Monday, 21 June 2021
Ransomware Payments Bill 2021; Second Reading
That this bill be now read a second time.
The Morrison government never misses an opportunity for a dramatic press conference on cybersecurity, but it has gone missing when called on to act on the biggest cyberthreat facing Australian organisations—ransomware.
With this bill, Labor is showing the political leadership on cybersecurity policy that has been missing since the election of this Prime Minister.
This bill will require Australian organisations to inform the Australian Cyber Security Centre before they make a payment to a criminal organisation in response to a ransomware attack.
Such a scheme would be a policy foundation for a coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy and offensive cyberoperations.
There is an urgent need for this bill.
The Australian Cyber Security Centre has labelled ransomware the 'highest cyber threat' facing Australian businesses.
Indeed, it's more than just a threat to business; ransomware is a significant national security threat in its own right.
Former head of MI6 Alex Younger recently wrote in the Financial Times that: 'We have to recognise that (ransomware) is not merely a criminal problem but a national security and geopolitical one, too.'
Consistent with this, FBI director Christopher Wray has compared the national security threat of ransomware to 9/11 and said it will treat ransomware payment investigations with the same priority level as terrorism.
This national security threat is escalating at a dramatic pace.
Recent figures reveal a 200 per cent increase in reported ransomware attacks on Australian organisations.
In the last 18 months we have seen Australian organisations menaced in an onslaught of ransomware attacks, including prominent incidents affecting:
Talking to the incident responders combating this tidal wave of attacks, it's clear to me that for every ransomware incident you read about in the papers there are a dozen happening outside public view.
These attacks are an intolerable burden on Australian organisations.
Ransom payments—like the $11 million ransom payment recently made in response to the JBS meats attack and which Chainalysis, a cryptocurrency analysis firm, has observed topped $350 million last year—are just the tip of the iceberg of the costs of these attacks.
As ransomware groups have become better resourced and more sophisticated, the estimated average IT system downtime caused by a ransomware attack has increased to between 15 and 20 days—an incredible cost to these organisations.
Security firm Emsisoft has used reports of ransomware attacks in Australia and assumptions on the downtime caused by these attacks to estimate the cumulative cost of ransomware to the nation at around $1 billion annually.
The costs of ransomware are not just felt by the victims of attacks.
All organisations are being forced to spend ever-increasing amounts defending against this escalating threat.
Gartner have estimated that global cybersecurity spending has increased to $150.4 billion in 2021—a 21 per cent increase in the past two years.
Time and resources are expended fighting off Russian cybercriminals instead of on their core business or organisation's mission.
The current trajectory of these attacks, and the traditional response to them—asking organisations to implement an ever-increasing uplift in cyber-resilience—is inefficient and not sustainable.
A hospital shouldn't be forced to use more and more of its scarce resources fighting cybercriminals, it should be using its resources to make sick people better.
The boards and executive teams of our nation should be able to focus on making investments in their core business that create new jobs and increase shareholder returns, rather than constantly ratcheting cybersecurity investments.
Tackling ransomware may begin with organisational security, but that is not the end of the conversation.
Unfortunately, that's the state of the policy response to ransomware under the Morrison government—blaming the victims.
Instead of doing its bit and identifying strategic interventions that government can make to seek to reduce the volume of these attacks, it's played the blame game.
Australia's cyber security strategy 2020 only mentions ransomware twice, once in a third-party quote and once in a list of issues the ACSC can provide advice to businesses on.
The Department of Home Affairs issued an industry advisory report on ransomware in March, but the report consisted solely of advice about how businesses could protect themselves from this threat and included no new government policy initiatives.
Australia's international cyber and critical tech engagement strategy, released in April, only mentions ransomware once, in a list of past public attributions of cyberattacks, and again included no government initiatives to address the threat.
And last week, when releasing statistics showing that the number of ransomware attacks in Australia have increased by 200 per cent, the Morrison government's response was to announce an 'awareness campaign'.
Does anyone seriously think that if outlaw bikie gangs were extorting Australian businesses—extorting Australian hospitals—the extent of the Morrison government's policy response would be an 'awareness campaign' about how organisations can protect themselves from this threat?
Compare this approach with that of the Biden administration.
Before issuing a recent memo on what it expected from business in the fight against ransomware, the Biden administration set out what it is doing as a government to fight the threat:
Under President Biden's leadership, the Federal Government is stepping up to do its part, working with like-minded partners around the world to disrupt and deter ransomware actors. These efforts include disrupting ransomware networks, working with international partners to hold countries that harbor ransomware actors accountable, developing cohesive and consistent policies towards ransom payments and enabling rapid tracing and interdiction of virtual currency proceeds.
Unfortunately, the Australian government can't say to Australian business that it is doing its part in the fight.
In contrast, Labor has been calling for a national ransomware strategy which coordinates government action aimed at reducing the volume of these attacks across policy, regulation, law enforcement, diplomacy and defence capabilities since February.
The ransom payment notification scheme created by this bill is the starting point for such a comprehensive plan to tackle ransomware.
It will require large businesses and government entities that choose to make ransomware payments to notify the ACSC before they make the payment.
This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups.
It will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks.
Importantly, it will give us a fuller picture of ransomware attacks in Australia and the scale of the threat.
Such a notification scheme has been endorsed by the Institute for Security and Technology's International Ransomware Task Force report, and by the former head of the US Cybersecurity and Infrastructure Security Agency, Chris Krebs, who has said that it is 'table stakes' for governments looking to take action on ransomware.
We should be clear at this point.
Ransoms should not be paid.
Paying a ransom does not guarantee you'll be able to quickly bring your systems back online or prevent further disruption—in fact, quite the contrary—and it does not guarantee your data won't be leaked.
What it does do is provide further resources to the criminal organisations mounting these attacks and create an incentive for them to carry out more attacks.
But where organisations feel compelled to make these payments, government should be involved. When arguing that mandatory notification of ransomware payments is the minimum the government should be doing in this space, the former head of MI6 Alex Younger said:
If one accepts that this is a national security problem, then it becomes hard to defend the suggestion that governments should simply leave these decisions to private citizens.
Mandating reporting of ransomware payments is far from a silver bullet for this national security problem, but it is a crucial first step.
I have loved being Labor's shadow assistant minister for cybersecurity. I think it is one of the most complex and consequential areas of policy facing this nation and facing the globe. But it's been lonely talking about these issues in this place at times.
The current Prime Minister's first act on becoming Prime Minister in 2018 was to abolish the dedicated ministerial role for cybersecurity in the Commonwealth government that his predecessor Malcolm Turnbull created in 2016.
For two years, cybersecurity languished at the bottom of the former home affairs minister's to-do list. He never even said the word 'ransomware' in this chamber, as the threat grew by 200 per cent. So I welcomed the decision to give the new Assistant Minister for Defence responsibility for the ACSC when he was appointed towards the end of 2020. Similarly, I have welcomed the fact that the Minister for Home Affairs has said that cybersecurity would be a priority for her when she assumed the portfolio in March.
It is great that they have joined the conversation, but it's now time for action.
While ransomware grew dramatically as a threat to Australian organisations over the past two years, cybersecurity policy was politically leaderless under the Morrison government.
All too often we see the Morrison government refuse to take action until we reach a crisis point. Well, we've reached that crisis point when it comes to ransomware.
When we see attacks on one of our biggest meat producers, it is a crisis. When we see attacks on one of our biggest media organisations, it is a crisis. When we see attacks on multiple health and hospital networks, it's a crisis.
The time to act is now. This bill is the first step towards that action, and I urge the government to support it. I commend the bill to the House.