The Australian government rolled out Wednesday a Cyber Security Legislation Package to enhance the security and resilience of Australia’s cyber environment and critical infrastructure. Subject to the passage of the ‘Cyber Security Bill 2024’ legislation this week, Australia will have its first standalone Cyber Security Act to ensure strong laws and protections through a clear legislative framework. The proposed bill prescribes minimum security standards for smart devices, ransomware reporting obligations, ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD); and a Cyber Incident Review Board.
The Cyber Security Bill 2024 comes as the federal government is currently “facing a heightened geopolitical and cyber threat environment, placing pressure on our collective cyber resilience and security. The protection of our cyber security and critical infrastructure is vital to Australia’s national security and economic stability.”
The Cyber Security Legislative Package will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy, addressing legislative gaps to bring Australia in line with international best practices and take the next step to ensure Australia is on track to become a global leader in cyber security. These measures will address gaps in current legislation to mandate minimum cyber security standards for smart devices; introduce mandatory ransomware reporting for certain businesses to report ransom payments; introduce a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD); and establish a Cyber Incident Review Board.
The package will also progress and implement reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act). These reforms will clarify existing obligations concerning systems holding business-critical data; enhance government assistance measures to better manage the impacts of all hazards incidents on critical infrastructure; simplify information sharing across industry and government; introduce a power for the government to direct entities to address serious deficiencies within their risk management programs; and align regulation for the security of telecommunications into the SOCI Act.
The measures in the Australian legislative package were informed by an extensive consultation process, including the release of the Cyber Security Legislative Reforms Consultation Paper in December 2023 and targeted consultation on an Exposure Draft package last month. This unified effort of government, industry, and the community will be better positioned to prevent and respond to emerging threats and support the protection of Australia’s cyber environment and critical infrastructure now and in future.
The Cyber Security Bill 2024 mandates that manufacturers and suppliers of smart devices comply with specified security standards, which is an important move for businesses involved in the production or distribution of smart devices. Non-compliance can result in compliance notices, stop notices, and recall notices. These measures are designed to ensure that smart devices are secure and do not pose a risk to users.
To date, Australia’s voluntary approach to smart device security is fragmented and insufficient. In 2020, the Government introduced a voluntary Code of Practice, ‘Securing the Internet of Things for Consumers’, which set out guidance for smart device manufacturers and suppliers aligned to an existing European standard. In 2021, a government study of manufacturers’ uptake of the voluntary Code of Practice revealed low levels of adoption across the country.
Since then, smart devices have become more ubiquitous in Australia, in large part due to advancements in technology that lower costs for consumers, provide greater availability and choice, and address the growing need for connectivity. During public consultation on the development of the Bill, there was consensus among the Australian government, industry, and consumers, to support a mandatory approach to uplift the cyber security of smart devices in Australia.
The Cyber Security Bill 2024 will also establish an enforcement and compliance regime that will provide the Secretary of Home Affairs the ability to issue enforcement notices to responsible entities if they cannot provide a statement of compliance for a specific device or the statement cannot be verified. These enforcement notices are compliance notices, where a receiving entity is required to take specified steps or actions to address an identified issue of non-compliance; stop notices, where a receiving entity will be required to stop or refrain from doing a particular action; and recall notices, where a receiving entity will be required to take specified steps to arrange for the return of the product to the entity or the manufacturer of the product.
On ransomware reporting obligations, the Cyber Security Bill 2024 prescribed that entities impacted by cyber security incidents and making ransomware payments must report these payments within 72 hours. The overall aim of this obligation is to improve the detection and response to ransomware incidents, thereby reducing their impact. Failure to report can result in civil penalties.
The Cyber Security Bill 2024 when enacted will require a mandatory report to be made when a cyber security incident has occurred, is occurring or is imminent and has had, is having, or could reasonably be expected to have, a direct or indirect impact on a reporting business entity. Also, when an extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity to benefit from the incident or the impact on the reporting business entity. The reporting business entity provides or is aware that another entity, directly related to the reporting entity, has provided a payment or benefit to the extorting entity that is directly related to the demand.
The Bill, when enacted, uses the definition of a cyber security incident from the SOCI Act, with a small modification to include interception of communication. This ensures that when information is intercepted, an extortion demand is received and a payment is made with that information, those incidents will be captured by the Bill.
The Cyber Security Bill 2024 when enacted will establish a ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator during a cyber security incident can be shared to and used by other Australian Government entities, including regulators. The obligation complements the ‘limited use’ obligation proposed to be inserted into the Intelligence Services Act 2001 (ISA), via the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024.
ASD and the National Cyber Security Coordinator play a pivotal role in responding to cyber security incidents and timely engagement by industry is essential to ensuring cyber security incidents can be mitigated and managed as soon as possible. However, ASD has observed that cyber security incident reporting and engagement between industry and the government during a cyber security incident has plateaued. This suggests an overall reduction in comprehensive and/or timely reporting and engagement between industry and the government, limiting the help the Government can offer in responding to a cyber security incident and harming cyber security outcomes for Australia.
There have been some instances of cyber security incident response and recovery being treated as a legal issue, with some entities routinely bringing legal counsel to engage with the government directly, out of fear that any information they provide may be circulated amongst government agencies and to regulators, to be used against them in future regulatory and law enforcement proceedings. This problem remains an active barrier to timely engagement between industry and the government.
The limited use obligation, as outlined in this Bill, is intended to assure industry and other entities that when they require the help of the Australian Government to manage the consequences of a cyber security incident, they can receive it promptly, and in a meaningful way.
To give effect to the limited use obligation, this Bill will legislate the role of the National Cyber Security Coordinator concerning a cyber security incident. The National Cyber Security Coordinator has a pivotal role in cyber security incident response, by coordinating and triaging whole-of-government action in response to significant cyber security incidents. This may include collaboration with industry and the private sector, as well as State and Territory governments (through the National Coordination Mechanism).
The National Cyber Security Coordinator will also inform the Minister of Cyber Security and the Government in relation to whole-of-government action taken in response to a cyber security incident. Currently, the National Cyber Security Coordinator is significantly impeded by the inability or reluctance of certain affected entities to voluntarily engage and share information to assist in the response, fearing regulatory and law enforcement action.
The Cyber Security Bill 2024 also seeks to establish a Cyber Incident Review Board, such as the Cyber Safety Review Board (CSRB) in the U.S. The Board as an independent, advisory body with a clear remit to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. Following such a review, the Board will also disseminate recommendations to both Government and industry to strengthen Australia’s collective cyber resilience. This is particularly important for driving constant improvement within both the public and private sectors as cyber-enabled interference grows.
To effectively carry out these functions, the Board will be enabled with limited information gathering powers to compel information from entities involved in the cyber security incident under review, only where voluntary requests for information have been unsuccessful.
The Minister for Cyber Security will have an oversight role about the appointments and dismissals of the Chair and standing members of the Board, as well as approving Terms of Reference for individual reviews. The Board will otherwise be independent and is not subject to direction from any person or body, including by the Minister for Cyber Security, in the performance of its functions.
“The Cyber Bill is part of a legislative package of reforms that also includes amendments to the Intelligence Services Act 2001 and the Security of Critical Infrastructure Act 2018,” law firm A&O Shearman identified in a Wednesday publication. “Organisations should determine if they are subject to the Cyber Bill and if they are, they should, among other things, make sure to implement security standards in compliance with the specified security measures currently provided for in the Cyber Bill, and make sure they can comply with the ransomware reporting obligations including the timelines foreseen in the Cyber Bill.”
Earlier this month, Australian cybersecurity agencies joined its U.S., and other international partners to publish a guide describing six principles that guide the creation and maintenance of a safe, secure critical infrastructure OT (operational technology) environment. Titled ‘Principles of Operational Technology Cybersecurity,’ the document outlines that safety is paramount; knowledge of the business is crucial; OT data is valuable and needs to be protected; segment and segregate OT from all other networks; the supply chain must be secure; and people are essential for OT cyber security.