The Albanese government is facing calls to steer Australia’s Quad partners towards a ransomware policy that clearly discourages payments but also introduces new reporting obligations for businesses that do pay under exceptional circumstances.
Ahead of the Quad Leaders meeting in Sydney later this month, the government is also being urged to push for the harmonisation of other cyber incident reporting requirements across Australia, India, Japan and the United States.
The recommendations are contained in a new research report from the Australian National University’s Tech Policy Design Centre, to be released on Friday. It is produced with insight from 44 executives from industry, government and academia.
A clear policy position against the payment of ransoms, without introducing a blanket ban, topped the list of recommendations for the Quad, followed by a scheme that would require entities that do pay a ransom to notify the authorities within 24 hours.
The report identified little to no support for a fully-fledged ban or the criminalisation of payments, with survey respondents supporting a “nuanced case-by-case assessment” of each ransomware attack that takes into account the risk to life and the prospect of civil unrest.
A total ban on ransomware payments, which the Insurance Council of Australia also warned against last month, would also “drive payments further underground, deter incident reporting, and decrease the visibility of the true extent and impact of the crime”, the report said.
Disclosing payments if and when they occur, meanwhile, would surface information about those payments, including how much was paid and to whom, that will “enhance mitigations, inform law enforcement activities, and allow for better assessment of the effectiveness of policy changes”.
ANU Tech Policy Design Centre director Professor Johanna Weaver, who authored the report, said the “recent spate of high-profile cyber incidents on Optus, Medibank, and Latitude Financial catapulted ransomware into the headlines and the public conscience of Australia”.
“Demand for the government to act to combat ransomware has never been stronger. Our report responds to that demand with specific actionable recommendations to government,” Professor Weaver said.
In opposition, Labor twice introduced a private member’s bill to create a mandatory ransomware notification scheme that would require businesses and government agencies to notify the Australian Cyber Security Centre before paying a ransomware group.
The former Coalition government, however, failed to bring the bill on for debate, opting instead to release a Ransomware Action Plan of its own that foreshadowed a similar mandatory reporting scheme for businesses with a turnover of $10 million or more that suffer an attack.
But no bill to introduce such a scheme was introduced before Parliament was dissolved ahead of last year’s election, and a bill that would have increased jail terms for hackers who deliberately targeted critical infrastructure assets also ultimately lapsed.
Former Telstra chief Andy Penn, who chairs the board that is advising the government on its refreshed cybersecurity strategy, last year stopped short of recommending legislation to help address the prevalence of ransomware, despite urging the former government to adopt a “clear policy position”.
The committee made the recommendation in its annual update last year after observing that it was not clear to business whether paying ransomware gangs was illegal, or what best practice was for incident reporting.
The Albanese government has indicated it will consider making it illegal to pay the ransom demands of cyber criminals as part of the refreshed cybersecurity strategy, which is expected to be released later this year.
The Tech Policy Design Centre report also contains specific recommendations for Australia to consider as part of its cybersecurity strategy review, which it could take to the 37 like-minded countries that form the global ransomware taskforce that Australia leads.
Actions include the introduction of annual Cyber Security Board Statements for ASX-listed companies, which would operate similarly to the obligations that boards face under the Modern Slavery Act.
The government should also establish a cyber insurance taskforce to “examine means for the cyber-insurance market to incentivise cyber resilience and reduce the impacts of ransomware”, and begin using its Significant Cyber Incidents Sanctions Regime, according to the report.