
Industry responds to Australia's Cyber Security Act

Following lessons learned from the 2023-2030 Australian Cyber Security Strategy, the government is currently deliberating on the nation's first-ever standalone Cyber Security Act.

Daniel Croft
Fri, 11 Oct 2024

The new legislation, if passed, will make it mandatory for those who pay a ransom to report it, set new cyber standards for smart devices and launch the long-discussed “safe harbour” protections, among other things.

The legislation will also launch a Cyber Incident Review Board, which will include input from industry, which has largely shown support for the new bill.

Here’s what industry leaders had to say about the new legislation.


Sarah Sloan
Head of Government Affairs and Public Policy, ANZ and Indonesia, Palo Alto Networks

We commend the Australian Government for its ongoing commitment to strengthening Australia’s policy and legislative response to cyber security in the face of an ever-evolving threat landscape. As cyber adversaries increase in speed, scale and sophistication, it is crucial that Australia's approach adapts accordingly to strengthen our national cyber resilience. We also welcome the Government's collaborative approach in shaping these legislative measures.

Of note, we welcome the revised ransomware reporting regime which focuses on the reporting of ransomware payments and now applies to entities with an annual turnover of $3 Million or more - a change that aligns with the Privacy Act reporting requirements and ensures a broader range of entities are now required to report to enhance our collective visibility. We also welcome the Government clarification that the reporting obligation applies only to the entity that has paid the ransomware and the obligation cannot be transferred to third parties.

Finally, we fully support the establishment of the Cyber Incident Review Board, which importantly will include industry engagement. We continue to advocate for the inclusion of cyber security and incident response companies on the board who have a whole-of-economy view of cyber threats and lived experience of how incidents play out across different sectors.

We look forward to continuing our support for the Government in driving cybersecurity uplift across the Australian economy.

Lyn Nicholson
General Counsel, Holding Redlich

The new Cyber Security Bill 2024 provides much-needed clarity and resources to help businesses navigate these growing threats. The framework for mandatory reporting of ransomware payments will provide businesses with a safe haven to report incidents without fear of unintended adverse consequences; this in turn will enhance the government's understanding of the ransomware landscape and ability to assist businesses to respond to emerging threats.

This legislative package includes the expansion of government assistance measures, allowing the government to step in during serious cyber incidents, under authorisation from the Minister for Home Affairs. These changes provide a clear mechanism for the government to direct entities to take specific actions or refrain from certain conduct.

To ensure lessons from significant incidents, such as recent prominent data breaches, are properly assessed and integrated into future protections, this reform also includes a new independent Cyber Incident Review Board and clarifications around obligations for managing business-critical data.

A comprehensive approach to cybersecurity reform as set out in the Bill begins the important work flagged under the 2023-2030 Australian Cyber Security Strategy.

Jake Moore
Global Cyber Security Advisor, ESET

A cybersecurity act is a huge progressive step forward especially when cybercrime moves at such a fast pace. Cybercriminals are quick to react to technological changes and are able to take advantage of what is available to them while the iron is hot. People and businesses often need huge support before, during and after a cyberattack so this new standalone act will offer a trusted framework right when it is required.

Other nations, such as the UK, are slowly venturing into this new space with similar online safety acts offering guidance to those affected by cybercrime. To fully protect Australian businesses, this act will need to follow through with continual support and resources, offer the most up to date advice and guide those at risk to safety. With cybercriminals able to rapidly attack large businesses, simply having a national act of support can often be enough to mitigate the larger risks even if full regulation is slow off the mark and prosecutions are low.

Andy Garth
Director of Government Affairs, ESET

The Australian Government has laid its proposed Cyber Security Bill 2024 before the Australian Parliament as policymakers seek to enhance cyber resilience in the face of relentless and evolving cyber attacks.

Australia remains a significant target for state actors and criminal groups due to its geopolitical and economic importance. Its role as a key player in the Indo-Pacific makes it a prime focus for state-sponsored cyber activities, mainly from other regional powers such as China. Economically, Australia’s role as a major global economy makes it attractive to financially motivated cybercriminals. Like many advanced nations, Australia's reliance on digital infrastructure and the growing adoption of smart technologies expose critical vulnerabilities, similar to challenges faced globally. These weaknesses are especially apparent in sensitive sectors such as healthcare, telecommunications, and finance, as seen in the recent Medibank data breach, which led to Australia’s first cyber sanctions.

In the last year, ESET telemetry has detected a variety of cybercriminal activity, with phishing attacks being the most prominent, followed by detections of malicious JavaScript. ESET has also seen Chinese-aligned cyberespionage groups targeting organisations in Australia, including Mustang Panda, notorious for attacking governmental institutions in Europe and Asia.

The urgency of the Cyber Security Bill lies in the Government’s comprehensive strategy (2023-2030) to strengthen Australia's defenses and the trust of their citizens in the products they use. The proposed bill reflects on lessons learned to address future threats. This includes establishing a Cyber Incident Review Board to facilitate public-private sector collaboration and provide the government with actionable recommendations, and setting baseline cybersecurity standards for IoT devices.

However, one of the Act’s most notable provisions beyond what is seen elsewhere in the EU, US, UK, etc., is the mandatory reporting of ransom payments, with the threat of civil liabilities imposed for non-compliance. [This measure targets the growing ransomware threat, but allows for a broader discussion on this growing threat]. The Government has opened a consultation on this; it will be interesting to see the progress of the bill through parliament and how it might impact legislation elsewhere.

For businesses, a trend is clearly emerging - more attacks, more attackers, and more vulnerabilities to exploit - leading to increased cyber risk and more regulation. This bill is an important step. In striving to enhance cyber resilience, regulators have the difficult balancing act of raising resilience whilst not overburdening businesses, especially SMEs, with bureaucracy and unnecessary costs.
