Hackers to face 25 years in jail for cyber attacks on Australia's national infrastructure

Hackers could face up to 25 years in jail if found guilty of cyber offences against Australia’s critical infrastructure, under proposed changes introduced by the government today.

The government tabled the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 in a bid to modernise criminal offences and procedures to respond to the threat of ransomware. It has several proposals that update the Criminal Code Act 1995, the Crimes Act 1914, and the Proceeds of Crime Act 2002.

One proposal is to set a maximum jail term of 25 years for hackers who target critical infrastructure assets. The government said it wanted to ensure that any computer offence against Australia’s infrastructure carries an appropriate penalty and deters would-be offenders.

Australian law enforcement will also be given clear legal authority to investigate and prosecute ransomware crimes and offences that occur in foreign countries, where the crime affects a person in Australia. Law enforcement will also be given the power to seize cryptocurrencies and other digital assets associated with cyber crime.

A new offence will also be created for those who buy or sell ransomware, with the government eager to crack down on the ransomware-as-a-service business model in particular.

The bill also makes adjustments to the law governing unauthorised access to, or the modification of, restricted data and unauthorised impairment of data held on a computer disk. In this case the maximum jail term will increase from two years to five years.

“Although a positive step in the fight against cybercriminals, this deterrent will by no means be the end of ransomware in Australia,” said Camellia Chan, CEO and Founder of X-PHY. “It is imperative that organisations do not rest on their laurels despite tougher punishments for criminals. New ransomware gangs and threat actors who are willing to risk the consequences are sure to emerge.

“Indeed, the devastating attack last year on the Colonial Pipeline in the US proves no organisation is too large to be targeted. Efforts to improve cyber security and bolster defences should be more strong than ever.”

This legislation implements key aspects of the government’s Ransomware Action Plan that was announced on 13 October 2021. The plan set out the government’s strategic approach to tackle the threat posed by ransomware and make it easier to clamp down on cryptocurrency transactions associated with ransomware crimes.

Australia’s proposals to update the current legislation may be watched by other nations across the globe, many of which lack formal charges against ransomware.

In the UK, the Computer Misuse Act, last updated in 2015, has faced repeated calls to be brought in line with current threats, including from a coalition of businesses and cyber security groups.

The US has the Computer Fraud and Abuse Act (CFAA), which was introduced in 1986 to address hacking. It was most recently amended in 2008 to cover a broad range of conduct far beyond its original intent.

Australia's new bill shadows attempts made by an opposition legislator in June last year, who introduced the Ransomware Payments Bill 2021. That bill would have required victims who make ransomware payments to notify the Australian Cyber Security Centre (ACSC) of key details of the attack, the attacker, and the payment.

Labour MP Tim Watts said it would provide a fuller picture of ransomware attacks in Australia and the scale of the threat. However, the bill did not proceed from the House of Representatives and was formally removed on 14 February 2022.

Other countries have taken steps against ransomware as its use skyrocketed during the pandemic, including the US, which gave it a similar status as terrorism in June 2021. Last November, the Justice Department charged a Ukrainian national with conducting ransomware attacks against multiple victims and also announced the seizure of $6.1 million in funds traceable to alleged ransom payments.