Senate debates

Thursday, 12 August 2021

Bills

Ransomware Payments Bill 2021; Second Reading

11:37 am

Anne Urquhart (Tasmania, Australian Labor Party)

I move:

That this bill be now read a second time.

I seek leave to table an explanatory memorandum relating to the bill.

Leave granted.

I table an explanatory memorandum and I seek leave to have the second reading speech incorporated in Hansard.

Leave granted.

The speech read as follows—

Labor is introducing the Ransomware Payments Bill 2021 because we listen to the advice of national security experts, we want to protect Australian businesses from cyber threats and because, quite simply, the Liberal National Coalition has failed to do its job.

Ransomware is malicious software used to deny access to IT systems by rendering computers and their files unusable until a ransom is paid, and is often accompanied by a threat to release sensitive and private data.

According to the Ransomware Taskforce – a collaboration between government, law enforcement, industry and specialists, and including US, UK and Canadian cyber security agencies:

Ransomware is a prevalent and destructive type of cybercrime, with increasingly dangerous physical consequences. Hospitals, school districts, city governments, public infrastructure, and countless other organizations have found their networks and data held hostage by malicious actors seeking monetary gain. Ransomware attacks will only continue to grow in size and severity, unless there is a coordinated, comprehensive, public-private response.

The Australian Cyber Security Centre has said that ransomware is the most significant threat facing Australian businesses and governments. A tool of state actors and cyber criminals, ransomware causes incidents that cost the Australian economy as much as $2.59 billion annually.

Moreover, as forewarned by the Government's own cybersecurity Industry Advisory Committee, "when deployed against essential services or critical infrastructure, ransomware may have rapid and serious consequences for the Australian community."

We've already seen the potential of ransomware in attacks in Australia and abroad. This year, in Australia, a ransomware attack on Nine Entertainment disrupted the network's ability to broadcast. Health services providers UnitingCare and Eastern Health lost access to electronic patient data and hospital IT systems during separate ransomware attacks, with staff having to resort to manual processes. JBS Foods, Australia's largest meat and food processing company, which employs 11,000 people in Australia, had its operations paralysed and its supply chain threatened by a ransomware attack. JBS Foods paid a A$14 million ransom to ensure no data was exfiltrated.

In the United States, a successful ransomware attack by the DarkSide group shut down the Colonial Pipeline, which carries almost half of the Eastern United States' fuel supply, for six days, leading to widespread fuel shortages.

But the scale of the problem and its cost to Australian businesses, jobs and productivity can only be estimated because organisations currently have no obligation or incentive to report ransomware attacks. Australian victims are paying millions to ransomware criminal groups each year. But payments – which encourage further attacks – are typically kept secret due to potential reputational harm, insurance ramifications and legal liability.

While organisations with an annual turnover above $3 million must report data breaches resulting in unauthorised access to personal information to the Office of the Australian Information Commissioner, ransomware may not be caught by this framework.

The Morrison Government has consistently failed to implement recommendations for a mandatory notification scheme for ransomware payments, despite this being the advice of influential cyber security experts and canvassed as a likely policy recommendation by senior Department of Home Affairs officials during May's Budget Estimates.

A similar scheme has been recommended to US President Biden by the Ransomware Taskforce, and data breach schemes in the EU and UK apply to ransomware.

Without consistent reporting and information collection, we cannot understand the scale of the problem or measure the effectiveness of policy and operational responses.

This is the problem Labor's Bill aims to fix. The Ransomware Payments Bill 2021 would introduce a stand-alone notification scheme requiring that entities intending to make a ransom payment must notify the ACSC of key details, collecting actionable threat intelligence such as the purported identity of the attacker, the details of cryptocurrency wallets for payment, the ransom amount demanded, and indicators of compromise for the attack.

The information provided would not be made public, and the Bill includes penalties for disclosure of personal information except for use by law enforcement.

To reduce the compliance burdens for small businesses, entities with an aggregate turnover of less than $10 million will be excluded from the scheme.

The actionable, de-identified intelligence collected under the bill could be shared with Australian businesses to improve cybersecurity. It could also inform ACSC or law enforcement counter-action.

Moreover, mandatory notifications would create a more complete picture of the cybersecurity threat landscape, enabling targeted policy responses to protect Australian businesses, critical sectors, and jobs.

This is a simple policy and it is a good policy.

Ransomware is an increasing threat to Australian security, and we must understand it better.

I seek leave to continue my remarks later.

Leave granted; debate adjourned.