In a surprising turn of events, the Australian Government will not ban ransomware payments to hackers as part of its new A$600 million Cyber Security Strategy unveiled on Wednesday.
However, Home Affairs Minister Clare O'Neil stated that the government aimed to “move towards a position where we implement a complete ban on paying ransoms” once further analysis on the implications of such a prohibition is conducted.
The wide-ranging strategy, spanning 2023-2030, introduces an array of initiatives to bolster national cyber defences.
This includes a ransomware 'playbook' for businesses, stronger reporting requirements for telecommunications firms and mandatory reporting of ransomware attacks.
O’Neil blamed past administrations for inadequate attention to surging cyber threats.
“The cyber strategy the government is releasing today is not just a big vision document ... it is a very specific set of tangible things the government will do to change the game,” she asserted.
We’ve just released the Albanese Government’s 2023–2030 Australian Cyber Security Strategy. By 2030, we can reach our vision of becoming a world leader in cyber security. Our Strategy charts the course to get there. pic.twitter.com/b4FM0Zaf9S
— Clare O'Neil MP (@ClareONeilMP) November 23, 2023
'No-fault, no-liability'
A centrepiece of the strategy is a 'no-fault, no-liability' ransomware reporting system for businesses to share anonymised data on ransomware and cyber extortion patterns.
This move intends to encourage reporting by assuaging companies’ fears of potential repercussions.
The strategy delineates six key 'cyber shields', allocating $586.9 million in new funding toward objectives like safeguarding critical infrastructure and nurturing 'sovereign capabilities'.
Free cyber health assessment program for SMEs
Support measures for small and medium enterprises include a free cyber health assessment program and a Cyber Security Resilience Service for post-incident response assistance.
The government will also form a cyber incident review board and explore limiting information sharing about cyber attacks between security agencies and regulators.
Moreover, the strategy pledges a review of controversial data retention laws. Changes could be in store for mandatory metadata retention policies obliging telecommunications firms to store customer communications data.
O'Neil emphasised that this strategy signified a crucial shift toward making Australia a more formidable adversary for would-be hackers.
However, the decision against banning ransom payments suggests there are still complex trade-offs being weighed between security imperatives and practical realities.
Our new Cyber Security Strategy will help protect Australian families, workers and businesses from cyber threats. pic.twitter.com/cpQ56YZZQG
— Anthony Albanese (@AlboMP) November 22, 2023