Labor has introduced a bill to mandate ransomware payment reporting. Here’s why it’s a good idea
The federal Labor opposition has introduced a bill that would require businesses and government agencies to notify the Australian Cyber Security Centre before paying a ransomware gang.
Shadow Assistant Minister for Cyber Security Tim Watts introduced the private member’s bill in federal parliament this Monday following a spate of high-profile ransomware incidents that have resulted in payments being made.
The official ACSC advice is not to pay a ransom, suggesting that it makes a payee vulnerable to future attacks.
Watts cited more than a dozen attacks in the last 18 months, including recently against meat processor JBS Foods which forked out $14 million earlier this month.
The Ransomware Payments Bill 2021 would create a “ransomware payment notification scheme” that extends to corporations, all federal government entities and state and territory government agencies.
Entities would be required to disclose key details of the attack, including the attacker and their cryptocurrency wallet details, which the ACSC could then share in de-identified form through its threat sharing platform.
“This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups,” Watts said.
“And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks. Importantly, it will give us a fuller picture of ransomware attacks in Australia and the scale of the threat.”
“We should be clear at this point. Ransoms should not be paid. Ever,” Watts said.
“Paying a ransom does not guarantee you’ll be able to quickly bring your systems back online or prevent further disruption, it does not guarantee your data won’t be leaked…what it does do is provide further resources to the criminal organisations mounting these attacks and create an incentive for them to carry out more attacks.
“But where organisations feel compelled to make these payments, government should be involved.”
Watts said the bill, if passed, would act as a “policy foundation for a coordinated government response to the threat of ransomware” and the “starting point for… a comprehensive plan to tackle ransomware”.
Labor’s essential thesis is that “mandating reporting of ransom payments is far from a silver bullet for this national security problem, but it’s an important first step”.
We’re inclined to agree.
Around the globe, organisations continue to pay up after ransomware attacks because they cannot fathom the consequences of not doing so. But what has been missing in this picture is the government support needed to actually give organisations a leg to stand on. Watts rightly noted that the Australian government has – relatively speaking – gone “missing when called on to act on the biggest cyber threat facing Australian organisations”.
This comes at a time when the US government is stepping up, elevating ransomware investigations to a status close to that of terrorism investigations. While this may seem a bit dramatic, it is seen in the US as the only way to counter the increasing threat.
From our work with clients, it is understandable why organisations may not want to “report” what’s happened. Reasons range from embarrassment over reputational concerns to a fear that it may happen again and show a vulnerability to attackers.
Whatever the case, the real reason organisations feel so alone is that there is no real government support or willingness (to date) to help understand and track down perpetrators. These developments may just be the start of a different future in that respect.
Rachel Noble, chief of the Australian Signals Directorate, cited an unnamed company’s refusal to work with the government when responding to a cyber attack earlier this month as evidence of the need for laws that would compel some form of cooperation.
And that is a case in point. Without organisations in both the private and public sector being mandated to give information that can (collectively) help turn the screws on ransomware gangs, no one is going to want to “go it alone” out of sheer corporate citizenship. And that is why a mandatory scheme is the way to turn the tide and work towards a better future.