Australian News Today

Most cyber ransoms are paid in secret, but a new law could change that

Australian businesses are paying untold amounts of ransom to hackers, but the government is hoping to claw back some visibility with a landmark cyber security law.

While major ransomware attacks on companies such as MediSecure, Optus and Latitude have grabbed headlines for breaching the privacy of millions, the practice of quietly paying off cybercriminals has flourished in the dark.

The situation has deteriorated to the point that the government’s original ambition for an outright ban on ransom payments has been nixed, for now, and the focus has shifted to mapping the scale of the problem.

“We have a situation where people are paying criminals money and it is happening in the darkness,” said former minister for cyber security Clare O’Neil, who spoke to the ABC prior to a cabinet reshuffle.

The Cyber Security Act would force Australian businesses and government entities to disclose payments or face fines, and is expected to be brought before parliament in the next sitting.

“We need to bring this out into the light,” she said.

“Government cannot win this war alone. We need a whole-of-nation effort here.”

Clare O’Neil told the ABC the new laws would soon be introduced to parliament. (ABC News: Matt Roberts)

In its 2022/23 Annual Cyber Threat Report, the Australian Cyber Security Centre (ACSC) confirmed it was notified of a cyber incident an average of once every six minutes.

It also said ransomware attacks had increased roughly five-fold since the pandemic.

As worrying as those numbers might seem, they are still only a glimpse of the real problem.

“It is believed that in the Five Eyes countries alone [Australia, Canada, New Zealand, the United Kingdom and the United States] literally billions of dollars in ransoms is being paid, and criminal gangs are reinvesting that money … to attack us again,” Ms O’Neil said.

‘That could be the end’: Small business ready to push back

Business groups say the new disclosure rules, and the proposed $15,000 fines for failures to disclose a payment, could sink some small operators.

They are also pushing back against the decision to include businesses with an annual turnover of more than $3 million, arguing the threshold is too low.

“They might not know that they have this new obligation … and not knowing necessarily what to do will be just another element that could be the end of many small businesses,” said Jennifer Low, the Director of Digital Policy at the Australian Chamber of Commerce and Industry (ACCI).

The ACCI, which represents large and small Australian businesses, supports parts of the bill but argued the disclosure rules should only apply to companies with an annual turnover of more than $10 million.

“Small businesses, because they are so time poor [and] resource poor, they really rely on external help,” Ms Low said.

“We don’t think that a mandatory reporting obligation or any further pressure needs to be put in place.

“They’re already reporting and doing it in quite strong numbers.”

Jennifer Low said elements of the plan were welcome.(ABC News: Aran Hart)

To help tempt more reluctant businesses into transparency, the government is promising that disclosures will not be subjected to “the glare of regulators”.

A crucial measure, called the “Limited Use Provision”, will prevent the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) from sharing the information more widely, except in narrow circumstances.

“This is a no-fault scheme. We’re not blaming businesses … they’re victims of a crime,” Ms O’Neil said.

The ACCI has welcomed those protections, but wants to see more put in place.

“We are still very much concerned that you could identify those businesses, and if the regulatory authorities wanted, they could still go after them and prosecute them,” Ms Low said.