25 October 2021



I thank the member for Fisher for moving this motion, though I have to say that the member may have left out a few things along the way that I do want to bring to the attention of the House. I'll start out by saying that, in the ASD and the ACSC, we have some outstanding technical capabilities. They do really fantastic work. There are world-class capabilities in these agencies and we need to ensure that they've got everything they need to do their jobs.

The member for Fisher is right to highlight the threat of ransomware, as I have done in this place many times over the last few years. It has been a rapidly growing threat over that time, particularly in the last two years—so significant that the ACSC, in its first Annual cyber threat report, in 2020, labelled it the 'highest' cyberthreat facing businesses and reaffirmed this in its most recent threat report.

Unfortunately, despite its agencies continually warning about the threat, the Morrison government has been a little bit slow to wake up to it and even slower to do something about it. I first mentioned ransomware in this place more than four years ago in 2017. In 2019, I warned in this chamber that:

"We know that this threat is imminent. We've seen it playing out in the United States over the preceding months. If the Morrison government fails to act to get the word out on this issue now, then the consequences of these attacks in Australia for our nation will be on the government's head."

Of course, they didn't act. The former Minister for Home Affairs, the member for Dickson, never once mentioned ransomware in this place in his entire time in the role, despite the rapidly escalating ransomware attacks on Australian businesses during his years in the role. We saw multiple Victorian hospitals hit with ransomware in October 2019, BlueScope Steel hit with ransomware in May 2020, transport and logistics firm Toll in February 2020, and one of our biggest breweries, Lion, in June 2020, and countless more that didn't make the news headlines. But what did we hear from the Morrison government about what it was doing to stop those attacks at that time? Crickets. Cybersecurity was at the bottom of the Home Affairs minister's to-do list, and it has been at the bottom of the Morrison government's priority list ever since, with countless opportunities to act passed up.

The member for Fisher should listen, because one of the first acts of this Prime Minister when he took the job was to abolish the dedicated role for cybersecurity in the ministry. His 2020 Cyber Security Strategy, released in April 2020, mentions ransomware only twice—once in a third-party quote and once in a list of issues the ACSC can advise on. The Department of Home Affairs released its industry advisory report on ransomware in March 2021, but it consisted entirely of advice to business and included no new government policy initiatives. Australia's International Cyber and Critical Technology Engagement Strategy, also released in April, only mentions ransomware once, in a list of past attributions of cyberattacks, and again includes no new policy initiatives. Now, to her credit, the current Minister for Home Affairs said that cybersecurity was 'a priority' for her on coming into the job. Unfortunately, only when the scourge of ransomware has escalated to a crisis point has the government started paying attention. We've seen high-profile ransomware attacks on the Nine Network; on JBS, our biggest meat supplier; and, internationally, on the Colonial pipeline.

Now, Labor, having recognised this threat some time ago, has tried to be constructive in this area. We haven't just stood on the sidelines and criticised; we've proposed ideas. In February this year, we released a discussion paper calling for a national ransomware strategy designed to increase the costs and reduce the returns of ransomware attacks on Australia and outlined a series of ideas for how we could go about it. Among others, we recommended a mandatory notification scheme for ransomware payments, an idea we crystallised in a private member's bill in June. We recommended renewed efforts to close a cyberenforcement gap, through increased law enforcement cooperation; a new campaign of offensive cyberoperations against ransomware crews that target Australians; and new anti-money-laundering interventions against cryptocurrency exchanges, to cut off their payment systems.

I'm pleased to see the government has now adopted all of these proposals, if somewhat belatedly. In July 2021, the government launched a multiagency ransomware task force, targeting ransomware and led by the AFP, called Operation Orcus—tick. In October, nine months after we called for a national ransomware strategy, the minister released a Ransomware Action Plan—totally different—tick. Included in the plan were new anti-money-laundering laws—tick; powers targeting cryptocurrency payments—tick; and new commitments to join international cyberoffensive operations against ransomware crews—tick.

The new plan even included a mandatory notification scheme, not just for payments but for all ransomware attacks. This, I admit, came as a bit of a surprise, as, when the minister was asked why the government wouldn't simply support Labor's widely welcomed private member's bill to require notification of ransomware payments, she said:

"What I don't want to do is end up putting the cart before the horse effectively, and moving directly to 'this is a mandatory reporting of ransomware' …"

She didn't want to act because the government hadn't 'gone through the process of raising awareness of cybersecurity and raising awareness of ransomware' with Australian organisations.

If a ransomware payment notification scheme was too much too soon for business, according to the minister, it's difficult to see how the notification scheme for all ransomware attacks isn't too much today. Regardless, the distinction is likely to be moot, as there are not enough sitting days left before the election to pass this bill.