Squeezing a balloon: How Australia's new ransomware laws will affect businesses
The Australian Government is beginning to legislate its ‘Ransomware Action Plan’ announced last October. Rates of cyber extortion and ransomware have risen exponentially in Australia and government action is welcome – even overdue. But what does the Plan mean for Australian businesses and will it materially improve our country’s cyber threat landscape?
In launching the Ransomware Action Plan in October, the Home Affairs Minister promised a “zero tolerance” approach to ransomware. The Plan discusses multiple lines of policy effort, but two parts are key:
- More police action to pursue and prosecute ransomware operators
- Intelligence collection and sharing on ransomware attacks, facilitated by a new mandatory reporting scheme for large and medium businesses.
This post looks at how these measures are likely to impact businesses, including their risk of suffering a ransomware attack.
More law enforcement activity
In February, the government introduced a bill to boost police power to pursue and prosecute ransomware operators. Likely to pass Parliament before the election, the bill:
- Creates new criminal offences for cyber extortion (including dealing with stolen data)
- Extends Australian Federal Police (AFP) authority to investigate offshore cyber crime
- Bolsters police power to track, freeze and seize cryptocurrency that’s the proceeds of cyber crime.
This comes on top of the AFP’s decision last year to create a Cyber Command, putting cyber crime on a similar footing to priorities like organised crime and counterterrorism.
Will it work?
With these measures, Australia has joined the US and countries across Europe in signalling a crackdown against offshore cyber criminals. Signalling is a good first step but is unlikely to meaningfully reduce the risk of ransomware to Australian businesses in the short term.
Last year, global law enforcement agencies made several highly publicised arrests of criminals involved in ransomware. The FBI also notably recovered 63.7 Bitcoins (around $2.96 million) in ransom paid by US oil pipeline giant Colonial Pipeline.
But these law enforcement wins have not (yet) materially affected the ransomware threat. Cyber criminals continue to see extortion as a lucrative enterprise. Already this year, CyberCX has seen several new groups emerge and target Australian businesses. If established gangs feel the heat, they often ‘phoenix’ by temporarily laying low and rebranding. The digital nature of their operations makes this a cheap and easy option: IT infrastructure and services are made to be deployed rapidly and temporarily.
What else is needed?
Australian law enforcement should continue to work with international partners to pursue and prosecute cyber criminals. But what Australians need today is an AFP that proactively disrupts cyber criminal operations before they can cause harm. Last year’s Surveillance Legislation Amendment (Identify and Disrupt) Act enhanced the AFP’s authority to police cyberspace. The AFP now needs the resources and capabilities to step up its use of low-sophistication but high-impact tools to disrupt cyber criminals at scale and protect Australians.
A new mandatory reporting scheme
The government is working on a new mandatory reporting scheme for ransomware victims. The scheme is expected to require businesses with turnover above $10 million per year to:
- Report a ransomware attack within hours or several days (depending on how severe it is)
- Make a ‘follow-up’ report several weeks later with information like indicators of compromise and whether they paid a ransom (and how much).
Will it work?
Underreporting of cyber crime is a problem. Last financial year, the Australian Cyber Security Centre (ACSC) received over 500 ransomware reports, but the true number of attacks is almost certainly higher. Australian businesses also desperately need threat intelligence when preparing for – and responding to – cyber extortion incidents. As drafted, the scheme will help chip away at both of these problems, but will fall far short of solving them.
Firstly, the $10 million threshold will exclude over 98% of Australian businesses, as well as the non-profit and public sectors. Ransomware attacks will continue to go unreported and unseen. Indeed, attacks against large corporations are the ones we already hear about most – the impact is generally hard to hide, and they have other reporting obligations.
Additionally, cyber criminals are increasingly using supply chain and software platform attacks. These cause harm across Australia’s economy but may well only affect smaller businesses. In 2021, dozens of Australian businesses were downstream victims of extortion attacks against two American software companies: Accellion and Kaseya.
Secondly, the success of this scheme will hinge on whether ACSC can materially uplift its processes, resources and culture around information-sharing with industry. Right now, the process is beset by gaps and time-lags. In part, this reflects an inherent tension between the agency’s mandate to collect intelligence for broader national security objectives and the need to use intelligence to benefit industry.
The time gap proposed between reporting an incident and then reporting indicators of compromise will also be a challenge, since it’s relatively easy for criminals to vary these between attacks to cover their tracks. Real time intelligence-sharing would be more procedurally difficult but would lead to better outcomes for victims.
What else is needed?
A broader reporting obligation (plus support for small and medium organisations to offset the regulatory impact) would be better. The ACSC needs to continue to build the capacity to curate and share information with industry in a timely and actionable way.
Squeezing a balloon?
There’s one final challenge facing any government’s response to the cyber extortion threat. Cyber criminals are highly adaptive. Shifts in technology, organisations’ cyber resilience and governments’ responses trigger changes in what criminals target and how they operate.
CyberCX is already monitoring trends that may outstrip the measures discussed in this post.
Firstly, the dominant approach of ransomware operators today is one of ‘big game hunting’. They target large organisations because they perceive that they are more likely to pay. But this strategy could change. Indeed, there’s a real chance that law enforcement responses globally will cause cyber criminals to shift to smaller entities to attract less attention. In turn, this would make the $10 million reporting threshold even less fit for purpose.
Secondly, ransomware is only one type of cyber extortion. In early 2021, CyberCX assisted multiple local victims of the Accellion attack. The group responsible, Cl0p, started out as a ransomware gang, but in this case they instead stole and threatened to expose victims’ sensitive information. Many ransomware groups are now following Cl0p’s lead. Data theft extortion may even soon become the dominant strategy for cyber extortionists.
We are also actively tracking emerging forms of cyber extortion. Some groups use ransom DDoS attacks (although in CyberCX’s experience these tend to be less effective), while others steal personal information and then extort the individuals it affects.
Ultimately, when you squeeze air in a balloon, without enough pressure to pop it, the air just moves around. Beating ransomware – and the broader cyber extortion threat – will require concerted pressure from the government, industry and the international community. Otherwise, the cyber extortion threat might evolve, but it won’t go away.
Katherine Mansted is Director, Cyber Intelligence and Public Policy.
Chris Horlyck is Director, Digital Forensics and Incident Response.