The Cybersecurity Act

Recently, there has been talk of changing the law around ransom payments and the reporting of cybersecurity incidents. We looked at the most recent information on these changes.

In recent years, cyberattacks on Australian businesses have distinctly increased.

The scale of these attacks, which have affected high-profile companies like MediSecure, Optus, and Latitude, underscores the growing problem of cybercrime. Ransomware attacks, and the ransoms being demanded, have grown with it. This has prompted a response from the government, which wants visibility of the ransom payments that are currently made in secret.

The Australian Cyber Security Centre (ACSC) reported a staggering frequency of cyber incidents, with notifications occurring on average once every six minutes during the 2022/23 period. Ransomware attacks alone have surged roughly five-fold since the onset of the COVID-19 pandemic, reflecting a broader increase in cyber threats. 

These statistics are alarming, but they do not show the full picture: it is likely that billions of dollars go towards ransom payments annually. Much of this money is ultimately reinvested in further attacks, exacerbating the threat landscape further.

In response to the crisis, the Australian government has released the Cybersecurity Act, a landmark piece of legislation aimed at improving transparency and accountability in dealing with ransomware attacks. The new law mandates that 1,000 entities involved in "critical infrastructure," including sectors like energy, healthcare, and banking, must report ransom payments.

However, the broader reporting requirements remain inconsistent and often ignored, as highlighted by a recent survey.

The survey reveals a paradox: while 72% of respondents claim their organizations adhere to a public "do not pay" policy, 54% admitted that their employers had paid a ransom in the past six months. Moreover, 60% of those surveyed indicated their organizations might pay over USD 1 million in ransom, with one-third open to payments exceeding USD 3 million.

Critics argue that the new rules could predominantly affect small businesses, to the point of shutting some down. Despite this, the government is still going forward with its efforts to increase visibility and control over ransomware payments.

One positive development in the legislative package is the proposal to establish a "Cyber Incident Review Board," modeled after similar bodies in the aviation industry. This board would facilitate learning from major breaches and help improve response strategies. "Australia is playing catch-up in this area, and it's crucial that we implement systems akin to those already in place in the US and the UK," says Professor Weaver, a cybersecurity expert. 

However, she identifies a critical gap in this approach: the need for new regulations to prevent the accumulation of excessive data, which she refers to as "data lakes." Reducing the amount of unnecessary data collected and retained by businesses and government entities could mitigate the risks associated with data breaches and limit the impact of future incidents.

In summary, while Australia's new cybersecurity law represents a significant step forward in addressing the ransomware epidemic, there are still challenges to overcome. Balancing transparency, regulatory compliance, and data management will be key to strengthening the nation's cyber defenses and protecting its critical infrastructure from future attacks. 
