The Australian government has revealed it is considering using new sanctions powers against cyber-attackers for the first time, sparking calls for the Medibank hackers to be the initial targets.
The Magnitsky-style sanctions laws that were introduced in Australia a year ago include a world-leading measure to allow travel bans and asset freezes on those deemed responsible for “significant” cyber-attacks.
In an unusually frank disclosure, the Department of Foreign Affairs and Trade confirmed it had now provided advice to the minister, Penny Wong, about using these cyber-related powers.
“Yes,” it said in a newly tabled response to a Senate question on notice. “The department routinely provides advice to ministers on possible sanctions measures, including cyber sanctions.”
A Dfat spokesperson told Guardian Australia the legislation allowed for sanctions to be imposed in relation to significant cyber incidents, and the government “keeps its sanctions settings under consideration”.
But the government would not speculate about specific listings in advance, the spokesperson added.
The shadow minister for cybersecurity, James Paterson, said he was “encouraged and hopeful that the government will go down this path”.
“Of course, the opposition would provide very strong bipartisan support for any cyber sanctions they want to announce,” said Paterson, who extracted the confirmation through the Senate estimates process.
Paterson said the most likely starting point for such sanctions would be cyber incidents that have already been publicly attributed by the Australian government, including the Russian criminals responsible for the Medibank hack.
“In the words of the government, these criminals have done things that other cybercriminals are unwilling to do, which is target people’s personal health information and release it on the dark web to punish people,” he said.
“That crosses a number of lines. This is not run of the mill – this is especially egregious – and it has to be backed up with action against them.”
To date, the government has not named the individuals it believes responsible for the “totally reprehensible” publication of sensitive health information taken from Medibank, understood to include procedures claimed by policyholders related to the termination of pregnancy and miscarriages.
But the Australian federal police commissioner, Reece Kershaw, has said he is in possession of intelligence that hackers in Russia were responsible for the Medibank data breach. “To the criminals – we know who you are,” he said in November.
Paterson conceded the hackers were unlikely to come to Australia on holiday so would not be directly affected by travel bans, but this should not stop the Australian government from “using every tool we have available” to deter malicious cyber activity.
“We should be making the world a smaller and less welcoming place for them,” he said.
“If we don’t put a price on it we’re going to have more of this behaviour.”
Other cyber incidents to have been attributed by the Australian government include the targeting of Queensland government-owned electricity generator CS Energy by the Russian-aligned Conti ransomware group in November 2021.
Last year the Morrison government joined with allies to accuse China’s ministry of state security of malicious cyber activity by exploiting vulnerabilities in the Microsoft Exchange software.
Since the Albanese government came to office, its Australian Cyber Security Centre has linked the Iranian government’s Islamic Revolutionary Guard Corps to the “active” targeting of Australia, UK, US and Canadian organisations.
Last weekend Wong announced she was using another part of the Magnitsky sanctions laws to target Iran’s morality police and Iranian and Russian individuals linked to human rights abuses.
On Monday Dfat summoned Iran’s top diplomat in Canberra to register deep concern over the execution of an anti-government protester. It is the sixth time Dfat has taken this step since the crackdown on protests began in September.
A spokesperson said the Australian government would “continue to make representations to Iran over its egregious human rights abuses and use of the death penalty”.
