Hackers will face up to 25 years' jail for deliberately targeting critical infrastructure assets under proposed changes to Australia’s computer offences designed to stem the rise in ransomware attacks against businesses.
The new laws will also give federal police “clear legal authority” to investigate and prosecute gangs operating offshore, and the ability to seize cryptocurrencies and other digital assets during the course of an investigation.
The proposed amendments are contained in the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2020 introduced to parliament by assistant minister to the minister for industry, energy and emission reduction Tim Wilson earlier this month.
The bill delivers the federal government’s ransomware action plan, which proposed a suite of new offences for stealing data and the buying and selling of malware, to better protect businesses from attacks.
The action plan, released in October, also foreshadows a mandatory ransomware incident reporting regime that will apply to businesses with a turnover of $10 million or more each year, though that proposal does not form part of the bill.
It follows attempts by the federal opposition to create a similar reporting scheme as part of a private members bill introduced by shadow assistant minister for cyber security Tim Watts in June 2021.
Introducing the bill on behalf of home affairs minister Karen Andrews, Wilson said the amendments are a “critical step to deter ransomware gangs, enable a more effective law enforcement response and halt the flow of cryptocurrencies”.
“This bill modernises Australia’s computer offences to ensure ransomware gangs face criminal liability for each aspect of their business model and increases penalties for their egregious conduct,” he said.
If passed, the bill will allow law enforcement agencies to “investigate and prosecute [computer] offences under the... Criminal Code where the conduct occurs outside of Australia but impacts persons in Australia”.
Wilson said the new power would “provide the Australian Government clear legal authority to investigate and prosecute criminals targeting Australians and Australian businesses regardless of their location”.
The bill creates several new offences targeting cyber criminals, including an “aggravated offence” for any person who commits a computer offence against critical infrastructure, which is intended to work hand-in-hand with reforms to critical infrastructure security.
Actions intended to “cause an impact, whether direct or indirect, on the availability, integrity or reliability of a critical infrastructure asset or on the confidentiality of information about or stored in, or confidentiality of the critical infrastructure asset” will be considered an offence.
The offence carries a maximum penalty of 25 years in prison, which the explanatory memorandum states “appropriately reflects the catastrophic risk posed by cyber attacks that utilise ransomware or malware to cause harm to critical infrastructure”.
A new aggravated offence is also created for buyers and sellers of ransomware, which is intended to target the ransomware business model, particularly “ransomware-as-a-service” or any commissions paid by threat actors.
The bill also introduces a new offence that “criminalises all forms of extortion in relation to a victim of a computer offence”, regardless of “whether or not the person has caused the unauthorised access, modification or impairment of data”.
“This ensures that groups of individuals or criminal syndicates face criminal liability where individuals comprising the group perform specific roles,” the explanatory memorandum states, adding that the offence carries a maximum penalty of 10 years' prison.
Other changes include increases to the maximum penalty for unauthorised access to, or modification of, restricted data and unauthorised impairment of data held on a computer disk from two years to five years – the first time this has been amended since 2001.
In addition to the new offences, the bill “extends current investigative and freezing powers that cover financial institutions to certain digital currency exchanges” and establishes a legal basis for police to seize cryptocurrency and other digital assets under a warrant.
Wilson said this change “reflects the way criminals are using cryptocurrency as part of their criminal activities” and would allow law enforcement to continue to “effectively detect, disrupt and deter activities harmful to Australians”.