The government has shelved plans to ban the payment of ransoms to cybercrime groups for at least two years but says a ban at some point is still “inevitable”.
Whether to impose such a ban was one of the questions put to industry in a consultation around the cyber security strategy earlier this year.
“Should the government prohibit the payment of ransoms and extortion demands by cyber criminals by victims of cybercrime; and/or insurers? If so, under what circumstances?” it had asked.
“What impact would a strict prohibition of payment of ransoms and extortion demands by cyber criminals have on victims of cybercrime, companies and insurers?”
“[And] should [the] government clarify its position with respect to payment or nonpayment of ransoms by companies, and the circumstances in which this may constitute a breach of Australian law?”
Responses had highlighted the complexity of imposing an outright ban, noting that paying a ransom could be cheaper than other recovery and remediation avenues following a ransomware infection.
Minister for cyber security Clare O’Neil said the government had decided that more groundwork needed to be laid before any ban on payments could be initiated.
“In all the consultation I did about the strategy, the really clear message that I got is that people understand we are ultimately going to need to ban ransom payments in this country, but we haven't done the hard work to prepare the country to manage the impacts of that,” O’Neil said.
“We don't have, for example, a federal police force that's properly resourced and properly equipped to deal with this problem, and we solve part of that problem in the [new cyber] strategy.
“We don't have a proper system of support for companies that are undergoing cyber attack, and we solve that problem in the strategy.
“So, my plan for the country on ransoms is that we undertake what is the first two years of this strategy, and then we revisit where we are then and contemplate what I think is inevitable for countries around the world, and that is one day a ban on making ransomware payments.”
O’Neil said that the concern with allowing payments to continue indefinitely is that doing so continues to feed the ransomware machine and encourage threat groups.
“The payment of ransoms at the moment is effectively businesses around the world funnelling millions and millions and hundreds of millions, probably billions of dollars into criminal gangs who reinvest that money back in their capability,” she said.
“Every time a ransom is paid, we are feeding the cybercrime problem. We just can't feed cybercrime like this.”
The government yesterday unveiled its new cyber security strategy for 2023-2030.