Australian businesses are paying untold amounts of ransom to hackers, but the government is hoping to claw back some visibility with a landmark cybersecurity law.
While major ransomware attacks on companies such as MediSecure, Optus and Latitude have grabbed headlines for breaching the privacy of millions, the practice of quietly paying off cybercriminals has flourished in the dark.
The situation has deteriorated to the point that the government's original ambition for an outright ban on ransom payments has been nixed, for now, and the focus has shifted to mapping the scale of the problem.
"We have a situation where people are paying criminals money and it is happening in the darkness," said former minister for cybersecurity Clare O'Neil, who spoke to the ABC prior to a cabinet reshuffle.
The Cyber Security Act would force Australian businesses and government entities to disclose payments or face fines, and is expected to be brought before parliament in the next sitting.
"We need to bring this out into the light," she said.
"Government cannot win this war alone. We need a whole-of-nation effort here."
In its 2022/23 Annual Cyber Threat Report, the Australian Cyber Security Centre (ACSC) confirmed it was notified of a cyber incident an average of once every six minutes.
It also said ransomware attacks had increased roughly five-fold since the pandemic.
As worrying as those numbers might seem, they are still only a glimpse of the real problem.
"It is believed that in the Five Eyes countries alone [Australia, Canada, New Zealand, the United Kingdom and the United States] literally billions of dollars in ransoms is being paid, and criminal gangs are reinvesting that money … to attack us again," Ms O'Neil said.
'That could be the end': Small business ready to push back
Business groups say the new disclosure rules, and the proposed $15,000 fines for failures to disclose a payment, could sink some small operators.
They are also pushing back against the decision to include businesses with an annual turnover of more than $3 million, arguing the threshold is too low.
"They might not know that they have this new obligation … and not knowing necessarily what to do will be just another element that could be the end of many small businesses," said Jennifer Low, the Director of Digital Policy at the Australian Chamber of Commerce and Industry (ACCI).
The ACCI, which represents large and small Australian businesses, supports parts of the bill but argued the disclosure rules should only apply to companies with an annual turnover of more than $10 million.
"Small businesses, because they are so time poor [and] resource poor, they really rely on external help," Ms Low said.
"We don't think that a mandatory reporting obligation or any further pressure needs to be put in place.
"They're already reporting and doing it in quite strong numbers."
To coax more reluctant businesses into transparency, the government is promising that disclosures will not be subjected to "the glare of regulators".
A crucial measure, called the "Limited Use Provision", will prevent the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) from sharing the information more widely, except in narrow circumstances.
"This is a no-fault scheme. We're not blaming businesses … they're victims of a crime," Ms O'Neil said.
The ACCI has welcomed those protections, but wants to see more put in place.
"We are still very much concerned that you could identify those businesses, and if the regulatory authorities wanted, they could still go after them and prosecute them," Ms Low said.
Under the existing proposal, regulators such as the Privacy Commissioner would still be allowed to investigate and prosecute companies that "leave the front door unlocked", but only using their existing powers.
"It doesn't absolve business of any of their legal responsibilities or liabilities," Ms O'Neil said.
"We expect Australian businesses to take care of their customers … but sometimes things do go wrong."
Cybersecurity experts say the proposed changes strike the right balance.
"Some in industry during the consultation process were calling for a safe harbour, which would be … immunity from any subsequent prosecution," said Johanna Weaver, director of the Tech Policy Design Centre at ANU, but noted the government has stopped short of that.
"It's basically incentivising industry to cooperate with [the] government during an incident."
How deep is the rabbit hole?
The problem is not limited to the private sector — the Australian Signals Directorate said almost one-third of cybersecurity incidents reported in the 2022-2023 financial year came from the public service.
Consecutive audits of the government sector have found it has a "low-maturity level" when it comes to cybersecurity, despite holding the largest store of sensitive data about Australian citizens.
As it stands, about 1,000 Australian entities providing "critical infrastructure" such as energy, healthcare and banking services are obliged to report ransom payments.
Wider reporting requirements are patchy, and largely being ignored, according to a recent survey of 500 IT and cybersecurity "decision-makers" from Australian businesses in five key sectors: information technology and technology; healthcare; finance; manufacturing; and telecommunications and media.
Of those surveyed, 54 per cent said their employer had paid a ransom in the last six months, despite 72 per cent saying their workplace had a public, self-imposed "do not pay" policy.
According to the research, commissioned by cybersecurity company Cohesity, 60 per cent reported their organisation would be willing to pay over US$1 million in ransom, while one-third said ransoms of more than US$3 million were within the scope of possibility.
The irony is, if the law works as designed, and businesses open up about ransom payments, the public may never hear about it.
"Australians might not see the impact of this bill on a day-to-day basis, but it will have the impact of uplifting cybersecurity and protecting their information," Professor Weaver said.
"So, this is a win for the Australian population."
However, the grim reality is that the measures are a recognition that there is no end in sight to the attacks.
"No matter how good our cybersecurity protections are … [attacks] will continue to happen," Professor Weaver said.
She also applauded the push to establish an ongoing "Cyber Incident Review Board", similar to what exists in the aviation industry, to learn from other major breaches, such as the attack on MediSecure.
"At the moment, those lessons are being learned within individual companies, but not being disseminated more broadly," she said.
The bill would also see Australia adopt international standards for connected consumer objects — such as home security cameras, smartphone-controlled appliances or baby monitors — a category known as the "Internet of Things".
"That is somewhere that Australia has to catch up … we're implementing similar systems that are already in place in the US and the UK," Professor Weaver said.
As for what is missing from the package, Professor Weaver said Australia was in urgent need of new rules to prevent businesses and government hoarding unnecessary information in the first place, forming what she calls "data lakes".
"Minimising the amount of data that government and industry is actually collecting and keeping so that when incidents happen, we have less data that can be released," she said.
"We have to have privacy reform."