Opinions are mixed on the nation’s new cyber security legislation, which has been deployed as part of the 2023–2030 Australian Cyber Security Strategy.
Australia has passed its first standalone Cyber Security Act, granting the government additional powers, introducing new ransom reporting requirements and launching the long-discussed “limited-use” obligation for the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator, among other things.
In the announcement of the bill passing, Cyber Security Minister Tony Burke said collaboration between government and industry is crucial, something that forms a large part of the new legislation.
“Close cooperation between government and industry is one of our best defences against malicious cyber activity. In the wake of a cyber security incident, businesses need to know that they can call on government to quickly get the support they need,” he said.
However, industry response to the act is mixed, with some thinking it doesn’t go far enough.
Here is what industry had to say about Australia’s Cyber Security Act:
Sarah Sloan
Head of government affairs and public policy, ANZ and Indonesia, Palo Alto Networks
“Palo Alto Networks welcomes the passage of the Australian government’s landmark Cyber Security Act 2024, which represents the nation’s first comprehensive cyber security legislation. This pivotal step provides not only critical protections for Australia’s cyber resilience and safeguarding of critical infrastructure but also establishes a foundational framework for future government initiatives as the threat landscape continues to evolve.
“We commend the government’s commitment to close collaboration with industry in addressing these challenges and appreciate their responsiveness to industry feedback. These reforms will significantly enhance national cyber resilience by increasing visibility into ransomware activities, enabling greater cyber threat information sharing, improving risk management for critical assets, strengthening cyber security standards for consumer IoT devices, and providing stronger government support to affected organisations. Notably, this legislation achieves these advancements while maintaining a balanced and pragmatic regulatory approach.
“A key feature of the act is the establishment of the Cyber Incident Review Board (CIRB), an independent body tasked with conducting no-fault, post-incident reviews of major cyber security events. This board will be instrumental in driving shared learnings across sectors and enhancing Australia’s collective cyber defences. As strong advocates for industry involvement in the CIRB, we are pleased to see provisions for the inclusion of private sector members not just as expert advisors but also as potential standing participants. We continue to champion the inclusion of cyber security and incident response professionals on the CIRB, whose global, cross-sector experience provides invaluable insights into managing cyber threats and incidents effectively.
“Palo Alto Networks looks forward to supporting this vital initiative, fostering deeper collaboration between government and industry, and helping to implement these reforms effectively. Together, we can ensure a safer and more resilient digital future for Australia.”
Simon Howe
Area vice president – ANZ, ExtraHop
“The Cyber Security Act embraces collaborative efforts and fosters a culture of cyber resilience. It provides a robust framework to further advance the priority and focus of cyber security within Australian organisations. Mandatory reporting of ransomware payments is a material change [that] will provide consumers and businesses with transparency in their dealings with organisations.
“The expansion of assets captured under the SOCI Act will also further reinforce resilience in critical infrastructure and government agencies operating in the region. With more opportunities and guardrails to reduce cyber risk and ensure smooth operation of essential services, the Cyber Security Act will bolster Australia’s wellbeing.”
Ajay Unni
CEO, StickmanCyber
“I welcome the introduction of tougher security standards for the supply and manufacture of smart devices, but this should go further into software and SaaS providers that store, process and transmit sensitive data.
“The strategy behind the new Cyber Incident Review Board seems poor. They have limited powers and can only be imposed when the affected party does not voluntarily allow a post-incident review. Businesses are already under pressure with audits, security questionnaires, incident response preparation and compliance.
“When an incident occurs, this is yet another burden on organisations [that] must now allow an external third party from the government to get involved.”
Pieter Danhieux
Co-founder and CEO, Secure Code Warrior
“Australia’s new Cyber Security Act (2024) is a vital step forward in protecting our critical infrastructure and assets. With state-sponsored cyber threats, organised cyber crime and espionage on the rise all over the world, now is the time for us to abandon complacency and move forward together with a precision, preventative approach to securing our digital future.
“In addition, the new regulatory guidance surrounding the security of IoT devices has been a long time coming, but signals a global trend towards manufacturer accountability for insecure software. Enforcement of compliance and transparency are crucial steps in the right direction, but ultimately, software vendors need to embrace their role in leading the charge against exploitable vulnerabilities by investing in security upskilling for developers, and managing the inherent risk untrained personnel bring to the table. With DevSecOps dictating that security is a shared responsibility, enablement and ongoing guidance should be central to every enterprise security program and beyond.”
Gareth Cox
Vice president of sales APJ, Exabeam
“Exabeam is encouraged [by] the progress of cyber security reform in Australia and the framework put in place with the new Cyber Security Act. Exabeam’s Threat Detection Incident Response Survey, launched in conjunction with IDC earlier this year, found that 60 per cent of companies stated they only had 62 per cent visibility into their IT environments.
“Increasingly, in order to adhere to the new legislation, organisations will need to call upon the expert guidance of vendors and consultants to support deployment of a data-driven, multi-layer cyber security strategy for aspects of the legislation such as critical infrastructure security and IoT device security which will require proactive threat detection, incident response and overall data governance.”
Anthony Daniel
Regional director, Australia, New Zealand and the Pacific Islands, WatchGuard Technologies
“The introduction of these new cyber security reforms by the Australian federal government is a significant development for businesses across the country. With the increasing frequency and sophistication of cyber threats, it’s critical that organisations not only meet the new compliance requirements but also adopt a proactive, risk-based approach to cyber security.
“The legislation’s emphasis on mandatory reporting of cyber incidents, as well as stronger obligations for protecting critical infrastructure, will require businesses to invest in robust cyber security frameworks, threat detection systems, and incident response plans. For many organisations, this will mean revisiting their cyber security posture and ensuring that they are prepared to handle emerging risks.
“While the reforms present challenges, they also provide an opportunity for Australian businesses to align with global best practices and build resilience against cyber attacks. The regulatory landscape will likely continue to evolve, and companies that prioritise cyber security as a core business function will be better positioned to manage the risks and benefits of an increasingly digital world. Ultimately, this legislation is a wake-up call for Australian businesses to take a more proactive stance on cyber security, not only to comply with the law but to protect their reputation, assets, and customer trust in a rapidly changing threat landscape.”
Ashwin Ram
Cyber security evangelist, Office of the CTO, Check Point Software Technologies
“The Cyber Security Bill 2024 represents a step forward in helping Australian organisations enhance their cyber resilience.
“One of the key areas covered in this bill is the introduction of compliance with security standards for smart devices. This is particularly critical, as last year, the Check Point Research Team reported a 41 per cent increase in the average number of weekly attacks per organisation targeting IoT devices compared to previous years, a trend that is likely to persist. With 63 per cent of enterprises, 92 per cent of industrial organisations, and 82 per cent of healthcare organisations relying on IoT, networks are inundated with unmanaged IoT devices, each serving as a potential entry point for hackers and exposing companies to cyber attacks. Securing IoT devices is challenging due to the diverse vulnerabilities they present, such as legacy operating systems, hard-coded or weak passwords, and unpatched software.
“The Cyber Security Bill 2024 is attempting to address some of these issues by mandating that manufacturers ensure devices meet security standards if they are intended for sale in Australia, while also requiring them to provide necessary documentation and security features. Additionally, suppliers will only be permitted to sell devices that comply with these standards. These measures collectively aim to close critical security gaps for internet-connected devices used in Australia.
“Another key provision of this bill requires entities affected by ransomware incidents to report payments made to cyber extortionists within 72 hours. This requirement is designed to improve transparency and enable a more coordinated response to such threats. Businesses will need to provide detailed information, including the payment made, the nature and impact of the cyber security incident, the extortion demand, and any communications with the threat actor about the incident or payments.
“As a result, Australian organisations must review and update their incident response playbooks and refine their reporting processes to ensure they can efficiently collect and share ransom payment information with the relevant Commonwealth body.”
Osh Ranaweera
Connect and secure solutions manager, Atturra
“With the recent updates to the Australian Cyber Security Bill, it’s clear that the Australian government is focusing heavily on national security. The introduction of IoT security standards and cyber incident security reporting reinforces this focus, with the legislation zooming in on the importance of where data lives. Indeed, network and service provider security incidents that were part of the Telecommunication Act 1997 and consolidated under the SOCI Act outline these efforts.
“Today, businesses play a critical role in the leakage of sensitive data, and this is of importance to national security. A major emphasis now on SOCI will ensure that business data security is regulated and governed, and this can only be of benefit to the country, businesses and consumers.”
Morey Haber
Chief security adviser, BeyondTrust
“Australia’s recent enactment of comprehensive cyber security legislation marks an incremental advancement in protecting the nation’s digital infrastructure. This legislation introduces mandatory reporting of cyber incidents, establishes stringent penalties for non-compliance, and defines clear responsibilities for organisations. These measures are essential for any cyber security maturity model and are intended to strengthen Australia’s electronic defences against the escalating frequency and sophistication of cyber attacks.
“However, the legislation’s coverage could be enhanced by providing clear definitions in several key areas:
Critical infrastructure: The current definition encompasses sectors like energy, water, and transportation. This may not be sufficient as the digital landscape advances. Indeed, it is imperative to broaden this scope to include emerging sectors such as cloud service providers, data centres, financial organisations, and medical care services. These entities are integral to national security and economic stability of every nation, and their inclusion, by definition, would help ensure a more comprehensive approach for the situation.
Internet of things (IoT): The legislation should expand IoT devices to include OT (operational technology) as well. Attacks against manufacturing and physical automation devices are increasingly prevalent, and these devices are often vulnerable to cyber attacks due to simplicity, age, and lack of best practices like patch management. By establishing specific security standards and protocols for IoT and OT devices, future legislation can mitigate attack vectors, thereby enhancing overall cyber security.
Ransomware: While the legislation has specific requirements for disclosure of ransomware payments, it is a well-established security best practice to never pay a ransomware settlement. Organisations should strive to mitigate the risks of ransomware by following the Essential Eight and verifying that disciplines like backup/recovery, privileged access management, least privileged access, and application control all work correctly to avoid a ransomware incident. While disclosure may be required, more focus should be placed on prevention and recovery versus details of disclosure if all appropriate steps are taken first.
“By refining these aspects, Australia’s cyber security legislation can provide a more comprehensive and dynamic framework for public sector and private industry coverage against modern cyber attacks.”