House debates

Wednesday, 16 June 2021

Bills

Appropriation Bill (No. 1) 2021-2022; Consideration in Detail

4:55 pm

Tim Watts (Gellibrand, Australian Labor Party, Shadow Assistant Minister for Communications and Cyber Security)

On Tuesday of this week the Assistant Minister for Defence released new figures indicating that ransomware reports to the Australian Cyber Security Centre had increased by 200 per cent. In response, he announced an awareness campaign and called on Australian organisations to lift their cyberdefences in the face of increasingly sophisticated and well-resourced Russian ransomware groups.

Defending against ransomware certainly begins with individual organisational IT security, but that is far from the end of the conversation. Labor has been calling on the Morrison government to develop a national ransomware strategy since February to ensure that government is doing all that it can to combat these attacks across its policy, regulation, law enforcement, diplomacy and defence capabilities. The head of the UK's National Cyber Security Centre, Lindy Cameron, echoed this call on Monday of this week, saying that ransomware required 'a whole-of-government response'. Minister, in the wake of an onslaught of ransomware attacks targeting Australian organisations, including JBS Foods, the Nine Network and multiple hospitals, why won't the government develop a national ransomware strategy?

Labor has also said that the foundation of such a national ransomware strategy should be mandatory notification of ransomware payments. This is really the bare minimum that the government should be doing if it is really serious about fighting back against the threat of ransomware. Such a scheme should require businesses to tell the Australian Cyber Security Centre before they make a ransom payment and to provide a standard set of data, including the ransomware crew demanding the payment, the cryptocurrency wallet ID that the ransom is being paid into and any indicators of compromise related to the attack. It would provide valuable actionable intelligence about ransomware crews menacing organisations that law enforcement and policymakers could use to target those crews for disruption through law enforcement and offensive cyberoperations. Mandatory notification has been recommended by the Institute of Security and Technology's international Ransomware Task Force report, by the former head of the US Cybersecurity and Infrastructure Security Agency, Chris Krebs, and by the former head of MI6, Alex Younger. Why won't the government take this basic step of establishing a mandatory reporting scheme for ransomware payments?

Our major allies are treating this issue with the urgency that it deserves, with the US Department of Justice establishing a dedicated ransomware task force. This task force will target the criminal ecosystem around ransomware and coordinate law enforcement action, including sharing of intelligence, coordination with other agencies and international partners, and boosting of collaboration with the private sector. FBI director Christopher Wray compared the threat of ransomware to the threat posed by the 9/11 attacks and said the FBI would treat ransomware with the same priority level as it did terrorism. Despite the ACSC labelling ransomware as 'the highest threat facing Australian businesses', we learnt in Senate estimates that the AFP doesn't even track the number of ransomware incidents in Australia and that there was only one Australian prosecution for ransomware attacks in the last 12 months. Ransomware is effectively a crime with impunity in Australia today. Minister, why won't the Morrison government prioritise this serious threat with the same urgency as the US justice department and the FBI by establishing a dedicated ransomware task force?

The Morrison government needs to use all its available capabilities in fighting ransomware. These criminal ransomware groups are motivated by money and we should be going after them. We can target the points in the financial system where ransomware crews seek to transfer and exchange cryptocurrency into fiat currency to utilise their ill-gotten gains. A report by the international Ransomware Task Force cited research by Chainalysis that found that just a handful of cryptocurrency addresses received the vast bulk of the ransomware payments paid in 2020. The Financial Action Task Force recently proposed a travel rule, which would extend know-your-customer obligations on the senders and receivers of digital currency to digital currency exchange providers. AUSTRAC told us at Senate estimates that these reforms would assist in the fight against ransomware. Minister, why won't the Morrison government give AUSTRAC the tools it needs to track cryptocurrency payments and exchanges made by ransomware groups?

To date, ransomware crews have been able to target Australian organisations with impunity. No wonder we've seen attacks increasing in scale, frequency and ambition. The Assistant Minister for Defence has issued media releases with lots of tough talk on offensive cyberoperations against cybercrime groups, but the government can't give a single example of operations against a ransomware group. In fact, the Australian Signals Directorate confirmed at Senate estimates that it took no offensive cyberoperations against the groups responsible for the ransomware attacks on the Nine Network or for attacks on Australian hospitals. As the former head of the UK NCSC Ciaran Martin has said: 'Unless these statements on offensive operations are followed by specific'—
