Proposed legislation compelling businesses to disclose their ransomware payments to the government has been recommended for “urgent” parliamentary approval.
Introduced last month by cyber security minister Tony Burke, the Cyber Security Bill 2024 aims to enforce mandatory reporting of ransomware payments to “build [the government’s] understanding of the ransomware threat”.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended the bill be urgently passed by parliament.
However, the committee caveated that the proposed ransomware reporting obligations apply only to the “extent that a ransomware incident relates to the reporting business entity’s operations in Australia”.
It also stated that provisions designed to limit the circumstances in which the National Cyber Security Coordinator can use or share the information provided should be “more clearly expressed”.
This measure is designed to encourage businesses to report ransomware incidents voluntarily.
The committee also stated that the bill should make clearer that disclosure of information under the ransomware reporting obligation does “not amount to a subsequent waiver of legal professional privilege” or “affect any right, privilege or immunity”.
The Cyber Security Bill forms part of a legislative package consisting of amendments to the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024.
Elements of the bill were first promised by the government in 2021, during which time ransomware attacks soared.
The government also flagged the need for a potential Cyber Security Act in February last year.
Home Affairs then ran several consultations, culminating in an exposure draft being shopped to industry last month. In total, 60 submissions were lodged to the PJCIS.
The amendment to the Intelligence Services Act will also impose the same circumstantial limitation on the Australian Signals Directorate.
The limitation was encouraged by intelligence agencies, as they found themselves being cut out of the loop on valuable incident response information.
In a statement, PJCIS chair Senator Raff Ciccone said: “The committee recognises that hardening Australia’s cyber resilience and implementing the 2023–2023 Australian Cyber Security Strategy is an urgent priority of the Government and this Parliament.
“Noting the extensive consultation process that the Department of Home Affairs has already conducted – and subject to implementation of the recommendations in this report – the committee supports the urgent passage of the legislative package.”