaught of ransomware attacks on Australian organisations.” The motivation of the regime is centred around the idea of data gathering so that the government can better understand patterns in cybercrime and develop strategies to defend against it.
It is a crime in Australia to pay a ransom and forcing organisations to report when they chose to do so will force them to self-incriminate (likely making the regime unpopular with businesses).
The government is currently weighing up the merits of introducing a mandatory reporting requirement and it will be interesting to see what conclusion it comes to. We have seen a number of ransoms paid recently and sometimes businesses see this is the best option for their businesses.