Australia's new ransomware plan to create ransomware offences and reporting regime

Under Australia's new Ransomware Action Plan, organisations that suffer from a ransomware attack will be required to report the incident to government.

The Australian government has announced a new set of standalone criminal offences for people who use ransomware under what it has labelled its Ransomware Action Plan.

Under the new plan [PDF], people who use ransomware to conduct cyber extortion will be slapped with new stand-alone aggravated criminal charges.

A new criminal offence has also been created for people who target critical infrastructure with ransomware.

Two further acts are also now criminalised: dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, and buying or selling malware for the purpose of undertaking computer crimes.

"The Ransomware Action Plan takes a decisive stance -- the Australian Government does not condone ransom payments being made to cybercriminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk," Minister for Home Affairs Karen Andrews said.

Alongside the new criminal offences, the plan will also roll out a new mandatory ransomware incident reporting regime, which would require organisations with a turnover of over $10 million per year to formally notify government if they experience a cyber attack.

The new plan will also see government work to introduce additional legislative reforms that potentially allow law enforcement to track, seize or freeze ransomware gangs' proceeds of crime. 

All of the new measures will be developed through a new tranche of legislation rather than through the Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently being considered by Parliament. 

This is in spite of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 already containing provisions that seek to create mandatory reporting requirements for organisations that suffer a cyber attack and provide more powers for government to undertake action against cyber attacks.

While the plan itself says some of the new measures will be regulated through the Security Legislation Amendment (Critical Infrastructure) Bill 2020, a federal government representative clarified that the Bill would just be providing clarity surrounding the definitions of critical infrastructure.

The government representative also said the new tranche of legislation would be primarily focused on introducing new offences to allow law enforcement to charge cybercriminals on ransomware grounds, while the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is focused on providing government more powers to intervene during cyber attacks.

That Bill received the tick of approval from a parliamentary joint committee two weeks ago, with the committee saying at the time there was compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure were increasing.

"Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure," committee chair Senator James Paterson said at the time.

The Bill was originally meant to be broader in scope, but the committee advised that other "less urgent" aspects of the Bill should be introduced under a second, separate Bill following further consultation.

Under the government's new ransomware plan, a multi-agency taskforce led by the Australian Federal Police, called Operation Orcus, has also been created. Established in July, the taskforce has been touted by the government as the country's "strongest response to the surging ransomware threat".

According to Andrews, these new measures all fall within one of the plan's three objectives, which are to build Australia's resilience to ransomware attacks; strengthen responses to ransomware attacks; and disrupt and deter cybercriminals through tougher laws. To achieve these three objectives, Andrews said the federal government would work closely with state and territory governments and industry stakeholders.

The new plan builds on Australia's overarching 2020 Cyber Security Strategy, which aims to impose cyber standards on operators of critical infrastructure and systems of national significance and create powers that allow the federal government to get on the offensive and actively defend networks and critical infrastructure.

Updated at 2:30pm AEST, 13 October 2021: Updated article to reflect clarifications from the federal government about how the ransomware plan's new measures would be legislated. 
