Tuesday, November 26, 2024

Australia’s Cyber Security Act focuses on fortifying cyber defenses, protecting critical infrastructure


The Australian Parliament enacted on Monday a cybersecurity legislative package to bolster national cyber defenses and resilience. The package includes the Cyber Security Act 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024. The Cyber Security Act implements seven initiatives first proposed under the Cyber Security Strategy.

“The Australian government is delivering on its commitment to secure Australia’s cyber environment and protect our critical infrastructure,” Tony Burke, Minister for Cyber Security, said in a statement. “The government has passed into law Australia’s first standalone Cyber Security Act, a key pillar in our mission to protect Australians from cyber threats. This package forms a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber landscape.”

The legislation mandates security standards for smart devices; mandatory obligations on certain businesses to report ransomware and cyber extortion payments; a ‘limited use’ obligation that restricts how cyber security information voluntarily provided to the National Cyber Security Coordinator can be used and disclosed; and the establishment of a Cyber Incident Review Board to conduct post-incident reviews into significant cyber security incidents. 

The Cyber Security Act is set to enhance protections for Australians and businesses, address existing cyber risks, and improve the Government’s understanding of the threat landscape to guide protections, incident responses, and future policies. 

Key measures include: 

  • Mandating security standards for smart devices connected to the internet or networks (commonly known as Internet of Things (IoT) devices);
  • Requiring mandatory reporting by entities that, following a cyber incident, receive a ransomware or extortion demand and choose to make a payment or provide a benefit in response; 
  • Imposing a ‘limited use’ obligation on how cyber incident information shared with the National Cyber Security Coordinator can be used and shared with other government bodies, including regulators; and 
  • Establishing a Cyber Incident Review Board to conduct post-incident analyses of significant cybersecurity events.

Ransomware and cyber extortion are major cybercrime threats in Australia, encrypting systems or threatening data release unless a ransom is paid. Effective threat intelligence requires data on incidents, types of ransomware, exploited vulnerabilities, and whether payments were made. 

The legislation mandates reporting to the Department of Home Affairs for entities making ransomware payments, addressing underreporting issues. Currently, only 20 percent of victims report attacks, limiting government insight into impacts. The mandatory reporting aims to balance regulatory impact and industry burden, enhancing government understanding and enabling tailored advice to improve cyber resilience and response.

The Cyber Security Act triggers a mandatory ransomware payment report when three conditions are all met: 

  • a cyber security incident has occurred, is occurring, or is imminent, and has had, is having, or could reasonably be expected to have a direct or indirect impact on the reporting business entity; 
  • an extorting entity makes a demand of the reporting business entity, or of a third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or its impact; and 
  • the reporting business entity provides, or is aware that another entity directly related to it has provided, a payment or benefit to the extorting entity that is directly related to the demand.

This obligation will commence at least six months after the Cyber Security Act receives royal assent, or on an earlier date set by proclamation. The reporting obligation applies broadly to any organization that is a responsible entity for a critical infrastructure asset, and to any other private sector organization carrying on business in Australia with an annual turnover exceeding a threshold that is still to be specified but is likely to be A$3 million.

Ransomware payment reports must be made within 72 hours of the payment being made, and a failure to comply attracts a civil penalty of up to 60 penalty units (currently A$93,900 for a body corporate, which faces five times the individual rate). There are, however, restrictions on how the government can use or further disclose the information provided in such reports.

The limited use obligation within the Cyber Security Act applies to information submitted to the National Cyber Security Coordinator by an entity during the incident response phase of a cybersecurity incident. This obligation also extends to entities acting on behalf of the affected party. If an incident response service provider is involved, any information shared with the National Cyber Security Coordinator is similarly protected. 

Additionally, any government agency receiving this information is restricted to using it solely for the intended purpose. Importantly, the information provided is not admissible in regulatory proceedings. However, the limited use obligations do not prevent law enforcement or regulators from utilizing their existing powers to collect and use this information for regulatory or law enforcement activities. The Cyber Security Act does not specify a time limit for how long the information remains under the limited use obligation.

“The Government’s view is that not only are Government agencies such as the Australian Signals Directorate well placed to assist organisations in responding to cyber incidents, but greater information on current threats may prevent other organisations being subject to similar incidents,” Corrs Chambers Westgarth, an Australian commercial law firm, detailed in a Monday statement. “This limited use protection responds to feedback received from the business community that disclosing information about a data breach to government cyber agencies may risk exposing the organisation to further regulatory or enforcement action, or to adverse publicity and litigation.” 

The statement added that the concern is that, if a disclosure were later found to be contrary to the organization’s best interests, the directors who approved it would risk being in breach of their duties, exposing them to potential enforcement action from ASIC. “The Cyber Security Act does not go so far as to create a safe harbour but does limit the purposes for which information contained in a ransomware payment report or voluntarily provided to the NCSC in the context of a significant cyber security incident can be used or disclosed, e.g. to assist the reporting entity in responding to the incident.”

The Cyber Security Act expressly states that providing information under these provisions does not affect any claim of legal professional privilege over the information provided. While this limited-use protection should give organizations greater comfort when disclosing information to the government, it is not a safe harbor, and there are some notable gaps in the protection it affords. 

Entities should also note that they may choose not to respond to requests for information from the National Cyber Security Coordinator; that they cannot share information received from the National Cyber Security Coordinator under the limited use obligation, nor use it for any purpose other than the one for which it was shared; and that those with existing cyber security incident reporting obligations cannot use this voluntary information sharing to replace their mandatory reporting requirements.

Earlier this month, Australia’s Cyber and Infrastructure Security Centre (CISC) published the second edition of the Critical Infrastructure Annual Risk Review as part of Critical Infrastructure Security Month. This edition focuses on current and emerging risks to Australia’s critical infrastructure throughout 2024, which faces constant threats of disruption that, if unaddressed, could significantly impact essential services relied upon by Australians. It also addresses the threats and hazards to Australia’s critical infrastructure, covering emerging and ongoing risks to national security and economic stability.

Before that, in October, Australian cybersecurity agencies joined their U.S. and other international partners to publish a guide describing six principles for creating and maintaining a safe, secure critical infrastructure OT (operational technology) environment. Titled ‘Principles of Operational Technology Cybersecurity,’ the document sets out that safety is paramount; knowledge of the business is crucial; OT data is valuable and needs to be protected; OT should be segmented and segregated from all other networks; the supply chain must be secure; and people are essential for OT cyber security.
