Commonwealth releases Ransomware Action Plan

October 14, 2021

The Home Affairs Minister, Karen Andrews, today released the Government’s Ransomware Action Plan.

It has been heralded as a new plan to protect Australia against ransomware. Actually, that is the title of the media release, which provides:

The Morrison Government is taking action to protect the community and economy from ransomware attacks, announcing new criminal offences, tougher penalties and a mandatory reporting regime as part of a new and comprehensive Ransomware Action Plan.

Minister for Home Affairs Karen Andrews said individuals, businesses, and critical infrastructure across Australia will be better protected as a result of the new Plan.

“Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country,” Minister Andrews said.

“Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses.

“That’s why the Morrison Government is taking action to disrupt, pursue and prosecute cybercriminals. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances.”

Under the Ransomware Action Plan the Government will:

    • Introduce a new stand-alone aggravated offence for all forms of cyber extortion to ensure that cyber criminals who use ransomware face increased maximum penalties, giving law enforcement a stronger basis for investigations and prosecution of ransomware criminals;
    • Introduce a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure. This will ensure cybercriminals targeting critical infrastructure face increased penalties, recognising the significant impact on assets that deliver essential services to Australians;
    • Criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties;
    • Criminalise the buying or selling of malware for the purposes of undertaking computer crimes; and
    • Modernise legislation to ensure that cybercriminals won’t be able to realise and benefit from their ill-gotten gains, and law enforcement can better track and seize or freeze cybercriminals’ financial transactions in cryptocurrency.

The Government will also develop a mandatory ransomware incident reporting regime to enhance our understanding of the threat and enable better support to victims of ransomware attacks. It will be designed to benefit, not burden small businesses, with businesses with a turnover over $10 million per annum expected to be subject to the regime.

The Plan also makes clear that the Australian Government does not condone ransom payments to cyber criminals. There is no guarantee hackers will restore information, stop their attacks, and not leak or sell stolen data. Those impacted by ransomware attacks should visit cyber.gov.au for advice.

Today’s Plan follows the establishment of a new Australian Federal Police-led multi-agency operation which targets ransomware attacks that are linked directly to sophisticated organised crime groups operating in Australia and overseas, and shares intelligence directly with the Australian Cyber Security Centre as they utilise their disruptive capabilities offshore.

“The release of the Ransomware Action Plan is the latest in a long list of developments that have been rolled out since the Government’s $1.67 billion Cyber Security Strategy commenced in August last year. It builds on the Morrison Government’s strong track record fighting cybercrime,” Minister Andrews concluded.

The Ransomware Action Plan is available on the Department of Home Affairs website.

The Government will now consult further with the community, industry and interested stakeholders on the mandatory reporting regime and new criminal offences.

The Minister was on the media offensive, doing interviews like the 4BC breakfast interview which provides:

Topics: Release of Australia’s Ransomware Action Plan; cyber security; climate change and emissions reduction.

NEIL BREEN: Every Wednesday I speak to Home Affairs Minister, MP for McPherson on the Gold Coast, Cabinet Minister Karen Andrews. She joins me on the line. Good morning, Minister.

KAREN ANDREWS: Good morning, Neil. How are you?

NEIL BREEN: I’m very well, thanks. So we’re going to have a ransomware action plan announced today. Tell us all about it?

KAREN ANDREWS: Absolutely; our Federal Government Ransomware Action Plan is being released today. Effectively the plan is about protecting Australians, their digital information and – of course – our economic recovery. I think everyone’s really well aware that cyber is a significant issue for us both individually and for businesses. A key part of that is ransomware, where basically cyber criminals hack into your system, they steal your information, and then they charge a ransom that they ask you to pay to get that information back.

So this Ransomware Action Plan is all about the action that the Federal Government is going to take; introducing some new offences to deal with the cyber crims out there – particularly with cyber extortion – and to make sure there is an offence for the buying or selling of malware; and I think many people are familiar with malware – that’s been around for quite some time.

This is about making sure the Morrison Government is supporting Australians – to keep them as safe as we can online; to give them the tools they need to be able to deal with some of these attacks; that starts with reporting these attacks to the Australian Cyber Security Centre at cyber.gov.au. And for those crims out there: we’re going to introduce some new criminal offences to make sure we do our best to take them down.

NEIL BREEN: So when we’re talking ransomware attacks, we see the big ones. We know that Channel Nine – the company I work for – was subject to attack earlier this year which affected a lot of their systems. We’ve seen some big ones in the United States; and in the United States a couple of those major businesses actually paid the ransoms. That’s something I always worry about, you know – it just encourages others, Karen Andrews.

KAREN ANDREWS: It certainly does and that’s why in the Ransomware Action Plan we’ve made it very clear that we don’t condone payment of any ransom at all. It does just make you more liable to a further attack and it doesn’t mean you’re going to get back the information that’s been stolen either. So we need people to be reporting it to the ACSC – which is the Australian Cyber Security Centre – so we can get the data and we can provide information to help people deal with this. The stats are absolutely appalling; just over the last year in particular there’s been about a 15 per cent increase in the number of ransomware-related cybercrimes we have seen reported – and we know there is significant underreporting because people don’t always put their hand up and say, “My system has been attacked.” They’re concerned about their data being released publicly, so they tend to hide it. We want people to put their hands up and say, “No, actually, I have been the victim of a ransomware attack,” and get the support they need to be able to deal with the implications and the outcomes of that. It’s a serious issue because globally the estimate is that there’s a ransomware attack on a business every 11 seconds – that’s an extraordinary amount and it’s big money now for the cyber crims, and Australia is certainly taking action to combat that.

NEIL BREEN: When we talk about those ransoms, it obviously deals with big business. But the general member of the public also… I know the message is getting through, but people still fall for it. You’ve got to watch out for your own accounts as well. Like – while you were talking Karen Andrews – I called up my Hotmail account that I’ve had for many years and if I go into the junk folder… ‘ABC Bit Coin’ is just trying to give me hundreds of thousands of dollars. IGA – for no reason – wants to give me $500, Netflix want to give me $90, Aldi want to give me $300 US; you know what I mean? Woolworths, they just want to give me cash. It’s amazing how many people want to give me money through my Hotmail account!

KAREN ANDREWS: Yeah, absolutely, and I guess the reaction has to be ‘if it’s too good to be true, it really is’.

NEIL BREEN: It is. It’s a con. I’ve also got a lot of packages just waiting for me to confirm the shipment. I don’t know how many people get these emails. I haven’t ordered anything.

KAREN ANDREWS: Absolutely, and we get it not just through emails but get it messaged to phones and it can look really legitimate. So it is easy for people to be drawn into that. But I would encourage people to exercise a great deal of caution and just because you receive an email or a text message it doesn’t mean it’s legitimate. In fact, it’s generally not. So approach them with a great deal of suspicion, a great deal of caution.

NEIL BREEN: Yeah, absolutely. Okay. So the situation we have at the moment nationally is the zero emissions strategy. It’s a big debate and we know that the Liberal Party and the Nationals in the Coalition have got to find some common ground. Where do you think we’re at with it at the moment, Karen Andrews? You’re in Cabinet. I know you can’t tell us what happens in Cabinet, but are the discussions willing or are they amicable?

KAREN ANDREWS: Look, all discussions generally are amicable. There’s obviously different views, and I respect the different views of people not just around the Cabinet table but right across Australia. But – in fact – Australia has a very good story to tell about the work that we have already done with emissions. Our emissions are at their lowest levels since records began back in 1990. Now that message doesn’t often get out very much. We also have the highest uptake of rooftop solar here, and that’s particularly so in Queensland. So people are actually doing their bit. I think the stat is around about one in four people or homes actually have rooftop solar. We’re building wind and solar around three times faster than the likes of Europe and the USA on a per person basis. So these are all fantastic things that Australia is doing. I think it’s back to 2005, Australia’s reduced our emissions at a much faster rate than the likes of Canada, Japan, New Zealand, and the US. These are all great things that Australia is doing. So we actually are getting on individually and collectively through the Government to make sure that we are doing our bit to keep emissions low. What you’ll see over the coming days and weeks is some further discussions nationally about what the agenda should be for continuing to reduce our emissions. Angus Taylor – as the Minister responsible – previously put out a technology investment road map. It canvassed a whole range of options, which included the likes of hydrogen, which is very topical at the moment particularly here in Queensland. All of those things have been tested with the people across Australia; with industry. Industry is absolutely on board to do all that it can to reduce emissions. So I think now is the time for us to make sure that we are looking-

NEIL BREEN: But it’s about the Nationals, though, isn’t it? It’s about getting the Nationals on board, and they can use this as a wedge issue as you approach an election.

KAREN ANDREWS: Well the Nationals have a lot of regional electorates that they represent, as do the Liberals quite frankly. So it’s both the Liberal and the National parties that represent rural and regional Australia. And, yes we will be very conscious of the impact on those regional communities. I mean, no-one is going to be ignored in the plans that we will be taking forward. I understand the concerns of the Nationals, and the Nationals understand the concerns of the Liberals and other parts of urban Australia, too. So I think there’s an opportunity for us to all work together in the best interests of all Australians.

NEIL BREEN: Okay, Karen Andrews. Well, he was on 7.30 last night – Barnaby Joyce – I’ll say it was an interesting appearance and I’ll leave it at that. I shouldn’t laugh. Hey, Karen Andrews, thanks so much for joining us this morning. The Home Affairs Minister, we’ll talk to you next week. Have a great day.

KAREN ANDREWS: You, too. Take care.

The plan is very strong on foreshadowing new crimes but quite weak on requiring businesses and agencies to lift their game in having proper cyber security practices. Ransomware is not magic. It needs an entrance into a victim’s system. It doesn’t just appear. It is all very well to mandate reporting of ransomware attacks, but whether that happens in practice is another matter.

The coverage has been heavily focused on mandating reports of ransomware attacks with the Sydney Morning Herald
