INSIGHT

Captive to no one: Australian Government releases its Ransomware Action Plan

By Valeska Bloch, Sophie Peach, Winnie Ma, Emiliana Gallego, Sam Clark
Cybersecurity & Privacy Data Defence Energy Financial Services Infrastructure Risk & Compliance Technology Telecommunications Transport

Combatting ransomware and cyber extortion 7 min read

The Department for Home Affairs has released the Australian Government's Ransomware Action Plan (the Plan).

The Plan signposts legislative reforms to introduce mandatory reporting of cyber extortion and criminal offences to deter malicious actors, signalling the importance of information sharing in the fight against cyber criminals. If passed, these reforms will provide an additional layer to the matrix of organisations' mandatory reporting obligations for cybersecurity threats.

This development forms part of the Government's Cyber Strategy and is the latest in a series of actions taken by the Government to combat the escalating threat of ransomware and cyber extortion attacks. The Plan comes after the Government's announcement in August that it plans to overhaul Australia's sanctions framework, including by legislating for increased sanctions regulation of malicious cyber activity by the end of this year (although a defence is available).

Key takeaways

The Ransomware Action Plan outlines current initiatives already undertaken by the Government to improve cybersecurity generally, as well as upcoming policy, operational and legislative reforms aimed specifically at disrupting and deterring ransomware attacks.

  • Mandatory notification requirements: if proposed legislative reforms are enacted, Australian companies with a turnover of $10 million or more will, for the first time, have an express obligation to notify the Australian Government if they are the subject of ransomware incidents. We expect these proposals to have bipartisan support given Labor proposed similar legislation by private members bill in June this year.
  • Tougher new penalties for non-compliance: under the Plan, law enforcement is set to have greater powers to investigate and seize ransomware payments. The Plan proposes new standalone aggravated offences for all forms of cyber extortion and for cybercriminals seeking to target critical infrastructure. The latter is likely to be passed expeditiously and implemented before the end of the Parliamentary sitting calendar in 2021, as part of the first tranche of reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
  • Alignment between related or parallel reporting regimes: the devil will be in the detail, but we expect some alignment with notification requirements under the SOCI Act. We expect further details to emerge following consultation, including what additional information organisations are expected to provide in the event of an attack and in the days that follow.
  • Industry consultation expected in the coming months: this raft of proposed cybersecurity measures means that in the event of a ransomware incident, organisations will need to consider their response through a matrix of Australian obligations. Accordingly, industry should engage in the consultation process expected over the coming months to minimise duplicative or even inconsistent obligations.
  • New sanctions laws: if a proposed overhaul of Australia's Autonomous Sanctions Act 2011 (Cth) comes to pass, organisations that are the subject of a cyber extortion attack may essentially be prohibited from making payments in connection with the incident if the attacker is a 'designated entity'. However, a defence is available to an organisation if it undertook due diligence and reasonable precautions to avoid contravening a sanctions law. This means that, before making ransom payments, organisations should conduct sanctions risk assessments, screen third parties against sanctions lists and adopt sanctions controls.
  • New criminal offences: law enforcement is set to have greater powers to investigate and seize ransomware payments, and criminals will be subject to new standalone offences for cyber extortion. A standalone aggravated offence for cybercriminals seeking to target critical infrastructure is likely to be passed expeditiously and implemented before the end of the Parliamentary sitting calendar in 2021, as part of the first tranche of reforms to the SOCI Act. See our recent Insights on the Parliamentary Joint Committee on Intelligence and Security's recommendations to split the SOCI Act into two amended Bills.
  • New powers for AFP and ACIC: the enforcement of new and existing criminal offences will also be supported by the information and intelligence gathering powers that were recently introduced by the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (Cth), which allows the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) to obtain three new warrants aimed at investigating, disrupting and prosecuting serious online criminal activity. 
  • Centralised law enforcement operations: the recent establishment of a new multi-agency law enforcement operation led by the Australian Federal Police (Operation Orcus) is dedicated to disrupting cyber extortion. Operation Orcus centralises law enforcement efforts against ransomware attacks by the Australian Cyber Security Centre, the Australian Criminal Intelligence Commission, AUSTRAC, state and territory police as well as industry and other government partners.
  • An international affair: we can expect to see greater international coordination and information sharing among these 30 countries (including Australia) to combat the transnational threat of ransomware activity. On 15 October 2021, 30 countries released a joint statement on countering ransomware, the result of a two-day virtual Counter Ransomware Initiative summit hosted by the US Government.

Actions you should take now

Boards and senior management should be actively thinking about regularly assessing and continually up-lifting cybersecurity response capability. In relation to ransomware attacks and cyber extortion, boards and senior management should:

  • Understand the ransom risks to your organisation and regulatory requirements around notifications in the event of a ransomware incident in each of the jurisdictions in which your organisation operates.
  • Put in place a ransom recovery plan that sets out accountabilities within your organisation for co-ordinating and implementing your response, including service continuity and data restoration. In particular, consider:
  • the extent of board involvement in decision making. If your organisation needs to engage with a threat actor (whether or not it intends to pay), who is responsible for making that decision? Will authority in relation to ransomware decisions sit with the whole board, or will a sub-committee have delegated authority? Where a sub-committee has delegated authority, are there clear parameters in place to ensure issues are appropriately escalated to the whole board for consideration as and when required?
  • how updates will be given to the board. How should the board be notified of, and receive updates in relation to, a ransomware attack or digital extortion? How frequently should updates be provided?
  • Ensure you have a comprehensive training program for all staff who are ultimately responsible for protecting your critical information assets, as well as those who would be involved in the actual response and recovery effort. It is also prudent to ensure regular testing and updating of IT systems and processes is in place to respond to, and recover from, ransomware attacks and/or cyber extortion.
  • Review and access your existing cyber insurance policies to ensure your organisation has coverage for items including external legal advice, incident response and technical forensics, extortion negotiation and payment.
  • Engage legal and cybersecurity experts to assess your organisation's cyber resilience capability and preparedness for a ransomware attack or cyber extortion (eg by running mock incident tests).
  • Get involved in consultation. There will be opportunities to engage with Government regarding the shape of the reforms. Allens can help share your views on how the reforms can be crafted to avoid creating undue compliance friction and risks for your organisation.

Spotlight on the approach in the United States

The US Senate recently approved a bipartisan bill that requires critical infrastructure owners and operators to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and organisations with more than 200 employees to report within 24 hours if they make a ransomware payment. The bill grants CISA the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments.

The proposed bill is closely aligned with the detailed report produced by the US Ransomware Taskforce focussed on deterring ransomware attacks, disrupting the ransomware organisation model, helping organisations prepare and responding to ransomware attacks more effectively (read the report here). 

The table below compares the proposed notification obligations in Australia and the US.

Notification obligations: comparison of proposals

 

Australia

United States

Source of obligation

Security of Critical Infrastructure Bill (2020)

Mandatory Ransomware Reporting Obligations

Cyber Incident Reporting Bipartisan Legislation Bill

Applicable to

Entities responsible for critical assets in the Australian economy

Companies with an annual turnover of $10 million or more

Companies considered to be critical infrastructure vital to the functioning of the US 

Organisations with over 200 employees

Notification trigger*

Cyber Incident (the ransom attack)

Ransomware attack

A covered cyber incident

Payment of ransom

Who needs to be notified

Australian Signals Directorate

Cybersecurity and Infrastructure Security Agency

When must you notify

As soon as practicable:

Within 12 hours if there is a significant impact on the availability of the critical asset

Within 72 hours if the availability, integrity, reliability or confidentiality of the asset is impacted

It is suggested that reporting would be required when the attack happened plus in the days following

Within 72 hours of the cyber incident occurring

Within 24 hours of making payment

Consequences for non compliance

Civil penalties (50 penalty units - $11,000)

TBC - the enforcement arsenal will include civil penalties (although the Government has indicated this would be as a last resort)

Subpoena of information

*The Australian Government has indicated that requiring companies to report an attack, rather than payment, ensures that the ACSC is informed about the hack sooner in order to consider any potential broader national security consequences, and allow targeted entities to receive advice and access resources to deal with the attack sooner.