Thursday, 17 February 2022
Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022; Second Reading
That this bill be now read a second time.
Australians have never been more connected than they are today. Digital connectivity has enabled the sharing of ideas to maximise innovation and offered businesses opportunities to grow on a global scale. Throughout the pandemic, these digital and cyber enabled systems have been critical to keeping our country running, delivering many of our daily essential services, from health care to our children's education, and allowing many of us to continue in our jobs working from home.
The promise of this technologically driven connectivity is one of increased productivity and prosperity for all.
But this promise is threatened by a rapidly evolving strategic environment, punctuated by increasing cybercrime. Cybercrime—and ransomware in particular—threatens all Australian businesses and individuals that seek to benefit from our modern digital economy.
Industry and the Australian government are fighting a daily battle against sophisticated and persistent ransomware gangs. Ransomware costs victims time and money, interrupts the operations of businesses and—in the worst cases—threatens the lives and livelihoods of Australians.
Ransomware gangs use malware to hack their victims' computers or devices, and encrypt electronic folders and files to render their systems inaccessible. Once files are encrypted, criminals demand a ransom from the system owner in return for decryption keys. Ransom payments are often made in the form of hard-to-trace cryptocurrencies. If a victim refuses to pay the demanded ransom, they may find their sensitive data destroyed, sold or released online.
Australia's wealth, high levels of online connectivity and increasing reliance on digital services make it an attractive target for ransomware gangs.
The rise in ransomware-as-a-service, or use of ransomware on commission, represents the increasing commercialisation and sophistication of the ransomware business model. As new entrants to the criminal marketplace gain access to ransomware, the threat to Australia will only grow.
Ransomware Action Plan
On 13 October 2021, the government released the Ransomware Action Plan, which sets out Australia's policy, operational, and legislative response to ransomware.
The Ransomware Action Plan's criminal law reform package seeks to ensure that law enforcement is better able to pursue and prosecute ransomware gangs targeting Australians and Australian businesses. This complements the action plan's ransomware reporting obligation for business and the Australian Federal Police led, multiagency Operation Orcus, which seeks to disrupt ransomware gangs.
Today, the government introduces the Crimes Legislation Amendment (Ransomware Action Plan) Bill as a critical step to deter ransomware gangs, enable a more effective law enforcement response, and halt the flow of cryptocurrencies that reflect the ransomware business model.
Outline of measures in the bill
Criminal Code Act 1995 reforms
This bill modernises Australia's computer offences to ensure ransomware gangs face criminal liability for each aspect of their business model and increases penalties for their egregious conduct.
Firstly, the bill extends the jurisdictional limits applicable to these offences. This will provide the Australian government clear legal authority to investigate and prosecute cybercriminals targeting Australians and Australian businesses regardless of their location.
The bill introduces a standalone offence to target the central component of ransomware—the act of cyberextortion. Extortion is not a new concept to criminals; however, cyberextortion is rising in prevalence because it is financially effective and perpetuated by readily available ransomware. Successful cyberextortion has significant impacts on victims, including financial, reputational and psychological damage.
The bill will also introduce an aggravated offence for cybercriminals seeking to target Australian critical infrastructure. The government recently passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 to recognise the catastrophic risks associated with disruption to critical infrastructure. Disruption to critical systems caused by a cyberattack could cause widespread damage to our businesses, national security, and community. To complement these reforms, this offence will target those who deliberately launch a cyberattack against Australia's critical infrastructure assets and carry a maximum penalty of 25 years imprisonment.
The bill will introduce a standalone offence for dealing with data stolen through ransomware, cyberextortion or other cybercrime—further protecting individuals and businesses whose data and commercially sensitive information is often targeted and exploited by cybercriminals.
The bill will introduce an aggravated offence for buyers and sellers of ransomware to ensure that those profiting from the development and sale of ransomware, including ransomware-as-a-service, are deterred from contributing to the threat and endangerment of Australians.
Finally, the bill increases maximum penalties for a number of other computer offences in recognition of the increasingly disruptive impact of cybercrime on our digitally-enabled society.
Proceeds of Crime Act 2002 and Crimes Act 1914 reforms
Successful ransomware attacks almost exclusively rely on digital currency as a payment mechanism. Digital currency provides opportunities to move funds in ways that challenge law enforcement detection and disruption. The scale and speed with which digital currencies are adopted necessitates the continual review of our proceeds of crime legislation. We need to ensure that law enforcement agencies have the capabilities to identify where digital currency is used in criminal offending and to freeze or seize that digital currency to prevent its dissipation and reinvestment in criminal activities.
The bill will also ensure that law enforcement agencies can seize digital assets (including cryptocurrency) where it is discovered during the execution of a warrant (and suspected to be proceeds of crime). This measure reflects changes in the way criminals are using cryptocurrency as part of their criminal activities. As criminals change the way they do things, it is vital that our law enforcement agencies are able to continue to effectively detect, disrupt and deter activities harmful to Australians.
This bill demonstrates the government's commitment to deterring and disrupting cybercriminals who target Australians and use ransomware to lock their systems and extort them for financial gain.
Supported by a broad suite of legislative, policy and operational reforms, this bill helps make Australia a harder target for ransomware gangs. By protecting Australians and Australian businesses from cyberthreats, the government is safeguarding the nation's connectivity and promise of our digital future.
I commend this bill to the House.