Australia drops plans to ban ransomware payments in new national cyber strategy

Australia’s government dropped plans to ban businesses from making ransomware payments as part of its revamped national cybersecurity strategy released on Wednesday, opting instead to introduce a mandatory reporting obligation.

The strategy — published almost a year after the idea of criminalizing payments was touted by Clare O’Neil, the minister for home affairs and cybersecurity — follows several large security incidents affecting businesses in the country.

Costed at AU$587 million($382 million) over the next seven years, the new approach is intended to cut the AU$3 billion ($1.9 billion) in annual damages that ransomware is estimated to drain from Australia’s economy.

“We cannot continue as we have. We can’t have a situation where we have data flying around the country, where we have critical infrastructure starting to fail, where we have small business and citizens who are continually telling us they feel vulnerable and unable to cope with the cyberthreats themselves,” O’Neil told journalists in Sydney.

In the 64-page document, the government set out its plans to introduce new mandatory reporting obligations for businesses to disclose when they have been hit by a ransomware attack.

The underreporting of ransomware incidents is “limiting our national understanding of their true impact on the economy,” states the document, which explains that the “mandatory, no-fault, no-liability” obligation to disclose these incidents would improve this.

“Pending design, anonymised reports of ransomware and cyber extortion trends could be shared with industry and the broader community to help us take steps to build our national resilience against cybercrime,” it adds.

Among the highest-profile incidents to have affected Australians was a ransomware attack on Medibank last year, one of the country’s largest health insurance providers.

The attack resulted in sensitive health care claims data for around 480,000 individuals — including information about drug addiction treatments and abortions — being stolen and published online as part of the criminals’ attempt to extort the company.

O’Neil told journalists she would have preferred to ban ransomware payments altogether as a method to undercut the business model supporting the criminal ecosystem, and that the government would again consider whether it could be possible to introduce a prohibition on payments in two years time.

“Every time a ransom is paid, we are feeding the cybercrime problem. Now, we are in a situation in our country where it is clearly not the right time at this moment to ban ransoms, and that’s because we haven’t done the hard work,” she said, as reported by the Australian Financial Review.

In response to the Medibank attack and others last year, the Australian government announced a new permanent joint standing operation between the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) — the country’s cyber and signals intelligence agency — to tackle cybercrime.

This operation has been named Operation Aquila in the strategy document, which explains that the agencies will “use offensive cyber capability as a criminal investigation tool towards prosecution or disruption.”

Alongside Operation Aquila, the Australian government announced it was continuing to invest in Project REDSPICE — an AUS $10 billion ($6.5 billion) funding increase for the country’s cyber intelligence agency.

This boost in funding is intended “to build world-class, innovative offensive cyber capabilities that can deliver real world impact to deter, disrupt, degrade and deny cybercrime” and “triple Australia’s offensive cyber capabilities.”

The strategy said the details of these capabilities would remain classified.

Australia’s government has pledged, alongside dozens of other nations, to not pay ransoms when its own networks are attacked.