Australia Considers Mandating Ransom Payment ReportingSponsor of Bill Says Ransomware Attacks Are 'Completely Out of Control'
A bill introduced this week in the Australian Parliament would make it mandatory for organizations based in the country to report to the Australian Cyber Security Center any payments they plan to make to ransomware gangs.
The Ransomware Payments Bill 2021, introduced Monday by the opposition Labor party, is scheduled for debate in the House of Representatives in August.
The government of Prime Minister Scott Morrison should support the legislation to show it's serious about taking action on ransomware, Tim Watts, Australia's shadow assistant minister for cybersecurity who introduced the bill in Parliament, tells Information Security Media Group.
Ransomware, he says, is "completely out of control." In Australia, recent victims include Sydney-based TV network Nine Network and several healthcare organizations, including Queensland Hospital, the Eastern Health Hospital Network and PRP Diagnostics.
"The [annual] cost of ransomware to the Australian economy is in the order of $1 billion, according to security firm Emsisoft," Watts notes. "Recent figures show a 200% increase in reported ransomware attacks on Australian organizations. This is an unsustainable trajectory."
As ransomware attacks have become more sophisticated, the estimated average IT system downtime caused by attacks has increased to 15-20 days, Watts says.
A mandatory ransom payment notification requirement, similar to the one being proposed in Australia, has been endorsed by the U.S. Institute for Security and Technology’s International Ransomware Taskforce.
In a speech to Parliament, Watts said: "Under President Joe Biden's leadership, the [U.S.] federal government is stepping up to do its part, working with like-minded partners around the world to disrupt and deter ransomware actors. These efforts include disrupting ransomware networks, working with international partners to hold countries that harbor ransomware actors accountable, developing cohesive and consistent policies toward ransom payments and enabling rapid tracing and interdiction of virtual currency proceeds."
Lawmakers in the U.S. have recently introduced several cybersecurity-related bills (see: Lawmakers Unveil Cybersecurity Legislation).
A U.S. Senate bill, the International Cybercrime Prevention Act, looks to increase the criminal penalties for attackers who target U.S. critical infrastructure, such as power plants and hospitals. Meanwhile, a House bill, the Enhancing K-12 Cybersecurity Act, seeks to provide funding to protect school districts' networks.
The Data Protection Act, meanwhile, seeks to create a federal agency to protect Americans' private data.
A draft of the federal breach notification bill, which is being circulated by several senators, would require government agencies and businesses that support critical infrastructure to report cyber incidents, including ransomware attacks, to the Cybersecurity and Infrastructure Agency within 24 hours (see: Senators Draft a Federal Breach Notification Bill).