Companies will be required to report cyber ransom attacks

By Anthony Galloway  October 13, 2021  
https://www.theage.com.au/politics/federal/companies-will-be-required-to-report-cyber-ransom-attacks-20211012-p58zcv.html


Businesses will be forced to inform the federal government when they have been 
hit by a ransomware attack under a major change to Australia’s cyber security 
regime.

Home Affairs Minister Karen Andrews will on Wednesday release a ransomware plan 
that includes mandatory reporting requirements for companies with turnover of 
$10 million or more a year.

Ransomware attacks – where hackers upload a form of malware that encrypts the 
victim’s files and then demand a ransom to restore system access – have 
increased 60 per cent over the past year.

“Ransomware gangs have attacked businesses, individuals and critical 
infrastructure right across the country,” Ms Andrews said. “Stealing and 
holding private and personal information for ransom costs victims’ time and 
money, interrupting lives and the operations of small businesses.

“A new ransomware incident reporting regime will enhance our understanding of 
the threat and enable better support to victims of ransomware attacks. It will 
be designed to benefit, not burden small businesses.”

The Australian Signals Directorate recently revealed some large Australian 
companies had failed to co-operate with the cyber spy agency after being the 
target of ransomware attacks.

Under the government’s plan, which will require legislative change, companies 
will have to tell the Australian Cyber Security Centre, an arm of the ASD, soon 
after being subjected to a ransomware attack. They could be hit with civil 
penalties if they do not comply with the proposed scheme.

The government is yet to determine what the penalties will be for 
non-compliance but wants to prioritise education and assistance over sanctions.

The exact details around how soon a company would have to report an attack will 
be worked out after consultation with industry over the coming months. It is 
expected there will also be follow-up requirements on companies to provide 
additional information to the ACSC in the days after the attack.

Cyber security experts and the federal opposition have been calling on the 
government to put a mandatory reporting regime in place.

Home Affairs Minister Karen Andrews has blamed China's Ministry of State 
Security for exploiting the private sector through malicious cyber activity.

Labor’s cyber security spokesman, Tim Watts, has a private member’s bill before 
Parliament that would require companies to inform the ACSC once a ransom 
payment had been made.

The government believes requiring companies to report an attack, rather than 
payment, is a better option because it will give the ACSC information about the 
hack sooner and authorities will have the chance to consider whether it has 
wider national security consequences. It will also provide an early opportunity 
for victims to receive advice and access resources to deal with the attack.

Ms Andrews said individuals, businesses and the nation’s critical 
infrastructure would be better protected under the scheme.

The measure is another step in the government’s tightening of cyber security 
laws. It already has legislation before Parliament that would allow agencies 
such as the ASD to step in to protect operators of critical infrastructure 
during or after a major attack on their network.

Transport and logistics giant Toll Group in August conceded it might have been 
the company that failed to comply with the ASD for weeks after it was hit by a 
significant ransomware attack. ASD director-general Rachel Noble weeks earlier 
revealed her agency found out about a cyber attack through media reports 
despite the incident having a “national impact on our country”.

Ms Noble said at the time there were some “wonderful examples of incredible 
co-operation” with the ASD but she wanted to provide an example of what “bad 
looks like”.

“This is a real example but I’m not going to name names, that’s really 
important: we find out something has happened because there are media reports,” 
Ms Noble said. “Then we try to reach out to the company to clarify if the media 
reports are true and they don’t want to talk to us.”

An Australian Strategic Policy Institute report in July warned Australian 
organisations were “soft targets” for ransomware attackers and called on the 
government to establish a mandatory reporting regime.

---
_______________________________________________
Link mailing list
[email protected]
https://mailman.anu.edu.au/mailman/listinfo/link