This week, the Albanese government introduced legislation that it hopes will revolutionise Australia’s cyber security preparedness and protect businesses and consumers from cybercrime.
If passed, the legislation will be Australia’s first standalone cyber security act.
In a statement, the Department of Home Affairs said: “We are currently facing a heightened geopolitical and cyber threat environment, placing pressure on our collective cyber resilience and security.
“The protection of our cyber security and critical infrastructure is vital to Australia’s national security and economic stability.
“This week, subject to the passage of this legislation, Australia will have its first standalone Cyber Security Act to ensure strong laws and protections are in place through a clear legislative framework.
“The Cyber Security Legislative Package will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy, addressing legislative gaps to bring Australia in line with international best practice and take the next step to ensure Australia is on track to become a global leader in cyber security.”
A focus on ransomware
The laws focus on victims of ransomware, malicious software that cyber criminals use to block access to data until a ransom is paid. Paying is no guarantee of recovery: victims frequently do not regain access to their data even after the ransom is handed over.
Under the new law, certain businesses that make a ransomware payment must report it to authorities, giving the government visibility of these attacks and of the financial losses they cause.
The legislation also introduces a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate, restricting how those agencies can use information that businesses provide about cyber incidents, with the aim of encouraging more open reporting.
Organisations in critical infrastructure sectors, such as energy, transport, communications, health and finance, will face clarified obligations to secure the systems that hold business critical data, including individuals’ personal data.
Additionally, the package establishes a Cyber Incident Review Board with the power to conduct "no-fault" reviews after significant cyber incidents. Findings from these reviews, anonymised to protect victims’ identities, will be shared to improve cyber security practices.
The legislation also introduces minimum cyber security standards for smart devices, such as watches, televisions and speakers, to ensure secure default settings, unique passwords and regular updates.
A long-overdue step
High-profile breaches like the 2022 Optus data compromise, affecting 11 million Australians, have underscored the urgency for new legislation.
Authorities warn that cyber threats in Australia are escalating rapidly, with over 94,000 incidents reported in the last financial year, a 23% increase on the year before, equating to around one report every six minutes.
Prime Minister Anthony Albanese has described the new laws as a "wake-up call" for businesses.
"The creation of a Cyber Security Act is a long-overdue step for our country and reflects the government's deep concern and focus on these threats," Cyber Security Minister Tony Burke said in a statement ahead of the laws being tabled.
"This legislation ensures we keep pace with emerging threats, positioning individuals and businesses better to respond to and bounce back from cyber security threats.
"To achieve Australia's vision of being a world leader in cyber security by 2030, we need the unified effort of government, industry and the community."
Broader implications
While these laws aim to enhance national security, they may create compliance burdens for businesses, particularly smaller ones, and could increase costs for consumers. Balancing national security with business operations and privacy rights will be crucial for successful implementation.
In summary
These measures will address gaps in current legislation to:
- mandate minimum cyber security standards for smart devices;
- introduce mandatory reporting of ransomware payments for certain businesses;
- introduce a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD); and
- establish a Cyber Incident Review Board.
The package will also progress and implement reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act). These reforms will:
- clarify existing obligations in relation to systems holding business critical data;
- enhance government assistance measures to better manage the impacts of all-hazards incidents on critical infrastructure;
- simplify information sharing across industry and Government;
- introduce a power for the Government to direct entities to address serious deficiencies within their risk management programs; and
- align regulation for the security of telecommunications into the SOCI Act.