Following lessons learnt from the 2023–2030 Australian Cyber Security Strategy, the government is currently deliberating on the nation’s first standalone Cyber Security Act.
The new legislation, if passed, will make it mandatory for those who pay ransom to report it, set new cyber standards for smart devices, and launch the long discussed “safe harbour” protections, among other things.
The legislation will also launch a Cyber Incident Review Board, which will include input from industry, which has largely shown support for the new bill.
Here’s what industry leaders had to say about the new legislation.
Sarah Sloan
Head of government affairs and public policy, ANZ and Indonesia, Palo Alto Networks
We commend the Australian government for its ongoing commitment to strengthening Australia’s policy and legislative response to cyber security in the face of an ever-evolving threat landscape. As cyber adversaries increase in speed, scale and sophistication, it is crucial that Australia’s approach adapts accordingly to strengthen our national cyber resilience. We also welcome the government’s collaborative approach in shaping these legislative measures.
Of note, we welcome the revised ransomware reporting regime, which focuses on the reporting of ransomware payments and now applies to entities with an annual turnover of $3 million or more – a change that aligns with the Privacy Act reporting requirements and ensures a broader range of entities are now required to report to enhance our collective visibility. We also welcome the government clarification that the reporting obligation applies only to the entity that has paid the ransomware and the obligation cannot be transferred to third parties.
Finally, we fully support the establishment of the Cyber Incident Review Board, which, importantly, will include industry engagement. We continue to advocate for the inclusion of cyber security and incident response companies on the board who have a whole-of-economy view of cyber threats and lived experience of how incidents play out across different sectors.
We look forward to continuing our support for the government in driving cyber security uplift across the Australian economy.
Lyn Nicholson
General counsel, Holding Redlich
The new Cyber Security Bill 2024 provides much-needed clarity and resources to help businesses navigate these growing threats. The framework for mandatory reporting of ransomware payments will provide businesses with a safe haven to report incidents without fear of unintended adverse consequences. This, in turn, will enhance the government’s understanding of the ransomware landscape and its ability to assist businesses to respond to emerging threats.
This legislative package includes the expansion of government assistance measures, allowing the government to step in during serious cyber incidents, under authorisation from the Minister for Home Affairs. These changes provide a clear mechanism for the government to direct entities to take specific actions or refrain from certain conduct.
To ensure lessons from significant incidents, such as recent prominent data breaches, are properly assessed and integrated into future protections, this reform also includes a new independent Cyber Incident Review Board and clarifications around obligations for managing business-critical data.
A comprehensive approach to cyber security reform, as set out in the bill, begins the important work flagged under the 2023–2030 Australian Cyber Security Strategy.
Jake Moore
Global cyber security adviser, ESET
A Cyber Security Act is a huge progressive step forward, especially when cyber crime moves at such a fast pace. Cyber criminals are quick to react to technological changes and are able to take advantage of what is available to them while the iron is hot. People and businesses often need huge support before, during, and after a cyber attack, so this new standalone act will offer a trusted framework right when it is required.
Other nations, such as the UK, are slowly venturing into this new space with similar online safety acts offering guidance to those affected by cyber crime. To fully protect Australian businesses, this act will need to follow through with continual support and resources, offer the most up-to-date advice, and guide those at risk to safety. With cyber criminals able to rapidly attack large businesses, simply having a national act of support can often be enough to mitigate the larger risks even if full regulation is slow off the mark and prosecutions are low.
Andy Garth
Director of government affairs, ESET
The Australian government has laid its proposed Cyber Security Bill 2024 before the Australian Parliament as policymakers seek to enhance cyber resilience in the face of relentless and evolving cyber attacks.
Australia remains a significant target for state actors and criminal groups due to its geopolitical and economic importance. Its role as a key player in the Indo-Pacific makes it a prime focus for state-sponsored cyber activities, mainly from other regional powers such as China. Economically, Australia’s role as a major global economy makes it attractive to financially motivated cyber criminals. Like many advanced nations, Australia’s reliance on digital infrastructure and the growing adoption of smart technologies expose critical vulnerabilities, similar to challenges faced globally. These weaknesses are especially apparent in sensitive sectors such as healthcare, telecommunications, and finance, as seen in the recent Medibank data breach, which led to Australia’s first cyber sanctions.
In the last year, ESET telemetry has detected a variety of cyber criminal activity, with phishing attacks being the most prominent, followed by detections of malicious JavaScript. ESET has also seen Chinese-aligned cyber espionage groups targeting organisations in Australia, including Mustang Panda, notorious for attacking governmental institutions in Europe and Asia.
The urgency of the Cyber Security Bill lies in the government’s comprehensive strategy (2023–2030) to strengthen Australia’s defences and the trust of its citizens in the products they use. The proposed bill reflects on lessons learned to address future threats. This includes establishing a Cyber Incident Review Board to facilitate public-private sector collaboration and provide the government with actionable recommendations, and setting baseline cyber security standards for IoT devices.
However, one of the act’s most notable provisions beyond what is seen elsewhere in the EU, US, UK, etc., is the mandatory reporting of ransom payments, with the threat of civil liabilities imposed for non-compliance. [This measure targets the growing ransomware threat, but allows for a broader discussion on this growing threat]. The government has opened a consultation on this; it will be interesting to see the progress of the bill through Parliament and how it might impact legislation elsewhere.
For businesses, a trend is clearly emerging – more attacks, more attackers, and more vulnerabilities to exploit – leading to increased cyber risk and more regulation. This bill is an important step. In striving to enhance cyber resilience, regulators have the difficult balancing act of raising resilience whilst not overburdening businesses, especially SMEs, with bureaucracy and unnecessary costs.