By Staff Writer

The Australian Government is considering the mandatory reporting of ransomware attacks in the wake of several high-profile cyberattacks. Operating like the existing Notifiable Data Breaches scheme, Home Affairs secretary Mike Pezzullo flagged the idea at a Senate Committee Hearing last week.

Describing Australia’s current cyber threat environment as “deeply concerning,” the Home Affairs Secretary was asked about the likelihood of a mandatory reporting regime for any ransomware attack.

“It’s currently considering that matter, as an extension of the cybersecurity strategy that was released last year,” Mr Pezzullo told the Legal and Constitutional Affairs Legislation Committee. While mandatory reporting was on the table, the Secretary said the matter was still far from settled, with numerous stakeholders yet to be consulted.

“I am also in the process of consulting with law enforcement and other colleagues because of the need to balance the burden of reporting and the efficacy of reporting as against the value of that reporting.”

Shadow cybersecurity spokesperson Tim Watts has recently said ransomware attacks should be reported.

“The mandatory data breach legislation is about telling individuals their information has been compromised. I think we need a parallel regime that says if you’re going to make a ransomware payment,” Watts says.

What is causing some concern is the possible banning of ransomware payments. Many businesses who fall victim to ransomware attacks do pay up. Ransomware attacks are estimated to have cost Australia $1.4 billion in 2020. The Australian Government has a clear interest in monitoring and tracking those payments.

“Cybercriminals tend to be very business-savvy,” Mike Pezzullo says. ”They’ll chase opportunity. Typically, the more critical a system or the more critical a dataset, the more criminal opportunity there might be.”

“We can target the points in the financial system where they seek to transfer cryptocurrency into fair currency,” suggests Mr Watts.

But some cybersecurity experts warn against paying ransomware demands, saying it only encourages further attacks.

“We should be talking about the need for businesses to be proactively planning for when ransomware hits – resilience planning, having a dedicated cyber leader to implement monitoring and controls for detection and response, and have appropriate back-ups in place that would help organisations avoid paying the ransom for decryption as their only option,” says Claire Pales, co-founder of the cyber risk management firm, The Secure Board Advisory Service.

Ms Pales agrees the flagged mandatory reporting of ransomware attacks has some merit. She says it will help with the collection of data and deliver much-needed intelligence. But the security expert would like to see more clarity from the Australian Government, particularly whether ransomware attacks would be made public.

“These attacks are often hidden. If organisations can hide their incidents from media attention, they will. If these measures mean attacks become public knowledge, organisations will need to plan for potentially significant implications to their brand and reputation.”

Mike Pezzullo says any mandatory reporting regime will be part of a national strategy to combat cybercrime that remains a work in progress.