Australia amends Ransomware Action Plan, introduces penalty to deal with rising attacks

The Australian government has proposed changes in its Ransomware Action Plan to include a provision that deals with ‘aggravated offences’ targeting its critical infrastructure sectors. Such offenses will now face an imprisonment term of 25 years and apply to cybercriminals who commit a computer offense that targets critical infrastructure assets, as the government works on strengthening its laws to go after those perpetrators who compromise systems at such installations. 

The bill titled ‘Crimes Legislation Amendment (Ransomware Action Plan) Act 2022’ recognizes the severe disruption that would be caused by the deployment of malware, including ransomware, on critical infrastructure assets’ computer systems. It also recognizes that the offense imposes a significant penalty “as the conduct is serious and may seriously prejudice national security, cause loss of life or significant economic damage.” 

According to the amended ransomware action plan, ‘aggravated offence’ relates to cyberattacks on critical infrastructure assets committed by a person whose conduct relates to a person intending to cause a direct or indirect impact on the availability, integrity, or reliability of a critical infrastructure asset or the confidentiality of information about or stored in, or the confidentiality of a critical infrastructure asset.

In October, the Australian government had announced its ransomware action plan that introduces criminal offenses, tougher penalties, and a mandatory reporting regime. The measure came as the administration worked towards protecting individuals, businesses, and critical infrastructure from ransomware attacks.

In some cases, cybersecurity incidents have resulted in sensitive personal and medical information being encrypted, such that it could no longer be used. “This conduct directly threatens the operation of essential facilities and significantly risks the safety of the community. These incidents demonstrate the importance of deterring cybercriminals from targeting critical infrastructure with ransomware,” according to an explanatory memorandum issued Thursday.

A significant disruption or attack on Australia’s critical infrastructure could have considerable consequences for its economy, security, and sovereignty, it said. “The offence captures conduct where a person commits an underlying offence, and intends to cause an impact, whether direct or indirect, on the availability, integrity or reliability of a critical infrastructure asset or on the confidentiality of information about or stored in, or confidentiality of the critical infrastructure asset,” the memorandum added.  

The ransomware action plan identified “underlying offences which must be committed together with the conduct in relation to a critical infrastructure asset.” The underlying offenses include unauthorized modification of data to cause impairment, prohibited impairment of electronic communication, unauthorized access to, or modification of, restricted data, and actions such as disallowed impairment of data held on a computer disk, etc., it added.

The plan also recognized that “the person must have intended to cause a direct or indirect impact on the availability, integrity or reliability of the critical infrastructure asset. An impact also relates to the confidentiality of information about or stored in, or of, the critical infrastructure asset. This definition is intended to align with the definition of relevant impact in section 8G of the Security of Critical Infrastructure Act 2018,” the memorandum added. Relevant impact includes an impact on a critical infrastructure asset’s availability, integrity, reliability, and the confidentiality of information about or stored in or the confidentiality of the critical infrastructure asset. 

“This offence is punishable by a maximum penalty of 25 years’ imprisonment. This will ensure that perpetrators face punishment commensurate with the severity of their conduct and the risk of harm it has to critical infrastructure, Australia’s national security and economy, and the Australian community,” the memorandum said. “It also appropriately punishes and deters perpetrators in relation to that conduct,” it added.

The proposed amendments “send a strong and clear message to cybercriminals that the Australian government will not sit idle while our critical infrastructure and way of life get disrupted,” Scott McKinnel, country manager at Tenable ANZ, wrote in an emailed statement. “A task of this magnitude requires global governments to leverage the combined resources and expertise of government, industry and other stakeholders to provide timely and trusted information sharing to enhance the nation’s cybersecurity,” he added.

But the rising number of ransomware attacks can’t be solved in a vacuum, McKinnel said. “It has to be a one-two punch; while the government responds with sanctions, prosecution and other deterrence measures, the private sector must secure its systems properly. If we work together, cyberattacks won’t be the big business they are now,” he added.

The Australian government has been working for a while on implementing a package of significant reforms to the laws aimed at protecting the country’s critical infrastructure assets and systems of national significance from cyber threats. 

Earlier this month, Karen Andrews, Australia’s Minister for Home Affairs, referred the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry and report. The bill was introduced to address outstanding elements of the proposed framework that the Committee reported on in its Advisory report on the SLACIP Bill and Statutory Review of the Security of Critical Infrastructure Act 2018.

Security agencies from Australia, the U.S., and the U.K. issued a transnational joint cybersecurity advisory (CSA) earlier this month. The advisory outlined the growing international threat of ransomware trends observed over the past year. The global security agencies said that ransomware groups had increased their impact by targeting the cloud infrastructure and managed service providers (MSPs), attacking industrial processes and the software supply chain, and launching attacks on organizations on holidays and weekends.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.