Category: Tim Watts

  • The federal government has adjusted its cyber aspirations from being the world’s best to being among the leaders, a recognition that several factors will be beyond Australia’s control in a “deteriorating” global cyber landscape. Under a new national strategy unveiled by Cybersecurity minister Clare O’Neil on Wednesday, the government will invest an additional $587 million…

    The post Australia shifts the goal posts in new cyber strategy appeared first on InnovationAus.com.

    This post was originally published on InnovationAus.com.

  • Australia’s international and domestic cyber strategies will be integrated in the upcoming national strategy, with a renewed cyber diplomacy push seeking to make Australia the “partner of choice” for Pacific nations. It puts an end to the former government’s practice of a separate international cyber engagement strategy led by the Department of Foreign Affairs. That…

    The post International cyber strategy rolls into national plan appeared first on InnovationAus.com.


  • Australian officials turned up their cyber-diplomacy in Singapore this week, promising to help Pacific nations combat risks like ransomware accompanying their increased digitalisation, and to use Australia’s sanction regime to punish cyber criminals. On Tuesday, Assistant Minister for Foreign Affairs Tim Watts addressed the Singapore Government’s main cyber conference, warning of “ubiquitous” ransomware attacks across…

    The post Australia in cyber diplomacy drive to combat regional ransomware appeared first on InnovationAus.com.


  • Labor has pledged $4 million in new funding to support Australian quantum researchers, promising to grow the strategically important sector and capitalise on the comparative advantage it has created if it wins Saturday’s election. Announced Wednesday, the commitment includes $3 million for quantum technology PhDs, and another $1 million to “kickstart” national collaboration on quantum…

    The post Labor pledges $4m to help retain quantum research talent appeared first on InnovationAus.com.


  • The federal government has questions to answer about its record $9.9 billion investment in the Australian spy agency’s cyber capabilities, including where the additional highly skilled workforce will come from, according to the Opposition. The federal budget, handed down by Treasurer Josh Frydenberg on Tuesday night, included the “biggest ever investment in Australia’s cyber preparedness”,…

    The post The $10b REDSPICE cyber showstopper: Labor has questions appeared first on InnovationAus.com.


  • The federal Opposition has backed growing calls from industry for a Council of Technology Regulators to be established to address the “ad hoc” nature of tech policy development in Australia. In additional comments to a report on online safety released this week, shadow assistant minister for cybersecurity Tim Watts and Labor MP Sharon Claydon said…

    The post Labor backs call for a Council of Tech Regulators to address ‘ad-hoc’ policies appeared first on InnovationAus.com.


  • Critical infrastructure legislation has been passed by the lower house before the national security committee has reported back on it, in what Labor says is a “departure from long-standing conventions” which sets a “disturbing precedent”. The Coalition brought on the last tranche of its critical infrastructure reforms for debate in the House of Representatives on…

    The post Labor accuses govt of ‘discarding national security conventions’ appeared first on InnovationAus.


  • Labor will drive a “step change” in the Commonwealth’s cybersecurity culture to counter the current secrecy and lack of accountability around the issue if it wins the election, shadow cybersecurity minister Tim Watts says. Addressing the Government Data Protection Summit, Mr Watts said recent reforms around cybersecurity will be for nothing if the culture problems…

    The post Labor flags ‘step change’ in Commonwealth’s cyber culture appeared first on InnovationAus.


  • Global cyber criminals will be hit with new targeted sanctions, such as travel bans and the freezing of assets, from the Australian government under Magnitsky-style reforms passed on the last sitting day of Parliament for the year. Both houses of Parliament on Thursday – the last sitting day of 2021 and potentially before the next…

    The post Global cyber criminals to be targeted under new Australian sanctions regime appeared first on InnovationAus.


  • Australia’s first Quantum Commercialisation Hub will be established with $70 million in federal government funding over the next decade as part of a push to develop and protect certain critical technologies and supply chains. The government’s backing of quantum, which also includes a commitment to develop a national quantum strategy and committee led by the…

    The post Quantum hub follows ‘critical tech’ recognition appeared first on InnovationAus.


  • There is a growing contest between democracies and a “new breed of autocrat” in the technology space, and Australia can’t afford to be “recalcitrant” in the global debate on this issue, shadow assistant cybersecurity minister Tim Watts says. In a speech to the Australian Information Security Association (AISA) Cyber Conference 2021 on Wednesday, Mr Watts…

    The post Australia can’t be ‘recalcitrant’ on global tech debates: Watts appeared first on InnovationAus.


  • Australia’s spy agency is “going hunting” for ransomware gangs “every night”, according to Home Affairs secretary Mike Pezzullo, who has reaffirmed the government’s commitment to an offensive cyber capability. At the same Senate Estimates hearing, it was revealed that the federal government’s new Ransomware Action Plan contains no new funding, and its mandatory notification scheme…

    The post Agencies ‘hunting every night’ with offensive cyber capabilities appeared first on InnovationAus.


  • Legislation allowing the government to take control of a company’s network as a “last resort” in the event of a cyberattack has sailed through the lower house despite a group of tech heavyweights labelling it “highly problematic”. The critical infrastructure bill was debated in the House of Representatives on Wednesday afternoon, with the Coalition moving…

    The post ‘Problematic’ critical infrastructure bill passes lower house appeared first on InnovationAus.


  • The federal government will introduce tougher penalties for ransomware criminals and a mandatory incident reporting scheme for large businesses that suffer an attack under a new ransomware action plan released Wednesday. The plan follows a series of high-profile ransomware attacks and warnings the risks to local companies had been growing in an Australian policy vacuum….

    The post New regime: Mandatory reporting of ransomware incidents appeared first on InnovationAus.


  • Ransomware is the biggest cyber threat facing businesses today, the national cyber agency has warned, as new statistics show the digital extortion method is now reported more than once a day in Australia. The Australian Cyber Security Centre’s annual threat report released on Wednesday revealed 67,500 cybercrime reports to the government agency last financial year…

    The post ‘The most serious cybercrime threat’ in Australia appeared first on InnovationAus.


  • Liberal senator and defence committee chair Eric Abetz has called on his government to hold a national cybersecurity summit in response to the growing threat cyberattacks pose to individuals and businesses. Senator Abetz, a government senator, has written to Home Affairs Minister Karen Andrews urging her to hold a summit of “industry experts, business leaders…

    The post Liberal senator calls for government cybersecurity summit appeared first on InnovationAus.


  • Legislation handing “extraordinary” new hacking powers to Australian authorities has sailed through Parliament with support from the Opposition, despite the government not implementing some of the recommendations from the national security committee.

    The Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) will now be able to access the computers and networks of those suspected of conducting criminal activity online, and even take over their online accounts covertly, under the Identify and Disrupt bill, which was passed by the Senate on Wednesday.


    Three new warrants will be introduced under the legislation, allowing authorities to “disrupt” the data of suspected offenders, access their devices and networks to identify them and take over their accounts.

    “Under our changes the AFP will have more tools to pursue organised crime gangs to keep drugs off our street and out of our community, and those who commit the most heinous crimes against children,” Home Affairs Minister Karen Andrews said.

    The government moved 60 amendments to the legislation in the lower house in response to the Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) report from earlier this month.

    The amendments included enhanced oversight powers, reviews in several years’ time by the Independent National Security Legislation Monitor and the PJCIS, the sunsetting of the powers after five years, and strengthened protections for third parties and journalists.

    The amendments meet 23 of the PJCIS’s 33 recommendations, while the government has agreed to implement several others through a broader reform of intelligence surveillance powers.

    But it rejected the national security committee’s call for a higher threshold in the issuing of warrants in terms of the crimes they can be applied for, and for warrants to only be approved by a judge, rather than a member of the Administrative Appeals Tribunal.

    Several Labor members raised concerns with this and echoed others raised by members of the civil and digital rights sector, as did government members of the PJCIS, but all eventually voted to pass the legislation.

    The bill was rejected by the Greens, which said the legislation is another step on the “road to a surveillance state”.

    The PJCIS had recommended that the type of crimes the warrants could be issued for be narrowed to those relating to offences against the security of the Commonwealth, offences against humanity, serious drug, weapons and criminal association offences, and money laundering and cybercrime.

    Currently, the broad new powers can be granted to combat a swathe of crimes, far further than the terrorism and other offences the government has pointed to in order to justify the need for the legislation.

    But the government instead raised the threshold for issuing the warrants to them being “reasonably necessary and proportionate”, up from “justifiable and proportionate”.

    Labor had wanted this to go even further, calling for changes to require the warrants only be issued for “serious offences”.

    Shadow assistant minister for immigration Andrew Giles said the government is “mischaracterising the breadth of the new powers”.

    “It is obviously much easier to justify the introduction of such powers by focusing on the most serious types of crime. No-one would argue with that in respect of crimes like child abuse and exploitation, and terrorism,” Mr Giles said.

    “But it is important that we engage in the more difficult task of justifying the introduction of extraordinary powers by reference to how the powers could actually be used.”

    The amendments “go a long way” to ensuring the powers can only be used to combat serious crime, but don’t go far enough, multiple Labor MPs said.

    Shadow assistant minister for cybersecurity Tim Watts said the warrants should only apply to serious offences.

    “This would be an important constraint on the use of these new warrant powers and would limit their application to offences that carry at least a maximum of seven years’ jail and other specified offences,” Mr Watts said.

    “While these powers do have international precedent, they also carry inherent risks. As currently drafted, the substance of this bill does not match the government’s rhetoric.”

    Liberal MP Tim Wilson, a member of the PJCIS, broke ranks to criticise the government for not adopting all of the committee’s recommendations.

    “I’ll be frank…and say that my preference would be more consistent with that of the committee. That’s why we made those recommendations,” Mr Wilson said.

    “I will not die in a ditch over them, because the purpose of the legislation is more important than the threshold, but I think the threshold test around warrants and their application, particularly with the new powers, is something that we as a Parliament need to review.”

    Despite these concerns, Labor offered support for the legislation in both houses, ensuring its quick passage.

    Mr Giles said the new warrants give “extraordinary” powers to authorities, and appropriate safeguards need to be in place.

    “Labor supports this bill. It’s an important bill which addresses very significant and worrying gaps in the legislative framework so as to better enable the AFP and the [Australian Criminal Intelligence Commission] to collect intelligence, conduct investigations, and disrupt and prosecute the most serious of crimes in an evolving environment,” Mr Giles said.

    “The process of the Parliament here has produced a bill that meets the very serious challenges required to respond to, with appropriate safeguards in place, some of which will require all of us to maintain our attention on their operation and adequacy.”

    Mr Watts blasted the government’s handling of the legislation.

    “It’s indicative of this government’s record in this place to rush through legislation on national security matters with little regard for process, particularly with national security legislation or even with more technical legislation,” he said.

    “While we support the bill, Labor members of the PJCIS do think … safeguards in this bill could go further, particularly in relation to the offences this bill applies to.”

    The Greens voted against the legislation in both houses, with Senator Lidia Thorpe unsuccessfully moving a number of amendments.

    “Really disappointed to see Labor and Liberal both vote in favour to increase police powers of online surveillance. We tried to make this bill better and include human rights protections for innocent people, but the Greens were outvoted by the major parties,” Senator Thorpe tweeted.

    “New warrants allow police to monitor online activity without accusing us of a crime. Take over our accounts and edit our data…making the AFP judge, jury and executioner is not how we deliver justice in this country.”

    Crossbench senator Rex Patrick also attempted to amend the legislation, raising concerns that the bill had been “dropped on the Senate in the very last minutes”.

    The post ‘Extraordinary’ hacking powers pass Parliament appeared first on InnovationAus.


  • The federal government must require greater transparency from the social media giants about COVID-19 misinformation following the large-scale anti-lockdown protests in Sydney and Melbourne at the weekend, shadow assistant minister for cybersecurity Tim Watts says.

    Thousands of people marched through the streets of Sydney and Melbourne to protest against lockdown restrictions in both cities, with reports the protests were organised through social media and driven by content on the platforms.

    A report from The Australian said that misinformation about the pandemic and the protests was spread on Facebook faster than the global tech giant was able to delete it.


    Mr Watts said that tech firms like Facebook had been spreading dangerous misinformation for years, and action needed to be taken to stop this.

    “These are minority, marginal views. A very tiny proportion of the population share these views but unfortunately the views of these people are amplified by social media platforms, and they’re more easily able to find other people with their stupid and selfish views on social media platforms, and they’re able to organise to the detriment of the entire country,” Mr Watts told InnovationAus.

    “The overwhelming majority of Australians understand that the way we need to beat this pandemic is through community action to stop the spread of this virus from one person to another.

    “A big problem we’ve seen in recent years is the business model of these social media platforms is driven by the promotion of engagement through outrage, division and conspiracy. That’s their business model, and it’s hurting our democracy and hurting our community.”

    There is a dearth of data from these companies on their actions to combat misinformation and the prevalence of it on their platforms, Mr Watts said, and addressing this is the first step to further regulations.

    “Facebook makes a number of claims about the good quality of information about COVID-19 that users are able to access on its platform, but it doesn’t share data around the volume of conspiracy theories and misinformation on COVID-19,” he said.

    “Independent researchers and academics aren’t able to access Facebook’s data to make assessments, and that leaves policymakers in a very difficult position, they’re only seeing a [small amount] of the evidence on the issue.”

    It was reported recently that Facebook was splitting up the independent team within it working on CrowdTangle, an analytics tool for social media posts acquired by the tech giant five years ago, because it was making the firm look bad.

    “Moves from Facebook to shut down existing transparency services like CrowdTangle give me great suspicion as a policymaker,” Mr Watts said.

    Last week Reset Australia called for greater transparency from the likes of Facebook about how algorithms are used to push anti-vaccination and COVID-19 misinformation content. The organisation called on the federal government to mandate that platforms post a “live list” of the most viral content surrounding COVID-19.

    Mr Watts said he is interested in pursuing these recommendations further as a starting point for new regulation.

    “The starting point needs to be looking at transparency mechanisms. It’s a very complex area of policy and I don’t have specific proposals now, but I’m interested in proposals around trying to create additional transparency to enable policymakers to better understand what is happening on these platforms,” he said.

    “I’m interested in understanding those proposals and understanding more. Transparency is an increasingly important focus point for policy intervention in this area.”

    Facebook’s algorithm is driving the prevalence of COVID-19 conspiracy theories and misinformation, Reset Australia executive director Chris Cooper said last week.

    “Social media’s unchecked algorithms are supercharging conspiracy theories and misinformation, pushing some people into echo chambers where false information is all they see,” Mr Cooper said.

    “Facebook’s algorithms are designed to pull us in and keep us online – but they don’t discriminate on what they’re engaging us with. If we want to stop the spread of misinformation online we actually need transparency about how these algorithms are operating and how we can moderate or disrupt their rabbit hole tendencies.”

    The proposal for a “live list” of COVID-19 content has been backed by the Doherty Institute, Immunisation Coalition and the Immunisation Foundation of Australia.

    “Australian authorities and the Australian public should be able to answer questions like: what kind of content is being amplified by these platforms? Who made it? What kind of demographics are consuming it?” Mr Cooper said.

    “To do that we need a live list of the most contentious issues our society is facing, so we can begin to tackle misinformation collectively and transparently. Self-regulation will not work. It is no longer acceptable to have a user-beware style model when it comes to social media and digital platforms.”

    With another anti-lockdown protest reportedly planned for this weekend, Facebook and other tech firms can and should act now, Mr Watts said.

    “The greatest frustration I’ve had with Facebook is they shut the gate after the horse has bolted. We know Facebook is able to act – they need to be far more proactive in dealing with it,” he said.

    It’s also important that the federal government leads by example, he said.

    “All of us have a responsibility for what we post on social media. It does matter for the Prime Minister to say to his party room members not to share this crap on Facebook, not to support conspiracy movements, anti-vaccination movements and anti-lockdown protest movements through Facebook pages,” Mr Watts said.

    The post The role of social media in COVID protests appeared first on InnovationAus.


  • The federal government has ordered its intelligence forces to go on the offensive against ransomware gangs, with a new cross-agency taskforce established and a near-tripling of the AFP officers focusing on the issue.

    A new taskforce, dubbed Operation Orcus, has been established, spanning agencies including the Australian Cyber Security Centre (ACSC), the Australian Federal Police (AFP), the Australian Criminal Intelligence Commission (ACIC), Austrac and state and territory police forces, The Australian reported.

    As part of this new taskforce, the number of AFP staff working directly with the ACSC on cyber issues will jump from 13 to 35.

    Home affairs minister Karen Andrews said that “time’s up” for ransomware gangs.

    “Time’s up for the organised criminals who prey on our schools, hospitals, businesses and private citizens with this despicable technology,” Ms Andrews said.


    “The Morrison government is protecting Australia’s digital economy with a new AFP-led operation against ransomware, and it has already invested $89.9 million to expand the AFP’s operational capabilities to disrupt and identify cybercrime as part of the government Cyber Security Strategy.

    “This strong action should come as no surprise. I’ve said consistently that increasing cybersecurity and cracking down on cyber crime are my top priorities.”

    But shadow assistant minister for cybersecurity Tim Watts said time should have been up a long time ago for ransomware groups.

    “While this taskforce is a welcome step, the Morrison government has missed every opportunity to take the basic actions needed to combat ransomware. Australian businesses and workers need a government that’s on their side in the fight against ransomware,” Mr Watts told InnovationAus.

    “Labor has been calling for a national ransomware strategy since February to combat the billion-dollar ransomware scourge which threatens jobs and livelihoods. The Minister now says ‘time’s up’ for ransomware crews. What on earth has the Morrison government been waiting for?

    “It’s past time the Morrison government put the full force of government behind fighting ransomware and developed a national ransomware strategy.”

    The new Australian taskforce announcement came just days after the US government stumped up its own cross-agency ransomware taskforce. Unlike Australia, the US has also offered up $10 million as rewards for information on ransomware threat actors.

    The federal government is also considering whether to make it illegal for insurance companies to provide cover for companies looking to make a ransomware payment in order to discourage this practice.

    The Coalition is looking to hand the AFP and other agencies significant further powers to access the online accounts of suspected criminals and “disrupt” their data, with this legislation currently the subject of a parliamentary inquiry.

    Ransomware has been a significant issue this year, driven by a spate of high-profile attacks on Australian businesses and institutions, and by Labor zeroing in and attacking the government for a lack of action in the space.

    In February the Opposition called for a national ransomware strategy, and Mr Watts last month introduced legislation which would introduce a mandatory reporting scheme for businesses looking to make a ransomware payment.

    A report by the Australian Strategic Policy Institute released last week said that a “policy vacuum” has made Australia an “attractive market” for hackers, and that ransomware will only get worse unless there are strategic domestic efforts to prevent it.

    In terms of ransomware this year, the government has launched a new awareness campaign, consulted with its business advisory group and has said it will work with international allies on the growing threat.

    Labor has previously called on the government to “release the hounds” on ransomware groups, with Mr Watts urging its spy agencies to actively try to disrupt their operations.

    It came after it was revealed that the Australian Signals Directorate did not take an offensive action against the group behind the ransomware attack on Nine, despite knowing who they were.

    Mr Watts said the ASD should establish a “target list” of the top 10 ransomware groups targeting Australia and ramp up efforts to disrupt them.

    The Labor legislation introducing a mandatory reporting scheme for ransomware attacks is likely to be debated in Parliament next month. Mr Watts said it “lays the foundation” for further enforcement actions against these groups, and would require businesses to notify the ACSC if they are going to make a ransomware payment in order to inform authorities and policy-making in the space.

    The post Govt establishes ransomware taskforce appeared first on InnovationAus.


  • Ransomware attacks will only get worse for Australia without strategic domestic efforts to thwart them, according to a new report which warns a “policy vacuum” has made the nation an “attractive market” for cyber attackers.

    The Australian Strategic Policy Institute report follows a spate of ransomware attacks in Australia and across the world, which have crippled services and infrastructure while costing organisations millions of dollars.

    The Opposition called for a national ransomware strategy in February and a mandatory notification scheme for Australia in June. International experts have also called for strategies as part of a coordinated response from national leaders and backed the use of notice schemes.

    But the federal government is yet to launch a formal ransomware policy or notification scheme, instead using a business advisory group, an awareness campaign and pledging to work with international allies against the threat.


    The latest report from ASPI said much more will be needed in Australia to combat the growing threat of ransomware, part of a $1 trillion “tsunami” of cybercrime.

    “A current policy vacuum makes Australia an attractive market for these attacks, and ransomware is a problem that will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed,” the report said.

    “Developing a strategy now is essential. Not only are Australian organisations viewed as lucrative targets due to their often low cybersecurity posture, but they’re also seen as soft targets.”

    Written by Cyber Security Cooperative Research Centre chief executive Rachael Falk and colleague Anne-Louise Brown, the ASPI report suggests several domestic policy levers to thwart ransomware attackers, which typically operate from foreign countries.

    “Such action is essential because the grim reality is that, when it comes to ransomware, prevention is the best response,” it said.

    The report’s policy recommendations include a mandatory notice scheme, a dedicated cross-departmental taskforce also involving state and territory representatives, greater clarity about the legality of ransomware payments, more transparency when attacks do occur, expanding the official alert system of the Australian Cyber Security Centre (ACSC), education programs to improve public and business understanding, and tax, procurement and subsidy measures to incentivise cybersecurity uplift.

    On the same day the federal government-funded ASPI report was released, Home Affairs minister Karen Andrews launched a discussion paper on regulatory reforms and voluntary incentives to strengthen cyber security across the economy.

    The paper estimates the cost of cyber security incidents to the Australian economy is $29 billion per year, or 1.9 per cent of GDP.

    “We cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security,” Minister Andrews said.

    Labor said the ASPI report echoes its continued calls for a ransomware strategy and a notification scheme.

    “By contrast, while the Morrison government never misses an opportunity for a dramatic press conference on cyber security it’s missed every opportunity to take the basic actions needed to combat this threat,” said shadow assistant minister for cyber security Tim Watts, who introduced a private members bill for a notification scheme last month which is yet to be listed for debate.

    “Instead it’s simply played the blame game, telling businesses it’s up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals.

    “Australian businesses and the workers they employ need a government that understands organisational IT security is only part of the response to the threat of ransomware.”

    The ASPI report concludes there is a key role for government to play in tackling ransomware but the problem is a shared responsibility.

    “While there’s no doubt that organisations must take responsibility for ensuring that their cybersecurity posture is up to scratch, there are practical and easily implementable steps the government can take to provide clarity, guidance and support,” it said.

    The post ASPI ‘soft target’ warning on ransomware appeared first on InnovationAus.


  • A renowned US cybersecurity expert has put weight behind calls for a mandatory ransomware payment notification scheme in Australia and said the country’s election administration system should be considered critical infrastructure.

    Cybersecurity expert and former United States Cybersecurity and Infrastructure Security Agency chief Chris Krebs appeared before the Parliamentary Joint Committee on Intelligence and Security on Friday, where he backed calls for organisations to be required to report to authorities when they have made a ransomware payment.

    Mr Krebs said a notification scheme would help authorities understand the scale of the problem and collect valuable intelligence on incidents.

    “We have to get to the denominator of ransomware attacks, and the easiest way to do that is to require ransomware victims to make a notification to the government…if you’re going to be engaging [in a] transaction with a ransomware group, that needs to be notified,” Mr Krebs told the inquiry, which is reviewing current and proposed critical infrastructure legislation.

    “The second [reason] is if you’re going to make the payment we also want to make sure the information, specifically the wallet to which the ransomware payment is going, can be tracked by law enforcement and intelligence officials to light up the economy.”

    Former US Cybersecurity chief Chris Krebs. Image: Department of Homeland Security/Tara Molle

    Last month, shadow assistant minister for cyber security Tim Watts introduced a private members’ bill which would establish a notification scheme, and called on the government to urgently support it following a spate of ransomware attacks around the world.

    Home Affairs Minister Karen Andrews told a business event shortly after that the government is “open to exploring” a mandatory reporting scheme but added it must follow an increased awareness of the problem.

    The Department of Home Affairs is reportedly considering a notification scheme, with secretary Mike Pezzullo saying he believes it is “likely” one would be rolled out soon.

    Following Mr Krebs’ evidence on Friday, Labor’s Mr Watts issued a statement calling for the government to urgently list his bill for debate when Parliament returns in August.

    “The Minister said when taking on the role in March cyber security was a ‘priority’ for her. It’s time we saw some real action,” Mr Watts said.

    “Ransomware is completely out of control in 2021. There has been an onslaught of attacks that threaten Australian jobs including JBS Foods, our biggest meat producer, the Nine Network, and multiple hospitals.”

    The US expert also called for Australia to consider election administration as critical infrastructure. Mr Krebs was fired by then-US President Donald Trump in 2020 for refuting his claims the 2020 presidential election was fraudulent.

    “I think there are elements of the election administration function that should absolutely be considered critical infrastructure, and that is the administration element,” he said.

    “That’s the systems, the machines, the counting process, the protocols around it — I think it’s, at least in the US, a step too far to call the political parties themselves as part of the infrastructure, but they do have certainly a contribution and a piece involvement.”

    The PJCIS is currently considering legislation which would see more Australian sectors considered “critical infrastructure”, including communications and data storage and processing.

    Mr Krebs said bad actors have been effective in disrupting elections with disinformation campaigns and “perception hacks”.

    “Those are the more pervasive, much harder to debunk, because there’s an asymmetry of the adversary,” he said.

    “Even if it’s domestic, it’s still an adversary, in this case, [a] domestic actor that is trying to undermine confidence in the process for their own outcomes.”

    The post US cyber expert backs ransomware notice scheme appeared first on InnovationAus.

  • The federal government is considering banning insurance reimbursements for companies opting to make ransomware payments, as the Opposition pushes for a mandatory notification scheme around these attacks.

    A House Committee inquiry last week heard from a number of Australian insurance companies, with Chair and Liberal MP Tim Wilson investigating insurance reimbursements for ransomware attack payments and the potential to make this illegal.

    Several of the insurance companies confirmed they do offer some coverage for companies making a ransom payment following a cyber-attack, and that these attacks are occurring far more frequently recently.

    Following the hearing, Mr Wilson said he would back legislation outlawing insurers making payouts to companies subject to a ransomware payment.

    “It seems pretty clear to me that allowing insurance to reimburse for ransoms just incentivises criminal behaviours, while also increasing premiums for other cyber risks and should be outlawed,” Mr Wilson said.

    Tim Wilson: “pretty clear” ransomware insurance incentivises attacks

    Insurance Australia Group CEO Nick Hawkins told the committee that the company does offer coverage for cyber-attacks and ransomware payments currently.

    “If there is a cyberattack on a business…we would cover that claim to a certain extent. If part of the cost ends up being some sort of cost to the negotiation and consultants and even potentially a ransom, my understanding is that that is of the coverage,” Mr Hawkins said.

    “None of those payments can contravene any laws. So if there is any sort of suggestion that payments are money laundering or if there are any acts or laws in the country that don’t allow it or that you are contravening by making this sort of payment, then that is an exclusion and that payment is not allowed to be made.”

    Mr Hawkins said that the prospect floated by Mr Wilson of banning insurance payouts for ransomware payments “sort of sounds sensible”.

    “Anything to incentivise this topic would be better, so yes, I can’t see any reason why what you suggested wouldn’t sound like a good idea,” he said.

    Marsh managing director Craig Claughton also confirmed the company insures against ransomware payments, and that these demands have increased “fairly significantly” in the last 18 months.

    “Most of our clients are terribly concerned about ransom demands being made upon them, so they’re looking for us to arrange cover if it’s available. Obviously, an insurance contract can’t do anything that’s against the law but, at the moment, provided it’s not in breach of any laws, insurers are willing to provide cover for ransom demands,” Mr Claughton said.

    There is a risk that this will incentivise ransomware attacks against Australian businesses, QBE Insurance Australia chief financial officer Chris Esson told the MPs.

    “We’re very conscious here of the risk that the availability of insurance for ransom might drive attacks. We do note that there’s a need to balance that against the fact that a ransom attack can be very possible for business, which is part of the market in which we operate,” Mr Esson said.

    “But we do suggest that these considerations need to be carefully balanced, and it would be an appropriate area to do more review.”

    Shadow assistant minister for cybersecurity Tim Watts criticised the fact the policy proposal was coming from Mr Wilson rather than the responsible ministers.

    “The leadership vacuum left by the Morrison government on ransomware is now being filled by its own backbenchers,” Mr Watts told InnovationAus.

    “The Morrison government missed every opportunity to act while ransomware escalated to a crisis point. It needs to show leadership now.”

    Mr Watts last week introduced a private members’ bill to the lower house which would launch a mandatory notification scheme for ransomware attacks, with companies subject to such an attack having to inform authorities about it before making a payment to the attackers.

    “Mandatory notification of ransomware payments is a sensible foundation for government action against ransomware. If the Morrison government wants to get serious about fighting ransomware it can support Labor’s private members bill introducing a mandatory payment notification scheme in the next sitting of Parliament,” Mr Watts said.

    Home Affairs minister Karen Andrews has said she is “open to exploring” the proposal, with the legislation set to be debated in August.

    The post Govt considers banning ransomware insurance appeared first on InnovationAus.

  • Labor has called on the federal government to urgently support its legislation introducing a mandatory ransomware notification scheme which “lays the foundation” for enforcement actions against cyber attacks.

    Shadow assistant minister for cyber security Tim Watts on Monday morning introduced a private members’ bill to the House of Representatives which would launch a scheme requiring organisations to notify the Australian Cyber Security Centre (ACSC) if they are planning to make a ransomware payment.

    This information would then be used to inform Australian authorities and policymaking in the space.

    The scheme would function in a similar way to the existing mandatory data breach notification scheme, which has been in place since early 2018.

    The Coalition is already reportedly considering such a scheme, with Home Affairs secretary Mike Pezzullo saying he believes it is “likely” that it would be rolled out soon.

    Speaking in Parliament, Mr Watts said the legislation would mark a first step in government action to combat the growing threat of ransomware attacks.

    “With this bill, Labor is showing the political leadership on cyber security policy that has been missing since the election of this Prime Minister,” Mr Watts said.

    “Such a scheme would be a policy foundation for a coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy and offensive cyber operations. There is an urgent need for this bill. Mandatory reporting of ransomware payments is far from a silver bullet for this national security problem but it’s an important first step.”

    The Opposition said there is “no reason” for the government to not support the bill, and called on it to list it for debate “as a matter of priority” when Parliament returns in August.

    The bill would establish a mandatory reporting requirement for Commonwealth entities, state or territory agencies, and corporations or payments who are making a payment in response to a ransomware attack.

    “This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups,” Mr Watts said.

    “And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks. Importantly, it will give us a fuller picture of ransomware attacks in Australia and the scale of the threat.”

    The legislation defines a ransomware attack as “when an unauthorised person accesses, modifies or impairs data and demands payment to repair or undo damage or prevent the publication of data”.

    Small businesses with annual turnover under $10 million will be exempt from the scheme, as would sole traders, unincorporated entities and charities.

    The entities will have to notify the ACSC of key details about the ransomware attack, the attacker and the payment to be made, including the cryptocurrency wallet details, the amount of the payment and the indicators of a compromise.

    Failure to notify the ACSC will result in a penalty under the new regime.

    The information will be held by the ACSC and shared in a de-identified way with the private sector through the threat-sharing platform, and will also be used by law enforcement and to inform policy making and track the effectiveness of policy responses.

    Mr Watts said Australia has reached a “crisis point” on ransomware attacks, pointing to several recent events, including one this month against JBS Foods, which eventually paid an $11 million ransom to the attackers.

    These ransomware attacks are an “intolerable burden on Australian organisations” and represent a “significant national security threat”, Mr Watts said.

    “The current trajectory of these attacks, and the traditional response to them – asking organisations to implement an ever-increasing uplift in cyber resilience – is inefficient and not sustainable,” he said.

    Last week the federal government launched a new public awareness campaign around the threat of ransomware, centred mostly on what companies can do to protect from these attacks and make it harder for cyber criminals.

    It is also considering implementing a mandatory reporting scheme on ransomware, according to Mr Pezzullo, as an extension to the 2020 Cyber Security Strategy.

    “I think we’re at a point, most advanced economies are at a point, where by some means, whether it’s mandatory reporting combined with other measures, that a much more active defence posturing is going to be required simply because of the prevalence of the attacks,” Mr Pezzullo said in a Senate Estimates hearing last month.

    The post Labor introduces ransomware notification bill appeared first on InnovationAus.

  • The federal government has launched a new public awareness campaign on ransomware, amid a sharp uptick in attacks and calls from the Opposition for a more concerted effort to combat them.

    With reports that there has been a 200 per cent increase in ransomware attacks against Australian organisations recently, the Australian government has launched the next stage of its Act Now Stay Secure public awareness campaign, focusing on this cyber risk.

    The campaign focuses on what companies can do to protect from these attacks and make it harder for cyber criminals.

    But many in the industry and the federal Opposition said this does not go far enough, and the government needs to launch a national ransomware strategy and urge its agencies to go on the offensive against criminal gangs.

    The govt has launched a new ransomware public awareness campaign

    Assistant minister for defence Andrew Hastie launched the new public awareness campaign on Tuesday after it was earlier dropped to the media.

    Following calls last week for Australian agencies to “release the hounds” on global ransomware groups and go on the offensive, Mr Hastie said this was already happening.

    “The ASD has used, and will continue to use, its broad range of offensive cyber capabilities to disrupt and bring cybercriminal syndicates targeting Australia to their knees. Offensive cyber is just one of the tools in Australia’s toolkits,” Mr Hastie said in a statement.

    Australian companies should access the new information available through the Australian Cyber Security Centre (ACSC) and report any ransomware attacks to the government, Mr Hastie said.

    “The ACSC provides vital advice and assistance to defend Australian businesses and individuals against ransomware, and brings together the ASD’s intelligence, offensive cyber and cybersecurity capabilities to defend Australia’s interests from malicious cyber actors,” he said.

    “The ACSC takes the information it learns from cyber attacks against Australian businesses, and uses it to warn and protect further Australian organisations from being targeted. I encourage Australian organisations to report their ransomware incidents to the ACSC so we can protect and warn all organisations and build better overall cyber defences for ‘Team Australia’.

    “Any cyber criminal operating on the dark web or hiding behind encryption should be on notice that the full range of Australia’s intelligence and law enforcement capabilities are being aimed at you.”

    The federal government is understood to be readying to launch a mandatory notification scheme for businesses subject to a ransomware attack, with Home Affairs secretary Mike Pezzullo recently saying it was “likely” that such a scheme would be introduced.

    The new ACSC campaign includes a prevention and protection guide for businesses with basic measures they can take to protect from ransomware attacks, including to turn on automatic updates, use two-factor authentication, perform regular backups, implement access controls, and use a cybersecurity emergency plan.

    Shadow assistant minister for cyber security Tim Watts said the government needs to be doing much more on ransomware than just a public awareness campaign.

    “Does anyone believe that if there had been a 200 per cent increase in crime from outlaw bikie gangs, Peter Dutton would respond with an ‘awareness campaign’? Why is the Morrison government so complacent and weak in the face of the threat of ransomware?” Mr Watts tweeted.

    “It’s time for a comprehensive National Ransomware Strategy to coordinate the government’s response to this threat.”

    Along with a national strategy, Mr Watts has also said the federal government should introduce the mandatory reporting scheme and take a more proactive approach to targeting the ransomware gangs.

    The post Govt launches ransomware awareness campaign appeared first on InnovationAus.

  • Last week ransomware became a literal barbeque stopper when JBS Foods, Australia’s largest meat processor, was paralysed by a ransomware attack mounted by Russian cybercriminals. All beef and lamb kills along the east coast of Australia were temporarily cancelled.

    JBS was able to get back up and running quickly enough to avoid barbeque meat shortages. But not before thousands of workers in Australia were stood down and an $US11m ransom payment was reportedly made by the company to the criminal group.

    The JBS attack was just the latest reminder of the national cost of ransomware. In 2021, ransomware attacks on Australian organisations have grown in frequency and scale including major attacks on eight hospitals, the Nine Network, political parties, accounting firms, consultancies, retailers, and chemical packaging companies.

    In total, it’s a billion-dollar a year scourge for our nation. A jobs and investment destroyer when we can least afford it.

    Our major allies are treating this threat with the urgency it deserves. The United States Department of Justice has established a dedicated ransomware taskforce providing the same level of centralised law enforcement coordination and attention to the issue that it does to terrorism.

    FBI Director Christopher Wray compared the recent wave of ransomware attacks and the challenges they present to 9/11. US President Joe Biden is also set to raise this in a bilateral meeting with Russian President Vladimir Putin at the weekend.

    By contrast, the Morrison Government’s primary response to the threat of ransomware amounts to little more than victim blaming. It tells Australian organisations they need to take additional steps to protect themselves from these increasingly sophisticated and resourced organised criminal gangs operating with impunity from the other side of the world.

    In an article in the Australian Financial Review on Thursday the Assistant Minister for Defence, Andrew Hastie, accused me of “denigrating” our security agencies by calling for his government to do more on ransomware. Far from it. The issue isn’t our agencies, who are some of the world’s best and do outstanding work, it’s a lack of urgency and leadership from the Morrison government.

    The debate about how best to defend against ransomware certainly begins with individual organisational IT security, but that’s far from the end of the conversation.

    Labor’s Shadow Assistant Minister for Cyber Security Tim Watts

    When Anne Neuberger, the U.S. Deputy National Security Adviser for Cyber and Emerging Technology, recently issued a memo to business leaders about what the Biden Administration was asking the business community to do in the fight against ransomware, she began by talking about what the U.S. government itself was doing to combat the threat.

    She told business leaders that the Biden Administration was “disrupting ransomware networks, working with international partners to hold countries that harbour ransomware actors accountable, developing cohesive and consistent policies towards ransom payments and enabling rapid tracing and interdiction of virtual currency proceeds”.

    Unfortunately, the Morrison government can’t tell Australian business leaders that it is doing its part.

    Since February, Labor has been calling for the Morrison government to develop a national ransomware strategy to ensure that government is doing all it can to combat these attacks across its policy, regulation, law enforcement, diplomacy and defence capabilities. We released a discussion paper outlining the options available to government in this fight to kick start the conversation.

    We’ve said that, at a minimum, this strategy should include the creation of a mandatory notification scheme for ransomware payments, allowing our law enforcement and intelligence agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups. We’ve also said that we need to get serious about using our signals capabilities to disrupt cybercriminals and deter attacks on Australian targets.

    To date, these ransomware crews have been able to target Australian organisations with impunity.

    We learnt at Senate Estimates in the last fortnight the Morrison government hasn’t deployed these considerable offensive cyber capabilities against the criminals who attacked the Nine Network or the hospital networks in Victoria and Queensland. We also learnt that there has only been one Australian prosecution for a ransomware attack in the last 12 months. The AFP told us they have no dedicated taskforce to coordinate law enforcement actions on this issue.

    The age of impunity for ransomware crews menacing Australian business must end.

    This weekend the G7 summit will take place in Cornwall. The Biden Administration has rightly placed ransomware on the agenda, with National Security Adviser Jake Sullivan saying that he wants to see an “action plan” on the international response to ransomware out of the meeting.

    The Prime Minister has an opportunity in Cornwall to move beyond the blame game on ransomware and demonstrate he’s on the side of Australian business against this threat. There are no silver bullets in the fight against ransomware. Everyone has a role to play. It’s time the Australian government did its bit and developed a national ransomware strategy.

    Tim Watts is Labor’s Shadow Assistant Minister for Cyber Security and the federal Member for Gellibrand.

    The post PM can’t miss his G7 ransomware opportunity appeared first on InnovationAus.

  • Labor has called on the federal government to get on the cyber offensive and “release the hounds” on global ransomware gangs following a series of high profile cyber-attacks against Australian companies and hospitals.

    Last week Australia’s largest meat processor JBS Foods was forced to shut down its local operations for a day following a ransomware attack against the global company that the US government has said originated from a Russian criminal organisation.

    Days later, the US Department of Justice confirmed that it would be upping its investigations of ransomware attacks to a similar level as terrorism.

    Speaking in Parliament last week, shadow cybersecurity minister Tim Watts said these events should be a wake-up call for the government, and reiterated his calls for a national ransomware strategy.

    “It’s a timely reminder of the economic cost of the scourge of ransomware – it’s a jobs and investment destroyer when the economy can least afford it. It also highlighted the urgent need for the Morrison government to adopt a national ransomware strategy to combat these attacks,” Mr Watts said.

    “The JBS Foods barbeque stopper should be a wake-up call for the Morrison government to finally take responsibility.”

    Mr Watts said the government should be proactive in its fight against ransomware gangs, and its spy agencies should be actively trying to disrupt these organisations.

    In Senate Estimates last week it was revealed that the Australian Signals Directorate (ASD) did not take any offensive operations against those responsible for the cyber-attack on Nine, despite appearing to know who was behind it.

    “As part of a national ransomware strategy, the Morrison government needs to get serious about using its signals capability to disrupt cybercriminals and deter attacks on Australian targets,” he said.

    “To date, these ransomware crews have been able to target Australian organisations with impunity. No wonder we’ve seen these attacks increasing in their scale and frequency. In general, the position of the Morrison government is not to tell us or the cybercriminals targeting Australia what they are doing to disrupt them. A secret deterrent is no deterrent at all.”

    The ASD should create a “target list” of the top 10 ransomware groups targeting Australia and ramp up efforts to disrupt their operations, he said.

    “The scourge of ransomware has become an intolerable burden on our nation – a $1 billion annual burden, collectively. It’s time that we said enough is enough. It’s time to release the hounds on these ransomware crews,” Mr Watts said.

    “Ransomware groups should fear the consequences of being added to ASD’s targeting list. We need to end the age of impunity for ransomware attacks and teach these ransomware groups that there are consequences for targeting Australian organisations with ransomware attacks and that these attacks are not worth the potential benefits.

    “The Morrison government has left Australian governments, businesses and community groups to combat these international ransomware groups for too long,” Mr Watts said.

    “It’s time it took responsibility, did its job and developed a national ransomware strategy. These groups are the modern day pirates, and it’s time we treated them that way.”

    Mr Watts also recently called for the government to implement a mandatory ransomware notification scheme, with businesses or individuals to report details of an attack to government agencies. At Senate Estimates last month, Home Affairs secretary Mike Pezzullo confirmed it was “likely” that such a scheme would be introduced.

    The post Time to ‘release the hounds’ on ransomware gangs appeared first on InnovationAus.

  • The government should establish a mandatory ransomware notification scheme similar to the existing data breach requirements, shadow cybersecurity spokesperson Tim Watts says.

    Speaking on a webinar hosted by CyberCX chief strategy officer and former Australian Cyber Security Centre (ACSC) head Alastair MacGibbon, Mr Watts called on the federal government to play a bigger role in combating the growing threat of ransomware.

    While not recommending that ransom payments to cyber attackers be made illegal, Mr Watts did say there should be a “price of entry regulatory regime” where companies or individuals who are subject to a ransomware attack should have to report it to authorities.

    “The mandatory data breach legislation is about telling individuals their information has been compromised. I think we need a parallel regime that says if you’re going to make a ransomware payment, we’re not going to ban you from doing that but we are going to require that before doing that you call up the ACSC, and we’re going to give you a standard form you have to fill out,” Mr Watts said.

    Tim Watts: Australia needs a ransomware notification scheme

    This form will include actionable threat intelligence about the ransomware threat, including who may be behind it, the cryptocurrency wallet used to receive the ransomware payment and the evidence of the compromise.

    “That’ll make sure that it is available to government, but that also through the system people can protect themselves too. If you move quickly enough there’s the possibility law enforcement could take action against crypto-exchanges before the money is pulled out of them,” Mr Watts said.

    “That’s the world we should be aiming to get to in terms of the law enforcement response.”

    Earlier this year Labor released a discussion paper urging the federal government to launch a national ransomware strategy with an aim of making Australia a less attractive target for cyber attackers.

    In March the government’s cyber advisory group released a ransomware report calling on Australian businesses to implement basic cybersecurity practices to mitigate the risk, but Mr Watts labelled this a “missed opportunity”.

    The shadow cybersecurity minister said there needs to be a mindset change within Australian agencies and law enforcement to combat the “age of impunity” around ransomware attacks.

    “Law enforcement is not doing enough. We’ve got some great talent within our law enforcement agencies but if you look at the institutional arrangements in Australia, the AFP have told us that in response to ransomware they’ll get involved only if it involves a Commonwealth entity, a piece of critical infrastructure or it is affecting the national economy,” Mr Watts said.

    “We should be ambitious, we should want to be a part of those international posses that are going after these crews. I want us to be at the top of those press releases, I want to send a signal to these people that if you come after Australian organisations, we’re going to keep chasing you.”

    These calls were backed by Mr MacGibbon, who said law enforcement should be looking to “throw sands in the gears of ransomware gangs” with a similar approach to its tactics against the international drugs trade.

    “I’m critical of them in this space. I often think it’s not dissimilar to trying to disrupt the international drug trade, where police post people to the countries that are either transit countries or the nations that are the source of these drugs,” Mr MacGibbon said.

    “Australian police post staff there in order to throw sand in the gears. We’re not trying to get rid of them but we’re trying to make it harder for them.”

    The post Labor calls for ransomware notice scheme appeared first on InnovationAus.

  • Aggressive nationally and internationally coordinated strategies are needed to tackle the growing threat of ransomware, according to an expert taskforce that included the US, UK and Canadian government cyber agencies.

    Australia was not part of the taskforce and the federal government is yet to develop a national ransomware strategy, leading to calls from Labor that Australia is being left behind.

    A coalition of global experts assembled by business group, the Institute for Security and Technology (IST), on Thursday released a strategic framework for combatting ransomware, which has quickly grown into a “serious national security threat and a public health and safety concern”.

    “This global challenge demands an ‘all hands on deck’ approach, with support from the highest levels of government,” the IST report said.

    A coordinated international response is needed to the growing threat of ransomware.

    The framework calls for coordinated global action to deter and disrupt ransomware attacks, and help organisations prepare for attacks and respond to them. According to the report, ransomware victims paid attackers more than US$350 million last year, more than triple the amount in 2019, and the average downtime from an attack was three weeks.

    “The immediate physical and business risks posed by ransomware are compounded by the broader societal impact of the billions of dollars steered into criminal enterprises, funds that may be used for the proliferation of weapons of mass destruction, human trafficking, and other virulent global criminal activity,” the IST report said.

    The number one goal of the framework proposed by the group is to deter ransomware attacks through a “nationally and internationally coordinated, comprehensive strategy” which would be led by the US.

    Labor has welcomed the report but says it highlights Australia’s increasingly isolated position of not prioritising the threat of ransomware at a national level.

    The Australian Cyber Security Centre has said that ransomware is the “highest threat” facing Australian businesses and governments in the cyber domain. But the government’s 2020 national cybersecurity strategy mentions it only twice: once in quoting a submission to the report and once advising where victims can report it.

    In March, a government advisory group released a report on ransomware urging businesses to implement basic cyber security. But it did not include any recommendations for government or any calls for new policies.

    Earlier this month, Australia signed a new communiqué with Five Eyes partners which included a commitment to share lessons on ransomware and, where possible, align national policies, public messaging and industry engagement.

    The Opposition released its own ransomware discussion paper in February and called for a dedicated national strategy.

    In response to the IST report, shadow minister for Home Affairs Kristina Keneally and shadow assistant minister for cybersecurity Tim Watts said the government is being left behind on ransomware.

    “While our major security partners are recognising the need for a plan to tackle this billion-dollar scourge plaguing business, we have yet to hear the Morrison Government’s strategy to address this critical threat to Australia’s economy and society,” a joint statement said.

    “Just in the last week we’ve seen ransomware attacks on two Brisbane hospitals and a Geelong secondary school. This followed the major ransomware attack on the Nine Network last month.”

    The IST’s ransomware taskforce included cyber industry leaders, academics, and representatives from the UK National Crime Agency, US Cybersecurity and Infrastructure Security Agency, US Federal Bureau of Investigation, U.S. Secret Service and the Royal Canadian Mounted Police’s National Cybercrime Coordination Unit.

    The post Expert cyber cohort call out on ransomware appeared first on InnovationAus.


  • Two years after promising “tough” new penalties for data breaches, the government is still yet to actually introduce the reforms, despite acknowledging at the time that the current scheme “falls short”.

    In March 2019, Attorney-General Christian Porter and then-Communications Minister Mitch Fifield unveiled a new penalty regime under the Privacy Act, in the wake of the Facebook and Cambridge Analytica data scandal.

    The government said it would increase the current maximum penalty for a data breach from $2.1 million to $10 million, or 10 per cent of the company’s annual domestic turnover.

    Data breach? The urgency about penalising data breaches has left the building

    The reforms would also give the Office of the Australian Information Commissioner (OAIC) new infringement notice powers, with new penalties of up to $63,000 for companies and $12,600 for individuals who fail to assist in resolving a breach.

    A spokesperson for the Attorney-General’s department said draft legislation for the reforms would be released for consultation in May, after it was initially promised in the second half of 2019.

    In Senate Estimates on Tuesday, representatives from the Attorney-General’s department said this delay was due to the focus on COVIDSafe and “other priorities”.

    This is despite the draft legislation being promised well before the onset of the COVID-19 pandemic.

    At the time, the federal government said that the “existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations”. These protections and penalties are still in place now, two years later.

    Shadow assistant minister for cybersecurity Tim Watts criticised the delay, pointing to the fact the OAIC is still yet to seek a financial penalty for a data breach under the current scheme.

    “In typical Morrison government fashion, despite tough talk and media fanfare these reforms were announced but never delivered,” Mr Watts said.

    “The Attorney-General has acknowledged the problem but two years on has failed to get on with the job of making the necessary changes.”

    At a Senate Estimates hearing on Tuesday night, Attorney-General’s deputy secretary Sarah Chidgey said the legislation had now been “substantially” drafted ahead of its release in the coming months.

    “The team that works on the legislation and the Privacy Act review has also dealt with other priorities, for example the COVIDSafe legislation. That took quite a significant effort to deal with some of those issues,” Ms Chidgey told the Senators.

    The department is undertaking a significant review of the Privacy Act following the competition watchdog’s digital platforms inquiry. The review was launched in late 2019. Submissions to this review have been used to inform the data breach penalties legislation, the department said.

    The final report from this review is expected to be handed to the government by October.

    Australian Information Commissioner Angelene Falk said she would welcome the increase in her powers to match those of the Australian Competition and Consumer Commission, and those in the European Union’s General Data Protection Regulation (GDPR).

    “It’s fair to say that the GDPR does contain additional rights and obligations and it’s to that end that I’ve made a submission to the government’s review of the Privacy Act and made some recommendations that we ought to consider some of those international developments,” Ms Falk said at Estimates.

    “I welcome changes and improvements to the regulatory toolkit that I currently have and I’m looking forward to the legislation that goes to these matters and the progress of the review that more broadly is being conducted by the department.”

    The post Govt drops ball on data breach penalty reform appeared first on InnovationAus.


  • The Online Safety Bill will not be passed by Parliament until May at the earliest, despite the rushed process behind the federal government’s controversial legislation.

    The Online Safety Bill was introduced to the Senate last week. It extends the eSafety Commissioner’s takedown scheme to Australian adults, allows for the issuing of removal notices for content deemed to be R18+ or higher, and allows sites or apps to be ordered blocked if they fail to comply.

    There are significant concerns around the legislation, including the discretion it hands the eSafety Commissioner, its potential impact on sex workers and activists and the potential to further undermine encryption.

    The eyes have it? The Online Safety Bill is still before parliament

    The government revealed a number of amendments to the legislation following negotiations with the Opposition, centred around improved transparency and reviews of the sweeping new powers.

    But the bill wasn’t brought on for debate and was not passed before Parliament rose for the sitting week. With Senate Estimates this week and the Easter break, Parliament does not return for a full sitting week until the end of May, presenting the next opportunity for the Online Safety Bill to be passed into law.

    Shadow assistant minister for cybersecurity Tim Watts said the Opposition would continue to work with the government on the proposed amendments during this delay.

    “Despite significant delays and much media spruiking the government still hasn’t been able to deliver legislation that adequately addresses serious stakeholder concerns,” Mr Watts told InnovationAus.

    “It’s been two and a half years since the Briggs Review recommended a new Online Safety Act. Instead of getting on and delivering it, the government has been spruiking the Bill in the media as if it were already law for two years.”

    The government could have used this extra time to consult on the legislation and address the issues around it, Electronic Frontiers Australia board member Justin Warren said.

    “It is disturbing that the government plans to hand a large amount of largely unchecked power to a single person when it hasn’t even figured out how to safely use that power,” Mr Warren told InnovationAus.

    “The current Commissioner told the Senate that ‘this is the sausage being made right now’. ‘Move fast and break things’ is what got us in this mess in the first place,” Mr Warren said.

    “These are not new issues, so it is entirely reasonable for us to expect the government to have figured out these details before asking for more power. It’s just another example of the government not doing its homework and then rushing to turn in something, anything, at the last moment. Australians deserve better.”

    The short process from revealing draft legislation to introducing it into Parliament has led to a number of issues, Mr Warren said.

    “EFA is very disappointed that the government has ignored the detailed and constructive feedback on the bill from a broad and diverse cross-section of Australian society. When this many people, who frequently disagree with each other, are all telling you you’ve got it wrong, you should pay attention,” he said.

    “The hasty drafting of the legislation has removed a variety of oversight mechanisms and safeguards that already exist, while extending Australia’s outdated censorship regime to cover private, person-to-person messages.”

    The two-month delay comes after a rushed process where the government only provided three working days for stakeholders to make submissions to a Senate committee inquiry into the bill.

    A draft version of the Online Safety Bill was unveiled in December last year, with a consultation process running over the summer break to 14 February.

    Despite receiving nearly 400 submissions, the government introduced the bill to the lower house just 10 days later.

    The submissions also weren’t made public until after the legislation was introduced to Parliament.

    The bill was quickly referred to a Senate committee, with further submissions due just three working days later.

    The committee soon gave the legislation the green light, and it was passed by the House of Representatives last week with bipartisan support.

    Labor voted in favour of the bill but raised a number of concerns and flagged further amendments in the upper house.

    The government announced it would be amending its own legislation in the Senate to require reporting on the eSafety Commissioner’s use of the powers and the formulation of a reviews scheme within the office.

    Tim Watts said the timeframe around the legislation “undermined confidence” in it.

    “It is disappointing that the government has proved incapable of conducting a process that satisfies stakeholders in terms of process and substance,” Mr Watts said in Parliament.

    The Greens will be voting against the legislation because it is “poorly drafted and could lead to widespread, unintended consequences”.

    The post Why the rush? Online Safety Bill still not passed appeared first on InnovationAus.
