Australian Cybersecurity Act proposals Q3 2024

The Aussie Government is looking towards transparency over ransomware payments and appears to have landed on a mandatory reporting scheme.

source: https://www.abc.net.au/news/2024-07-30/cyber-ransom-payments-new-laws-before-parliament/104113038


  • Businesses earning over $3M per annum would be expected to report any payments to ransomware operators
  • Failure to do so could incur fines of $15000
  • This does not punish businesses for the act of payment

This appears to align with some sections in the 2023-2030 strategic consultation paper (PDF), so it comes with little surprise.

If I had to guess, it is to support the idea of giving businesses incentives to engage with LE in meaningful ways, and to ensure that any “consequence management powers” can be exercised according to the level of threat posed to anything related to the delivery of critical infrastructure.

For example:

Expand crisis response arrangements to ensure they capture secondary consequences from significant incidents. Government will consult with industry on introducing an all-hazards consequence management power that will allow it to direct an entity to take specific actions to manage the consequences of a national significant incident. This is a last-resort power, used where no other powers are available and where it does not interfere with or impede a law enforcement action or regulatory action.

The above would be difficult to pull off if it were considered completely legal and above board to silently pay off a ransomware operator as a private business responsible for privatized critical infrastructure.

This all appears to align with the current Privacy Act and its National Data Breaches Scheme's current threshold related to small businesses. For now, consistency is probably a good thing so that it is not a mess of "do I or don't I" report a breach or a ransomware payment.

That said, the thresholds for cybercrime reporting versus, say, anti-modern-day slavery commitments feel a bit back to front, considering that supply chain / modern slavery commitments begin at AUD$100M per annum (with the AG recommending this be lowered to $50M). Arguably, such supply chain issues have a bigger impact than ransomware currently does, and with the advent of companies that make it somewhat achievable to run a small value-add business on the back of forced labour, they are probably even more accessible to companies generating under AUD$3M in revenue.

To put this into perspective, depending on who you ask, ransomware in 2021 cost us around USD $20 billion. The ILO argues that forced labour cost us an obscene USD $280 billion.

Not to downplay just how much impact cybercrime in total generates, nor the ransomware piece of that puzzle, yet I do feel there is an opportunity for looking at the impact of technology availability in other areas, in the same breath as dealing with ransomware issues.