‘Ransomware remains the most destructive cybercrime threat’ – Australian Cyber Security Centre (ACSC)
This is why the Tech Policy Design Centre produced this Policy Options Paper, Combatting Ransomware.
The paper includes 7 actionable policy options available to the Australian government. We recommend adopting a clear policy against the payment of ransoms, but we do not support a complete ban on or criminalisation of ransom payments, as that would shift the burden of breaking the ransomware business model to the victim.
The policy paper is available for download below.
7 Policy Recommendations to Combat Ransomware
The growing occurrence of high-profile ransomware incidents – including Optus, Medibank, Latitude Financial and the Crown Princess Mary Cancer Centre – has created a palpable demand from the public and industry for the Australian government to act.
Australia’s 2023-2030 Cyber Security Strategy presents an opportunity to recalibrate Australia’s policy setting. The Quad Leaders’ Summit on 24 May 2023, in Sydney, offers a unique opportunity for the governments of Australia, India, Japan, and the United States to commit to collective action against this global threat. Australia’s leadership in the International Counter Ransomware Taskforce serves as another opportunity to invigorate action among the 37 member states of the Counter Ransomware Initiative.
Researchers found strong support for Quad leaders to take the following specific actions:
- Condemn the activities of ransomware criminals and articulate a joint policy position strongly discouraging payment of ransoms.
- Introduce common mandatory disclosure requirements compelling entities that pay ransoms to confidentially notify an appropriate authority.
- Harmonise cyber incident reporting requirements across Quad jurisdictions.
Researchers also found strong support for Australia to take the following actions domestically (as part of its review of the Cyber Security Strategy), or in concert with like-minded countries.
- Introduce annual Cyber Security Board Statements (replicating the approach taken with the Modern Slavery Act) for ASX-listed companies.
- Establish a cyber insurance taskforce to examine means for the cyber-insurance market to incentivise improved cyber security and reduce the impact of ransomware.
- Sanction individuals and entities most prolifically conducting significant ransomware incidents, in close coordination with like-minded countries.
- Step up international engagement to combat ransomware, especially vis-a-vis ‘safe haven’ states, in close coordination with like-minded countries.
The recommendations and a copy of the full paper are available here.
The recommendations in this paper were informed by research, analysis and discussions on 27 April 2023 at an executive workshop attended by 44 representatives from industry groups, companies, government, and academia.
This Policy Options Paper was prepared by the Tech Policy Design Centre, with thanks to the generous sponsorship from Microsoft.