The Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (Ransomware Crimes Bill) was introduced into the House of Representatives on 17 February 2022. It gives effect to key components of the Australian Government’s Ransomware Action Plan (Plan), primarily to create specific offences for ransomware attacks and related financial crimes.
Interestingly, the Ransomware Crimes Bill was introduced just three days after the Ransomware Payments Bill 2021 (introduced by the federal opposition prior to the publication of the Plan) was withdrawn from Parliament. The Ransomware Payments Bill would have required certain businesses to report any ransomware payments to the Australian Cyber Security Centre. The Government has signalled a broader ‘ransomware incident’ reporting regime in the Plan but that has yet to be introduced.
Australia has become an attractive (and lucrative) target for cybercriminals due to our generally high per-capita wealth, high online engagement and increased availability of online services. The Ransomware Crimes Bill seeks to deter, and safeguard Australians against, cyber theft, encryption, extortion and other cyberattack tactics by creating specific ransomware offences under the Criminal Code Act 1995 (Criminal Code), Proceeds of Crime Act 2002 (Proceeds of Crime Act) and Crimes Act 1914 (Crimes Act).
Summary of proposed amendments
Criminal Code amendments
The Ransomware Crimes Bill amends the Criminal Code to:
- Extend the jurisdictional limits applicable to offences under the Criminal Code, including allowing the government the authority to investigate and prosecute cybercriminals where the conduct occurs outside of Australia but impacts persons in Australia, regardless of their geographical location.
- Introduce new standalone criminal offences for:
  - Cyber extortion, being where the offender attempts to compel the victim to do or omit to do ‘an act’ by threatening to do something with the victim’s computer or data after any of the following has occurred (whether they were caused by the offender or some other person):
    - unauthorised access to data held in the computer;
    - unauthorised modification of data held in the computer;
    - unauthorised impairment of electronic communication of data to or from the computer; or
    - unauthorised impairment of the reliability, security or operation of the data held on a computer disk, credit card or other device used to store data by electronic means.
    This offence will be punishable by a maximum term of ten years’ imprisonment.
  - Stealing or causing access to data, being where the offender ‘dishonestly’:
    - obtains data held in a computer;
    - causes any access to data held in a computer;
    - causes any modification of data held in a computer; or
    - causes any release of data held in a computer to one or more other persons.
    This offence will be punishable by a maximum term of five years’ imprisonment.
- Increase penalties for a number of computer-related offences under the Criminal Code, including increasing the penalty from two to five years’ imprisonment for unauthorised access to, or modification of, restricted data (section 478.1(1)) and unauthorised impairment of data held on a computer disk (section 478.2).
- Introduce new aggravated offences, including for:
  - the targeting of critical infrastructure in Australia, stemming from the recent Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth), which will be punishable by a maximum term of 25 years’ imprisonment; and
  - buyers and sellers of ransomware, to ensure that those profiting from the development and sale of ransomware, including ransomware-as-a-service, are deterred. This offence will be punishable by a maximum term of ten years’ imprisonment.
The Senate is currently considering the appropriateness of defences to the amended specialised geographical jurisdiction provision for computer offences under Part 10.7 of the Criminal Code, which place the evidential burden on the defendant rather than the prosecution.
Proceeds of Crime Act amendments
The Ransomware Crimes Bill includes amendments to the Proceeds of Crime Act to extend law enforcement agencies’ investigative and freezing powers to digital currency exchanges in addition to traditional financial institutions.
This will ensure law enforcement can identify where digital currencies may be associated with criminal offending and then freeze relevant accounts to prevent that digital currency from being dissipated (and potentially reinvested in further criminal activity) before action can be taken. The amendments can also require a financial institution to disclose details of transactions a person makes over a certain period, set out in a monitoring order by law enforcement.
Crimes Act and Proceeds of Crime Act amendments
The Ransomware Crimes Bill also includes amendments to the Crimes Act and the Proceeds of Crime Act to ensure that law enforcement agencies are authorised to search for and seize digital assets under a search warrant.
A ‘digital asset’ is defined as:
- a digital representation of value or rights (including rights to property), the ownership of which is evidenced cryptographically and that is held and transferred electronically by:
  - a type of distributed ledger technology; or
  - another distributed cryptographically verifiable data structure; or
- a right or thing prescribed by the regulations.
The regulations may also exclude a right or thing from being considered a digital asset.
One of the intentions of the amendments is to accommodate the broadest range of things that may constitute a digital asset under a search warrant, including a mechanism for the minister to define what constitutes a digital asset, in recognition that this is an emerging and evolving area of property. This could include anything from a digital wallet, digital asset account or app, information on a computer hard drive or the digital asset itself. This change ensures that criminals are deprived of the benefits of their crimes and are (hopefully) deterred from further criminal activity.
Key takeaways and next steps
The Ransomware Crimes Bill aims to augment and modernise Australia's cyber offences to ensure ransomware offenders face criminal liability for each aspect of their criminal enterprise.
The amendments reflect the advancing large-scale nature of cybercrime, changes in criminal approaches and the evolution of online communication and data storage. There are obvious issues in enforcing the legislation but as a form of deterrence it is a necessary part of the Government’s arsenal.