
Securing Cyber Space: Australia’s Cyber Security Bill 2024 sends out the troops


A landmark Cyber Security Bill 2024 (Cth) (‘Cyber Bill’) was introduced into Parliament on 9 October 2024. If passed, it would be Australia’s first standalone Cyber Security Act.

Australia has suffered a spate of major cyber security incidents in recent years. This is war in cyber space, and there is a part for everyone to play. The government proposes a legislative package of reforms with the Cyber Bill at its centre; the other reforms are amendments to the Intelligence Services Act 2001 (Cth) (‘ISA’) and the Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI’).

The Cyber Security Legislative Package (the ‘Package’) will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy. It addresses legislative gaps so as to bring Australia’s cyber security into line with international best practice, with the stated ambition of making Australia a global leader in cyber security.

The Package aims to strengthen our cyber defences, prepare for contingencies, and build resilience across the whole economy.

Below is a summary of the proposed changes:[1]

 

1. Mandatory Reporting of Ransomware Incidents

The Cyber Bill will make it mandatory for entities above a certain revenue threshold to report to the Department of Home Affairs if they make a ransomware or cyber extortion payment, whether in money or as an in-kind benefit, in connection with a cyber security incident. The aim is to give the government insight into the occurrence of cybercrime, which victims have not always reported, and to allow it to offer help. The turnover threshold is not set in the Bill itself but will be specified in the rules; it is expected to follow the Privacy Act 1988 (Cth) threshold for regulated entities, namely an annual turnover of more than $3 million.

   i. Penalties for Failure to Report

An entity with a mandatory reporting obligation that fails to report within 72 hours of making a ransomware payment, or of becoming aware that such a payment has been made, faces a maximum civil penalty of 60 penalty units (currently $18,780).

   ii. Ransomware Incidents

A ransomware attack involves a threat actor planting malicious software (‘ransomware’) designed to cripple digital infrastructure by encrypting files so they cannot be accessed, and then demanding a ransom from the victim organisation to restore access.

When critical files cannot be accessed, the disruption can be costly to businesses. An incident also typically exposes important information and data to the criminals, with the possibility that sensitive commercial and personal information will be released or sold on the dark web.

Despite the threat, the government, including the Australian Cyber Security Centre (‘ACSC’), strongly advises entities against paying a ransom: payment does not guarantee that data will be recovered or that stolen data will not be released, and it may encourage the threat actors to strike again.

   iii. Limited Use Obligation

Under the Cyber Bill, reporting entities that provide information to the Department of Home Affairs will be protected by a “limited use obligation”, which restricts how cyber security incident information can be used by, and shared with, other government agencies, including regulators.

Some entities have brought legal counsel to their dealings with the government out of concern that the information they provide may be circulated among other government agencies and regulators and used against them in future proceedings.

The limited use obligation in the Cyber Bill complements the ‘limited use’ obligation proposed for the ISA via the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024.

To give effect to the limited use obligation, the Cyber Bill will also legislate the role of the National Cyber Security Coordinator in relation to cyber security incidents.

 

2. Cyber Incident Review Board

The government also plans to set up a Cyber Incident Review Board (‘CIRB’) to examine significant cyber security incidents.

Recent high-profile data breaches involving, for example, Medibank, Optus, Latitude Financial, and MediSecure, have prompted the need to review and learn from major cyber incidents to become more resilient against future attacks.

Unlike the United States, which established a Cyber Safety Review Board in 2022, Australia has had no standing mechanism for reviewing major incidents. The Cyber Bill proposes to set up the CIRB as an independent advisory body, consisting of a Chair, standing members, and an expert panel, to conduct post-incident reviews of major cyber security incidents in Australia.

The CIRB will only review a cyber security incident after the fact, once the initial response has concluded. Before taking on a review, the CIRB must also be satisfied that the incident, or series of incidents, seriously prejudiced, is seriously prejudicing, or could reasonably be expected to seriously prejudice any one of the following:[2]

  • Australia’s social or economic stability;
  • the Australian people;
  • Australia’s defence;
  • national security; or
  • a critical infrastructure asset;

or, alternatively, that the attack involved novel or complex methods or technologies, such that understanding the incident could improve prevention, resilience or response.

The Minister, the ACSC, impacted entities, or Board members may initiate reviews through written referrals.

Following their review, the CIRB will share its recommendations and reasons with both government and industry, with the aim to strengthen Australia’s collective cyber resilience.

The CIRB’s reviews will not assign blame or determine liability. CIRB reports will exclude personal, confidential, or commercially sensitive information, as well as any information that could compromise Australia’s security, defence, or international relations.[3]

 

3. Internet of Things (‘IoT’) Devices (Smart Devices)

If you have ever wondered whether your robot vacuum was sharing the layout of your home with a third party, or whether your smart car was collecting information on your whereabouts, then you will be pleased to know that new laws are being proposed to secure your smart devices.

Almost every Australian home or business has at least one, and usually several, smart devices connected to the internet and/or to each other, including items taken for granted such as smart phones, smart TVs, smart watches, baby monitors, virtual assistants like Alexa, and so on. Industry research estimates an average of 33.8 connected smart devices per household in Australia by 2025.[4]

   i. Vulnerability of IoT/Smart Devices

Smart devices are currently not subject to mandatory cyber security standards, and no regulation requires built-in security features to be enabled by default, so these devices are convenient targets for threat actors. They may also be collecting significant amounts of personal and/or sensitive data about you, with or without your awareness.[5]

The precise frequency and cost of cyber incidents involving IoT devices are unknown but potentially significant, and they contribute to the broader economic impact of cybercrime in Australia. In its Cyber Threat Report 2022-23, the Australian Signals Directorate highlighted that any approach to cyber security that does not assure the security of smart devices is inadequate.

   ii. Mandating Minimum Cyber Security Standards for IoT/Smart Devices

The Cyber Bill establishes a framework for minimum cyber security standards for IoT/smart devices. The new legislation will enforce baseline security measures, including:[6]

  • Secure Default Settings: devices must ship with strong, pre-set security configurations rather than relying on the user to harden them.
  • Unique Device Passwords: manufacturers must provide each device with its own password, rather than a default password shared across a product line that an attacker can look up and try against every unit.
  • Regular Security Updates: manufacturers must keep providing updates to address vulnerabilities as they arise.

Responsible entities will be required to provide a statement of compliance for the devices they manufacture for, or supply to, the Australian market.

Furthermore, the Minister will have the authority to impose additional security standards quickly by way of rules.

 

Conclusion

With the cost of cybercrime estimated by the Australian Signals Directorate as averaging $46,000 for small businesses, $97,200 for medium businesses and $71,600 for large businesses per reported incident, a 14 per cent increase on the previous year, not to mention the emotional distress occasioned by cyber-attacks, the troops cannot be sent out too soon.

 

Vocare Law is well equipped to assist our Information Technology and Software clients, with a wealth of collective knowledge and experience providing insight and advice in this area. If you have any questions regarding the changes proposed in the new Cyber Security Bill 2024 (Cth) and the forthcoming Act, please don’t hesitate to contact our office on 1300-VOC-LAW / 1300-862-529 or email: enquiry@vocarelaw.com.au

**The information contained herein does not, and is not intended to, constitute legal advice and is for general informational purposes only. 

 

Footnotes

[1] Parliament of Australia, Cyber Security Bill 2024 (Cth), bill page: https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r7250

[2] Explanatory Memorandum, Cyber Security Bill 2024 (Cth): https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id%3A%22legislation%2Fems%2Fr7250_ems_2474a1f7-f1f0-4895-9113-3b8532da3377%22

[3] Explanatory Memorandum, Cyber Security Bill 2024 (Cth): https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id%3A%22legislation%2Fems%2Fr7250_ems_2474a1f7-f1f0-4895-9113-3b8532da3377%22

[4] Department of Home Affairs, 2023-2030 Australian Cyber Security Strategy consultation paper: https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2023-30-consultation-paper.pdf

[5] Explanatory Memorandum, Cyber Security Bill 2024 (Cth): https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id%3A%22legislation%2Fems%2Fr7250_ems_2474a1f7-f1f0-4895-9113-3b8532da3377%22

[6] Explanatory Memorandum, Cyber Security Bill 2024 (Cth): https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id%3A%22legislation%2Fems%2Fr7250_ems_2474a1f7-f1f0-4895-9113-3b8532da3377%22
