Written by staff journalist.
Ahead of the launch of the Australian Government’s Cyber Security Strategy on November 22, 2023, Minister for Home Affairs and Cyber Security, Clare O’Neil, says banning ransomware payments is inevitable.
“Ransomware is one of the fastest growing types of cybercrime,” O’Neil told ABC radio earlier today. “It’s a major problem for Australia, and we need to move to a position where we think about imposing a complete ban on paying ransoms.”
The minister said that in consultations with businesses and stakeholders as part of the strategy’s development, people understand the need to ban ransomware payments. However, O’Neil said neither government nor industry had done “the hard work” to prepare entities for the impact of a mandatory reporting regime.
“The starting point for us is to build a clear picture of the problem,” O’Neil said. “Right now, there are probably lots of businesses around Australia that are dealing with a cyberattack and contemplating paying a ransom, yet the Australian Government has no visibility of the problem.”
Current legislation requires entities working in designated critical infrastructure fields to report cyberattacks and ransomware demands. However, there is no obligation on entities working in sectors outside the designated areas to self-report. Today’s updated strategy release will likely change this. There is also no ban on any entity paying a ransom, although the advice of the Australian Government and its agencies is not to do so.
“We need to build a clear picture of what’s going on and do everything we can to support businesses when they are experiencing a cyber attack, and then I think we’ll be in a position to consider making ransomware payments illegal,” the minister said.
O’Neil says that because no incumbent government has done the work to prepare entities for the impact of a ransomware ban, implementing one immediately is not feasible. “The payment of ransoms sees businesses worldwide funnel billions of dollars to criminal gangs, who reinvest that money into their capability. Every time a ransom is paid, we are feeding the cybercrime problem. But because we haven’t done the hard work here in Australia, now is not the right time to ban ransom payments.”
O’Neil says she plans to spend the next two years properly funding and resourcing law enforcement agencies as well as building some support systems for entities under attack before moving to implement any ban. “My plan for the country on ransoms is to undertake the first two years of this strategy, and then we revisit and contemplate the inevitable for countries worldwide – making a ban on ransom payments.”
The relaunched 2023-2030 Australian Cyber Security Strategy will be a “game-changing strategy,” according to O’Neil. She says cybersecurity is Australia’s fastest-growing national security challenge. The updated strategy will see the government invest another AUD600 million into fighting cybercrime, based on the six cyber shields or pillars O’Neil articulated at a cybersecurity conference in Sydney in September.
“We just cannot continue how we are,” O’Neil said. “We’ve got data flying around the country, we’ve got cyberattacks on major pieces of infrastructure, and we’ve got businesses who keep saying to me that they feel alone in the challenge and unnecessarily vulnerable. The cybersecurity strategy we are releasing today is not just a big picture document; it is a very specific and tangible set of things the government will do to change the game for our country.”