Canberra to mandate ransomware reporting, smart device standards

Businesses will be compelled to report ransomware incidents and adopt minimum security standards for smart devices, according to a cyber security consultation paper released on Tuesday.

The paper said the proposed measures addressed regulatory gaps identified by the government’s ambitious seven-year, $587 million cyber security strategy announced last month.

Home Affairs and Cyber Security Minister Clare O’Neil said cyber security was a “shared responsibility” between the public and private sector.

“The Australian government is 100 per cent committed to working with the private sector to strengthen our cyber defences and reach our vision of becoming a world leader in cyber security by 2030,” she said.

“These initiatives will help Australian citizens and businesses fight back against the cyber crooks.”

The government’s cyber strategy centred on building six “shields around Australia”, which involved improving protections for individuals and businesses, technology, intelligence sharing, critical infrastructure, sovereign capabilities and regional security.

To implement the strategy, the consultation paper contained four legislative initiatives and five amendments to “build basic cyber risk mitigations across the community and help our citizens and businesses engage confidently in the digital economy”.

One of the four initiatives proposed was a mandatory, no-fault and no-liability obligation for businesses to report ransomware incidents and ransom payments.

“An entity would report to government: if an entity is impacted by a ransomware or cyber extortion attack and receives a demand to make a payment to decrypt its data or prevent its data from being sold or released; or if an entity makes a ransomware or extortion payment,” the paper said.

Reports would include where the incident occurred, when the business became aware of it, the kind of ransomware used, system vulnerabilities exploited by the attack, affected assets and data, the ransom payment demanded, and the nature of negotiations between the attacker and the business.

This reporting obligation would develop the government’s “national threat picture rather than making findings of fault or liability”.

The government sought feedback on the scope of the requirement, reporting time limits and penalties for non-compliance to strike a balance between maximising its “visibility of the ransomware threat” and minimising the regulatory burden imposed on businesses.

The paper also floated the idea of an exemption for businesses with turnovers of less than $10 million.

“Small businesses may find it challenging to acquit a reporting obligation due to limited capacity and resources … while [the exemption] would significantly restrict the sample size for ransomware information, this would still result in an increase in the number of entities subject to a cyber incident reporting obligation,” it said.

Another key measure proposed included mandating minimum cyber security standards for smart, internet of things (IoT) devices used by individuals and businesses to protect sensitive information.

“Evidence provided to government, including through industry reports of cyber incidents, indicates that consumer-grade devices continue to be used by cyber threat actors to target consumers,” the paper said.

The code would ban universal default passwords, requiring the sending of cyber vulnerability reports and setting minimum software security update periods, in line with international security standards.

The government said responsible entities would likely be businesses in the IoT devices supply chain, such as manufacturers, subcontractors, software developers, importers and distributors.

While they were previously subject to voluntary guidelines, the government said this had “limited impact on business decision-making”, resulting in inconsistent implementation.

Low-cost manufacturers in particular were unlikely to implement “safety-conscious design choices”, it said.

The government sought feedback on the standards proposed and the entities that would be responsible for implementing them. It also sought feedback on setting up a separate regulatory function within the Department of Home Affairs to oversee enforcement.

Other measures included a “limited use obligation” for cyber incident information shared with cyber agencies, and establishing an incident review board to assess cyber attacks and responses.

The paper also detailed amendments to the Security of Critical Infrastructure Act 2018 and other non-legislative reforms with industry, such as a cyber health check scheme for small businesses, an app store code of practice and a voluntary labelling scheme for IoT devices.

Written submissions on the consultation paper close in March next year.