Held to ransom? To pay or not to pay?
The threat of cyber and ransomware attacks to Australian infrastructure and the economy is a top Government priority driving regulatory reform.
To pay or not to pay a ransom?
The current advice from the Australian Cyber Security Centre (ACSC) is that a ransom should never be paid because payment provides no guarantee that access to a victim's systems/data will be restored and payment may invite further attacks. The ACSC guidance provides that victims should report the incident and "seek professional help".
The ACSC advice is sound for the reasons given and to protect victims from potentially inadvertently breaking the law by making payment into sanctioned jurisdictions or to sanctioned individuals, to terrorist organisations or to money launderers.1
However, in practice, the advice may provide little assistance to ransomware victims unable to operate while incurring massive costs. The temptation and pressure to pay may be enormous where payment offers a quick way to stop an attack and restore operations. In certain cases, paying a ransom may cost less than recovery by other means – this temptation to pay arguably supports the business case for most ransomware attacks.
The risks to critical infrastructure and the economy posed by cyber criminals are so significant that the government appears to be moving from the current position discouraging payment of ransom toward one based on assisting victims, intelligence gathering and actively targeting cyber criminals.
Home Affairs Secretary, Mike Pezzullo has recently been quoted as saying "most advanced economies, including Australia, were reaching a point where a mandatory reporting regime, combined with active defence going after cybercriminals, was needed" (link).
The Shadow Minister for Cyber Security, Tim Watts, has been quoted as saying that because most ransomware attacks are based on financial gain featuring payment via crypto currency, a payment reporting framework "would allow authorities to collect information about the digital wallets that ransoms are being paid into and the infrastructure behind the criminal groups targeting Australian businesses" (link).
The Australian government is not the only jurisdiction considering its policy posture toward ransomware payment in light of the reality that for most victims payment is the best and sometimes only practical option. The US and global perspective on this issue was thoroughly considered in the recent LAW360 article, Gov't Authorities Should Assist Ransomware Targets, by Clifford Chance's Daniel Silver, Celeste Koeleveld and Brian Yin.
For more information on other regulatory reforms linked to ransomware attacks see blog post titled "Australian business held to ransom" (link).
Australia considering mandatory reporting of ransom payments to cyber criminals
An Australian ransomware attack reporting regime is being considered as an extension of Australia's Cyber Security Strategy 2020 released 6 August 2020 which foreshadowed amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCA).
Government legislation before the Parliament
The Government already has a cyber security related critical infrastructure bill before the Parliament which precedes the above developments. However, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the SOCI Bill) (which amends SOCA) seeks to impose additional broad cyber security obligations on operators of 'critical infrastructure' and gives the Australian Signals Directorate powers to intervene in response to or in anticipation of cyber-attacks. The SOCI Bill includes amendments to introduce positive security obligations for critical infrastructure assets including:
- a risk management program based on and delivered through sector-specific requirements;
- mandatory cyber incident reporting;
- enhanced cyber-security obligations for significant national assets; and
- government assistance in responding to significant cyber-attacks for relevant entities for critical infrastructure assets (the SOCI Bill, para 20).2
While providing no specifics in relation to ransomware payments, the broad agency powers and reporting obligations proposed in the SOCI Bill suggest there is scope to extend the framework to accommodate reporting of such payments and provide mechanisms for relevant agencies to assist victims who pay.
Federal opposition reintroduces mandatory ransomware reporting bill
In August 2021, the Federal Opposition reintroduced the Ransomware Payments Bill 2021 (Bill) into the Senate accusing the Government of dragging their feet on cyber security which they describe as a top priority (link to 12 August article).
The Bill was first introduced on 21 June 2021, by Tim Watts, Shadow Assistant Minister for Cyber Security, proposing mandatory notification of ransomware payments by most entities (link to 21 June article).
The explanatory memorandum to the Bill (link) sets out that the reported information will:
- inform the private sector through the ACSC threat-sharing platform;
- assist law enforcement; and
- inform policymaking and track the policy effectiveness.
The Bill proposes a regime where businesses would be expected to "disclose key details of the attack, including the attacker and their cryptocurrency wallet details, which the ACSC could then share with other entities in de-identified form" (link). (For more information see the Second Reading Speech (link)).
However, without bipartisan support, the Bill is unlikely to pass but it does demonstrate that this is an important issue the Government will have to monitor closely.
Until there is reform in this area, the question of whether to pay or not to pay will continue to weigh heavy on ransomware victims when they are at their most vulnerable.
1. See Suppression of the Financing Terrorism Act 2002 (Cth); Criminal Code Act 1995 (Cth), Pt. 5.3; Proceeds of Crime Act 2002 (Cth); Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and Autonomous Sanctions Act 2011 (Cth) and Autonomous Sanctions Regulations 2011 (Cth)
2. Explanatory Memorandum Security Legislation Amendment (Critical Infrastructure) Bill 2020, paragraph 6.