The federal government has released a consultation paper on a range of amendments to Australia’s cyber security laws.
The Department of Home Affairs has released a consultation paper proposing a raft of new laws and powers for the minister in charge of the department.
One of the key proposals is to give the minister the power to order critical infrastructure operators to take or cease a particular action concerning a cyber attack and to order companies to replace credentials such as passports if they are compromised in a data breach.
Other proposed new legislation includes building secure-by-design principles into smart devices and making ransomware reporting both obligatory and fit for purpose for businesses. The paper also proposes a “limited use obligation” governing how the Australian Signals Directorate and National Cyber Security Coordinator can use information shared about a cyber attack, as well as the establishment of a Cyber Incident Review Board.
“The department is seeking input from industry on the design and implementation of a Cyber Incident Review Board (CIRB),” the paper said. “It is proposed that the CIRB would conduct no-fault incident reviews to reflect on lessons learned from cyber incidents, and share these lessons learned with the Australian public.”
A second section of the consultation paper focuses on changes to the Security of Critical Infrastructure Act 2018, including the aforementioned powers to be given to the Minister for Home Affairs. Other amendments to the act include making information sharing easier in the case of “high-risk, time-sensitive incidents” and improving cyber security requirements for telcos. In addition, data held by critical infrastructure operators would be considered as coming under the powers of the SOCI Act, with all that implies for how it is handled and protected.
“Australians rely on critical infrastructure to deliver the essential services crucial to our way of life,” the paper said. “Our critical infrastructure ecosystem provides essential goods and services that underpin Australia’s national security, defence, and socioeconomic stability.”
“However, we currently face a heightened geopolitical and cyber threat environment, which means that our critical infrastructure is increasingly under threat. Cyber attacks on our critical infrastructure can be highly lucrative for malicious state actors and cyber criminals. ASD’s Annual Cyber Threat Report 2022–23 reported that ASD responded to 143 cyber incidents related to critical infrastructure. This represents approximately 13 per cent of their cyber incident reporting for this period.”
The paper makes particular reference to the 2022 Optus and Medibank hacks as examples of attacks on critical infrastructure.
"The consultation paper is the next step in implementing the Australian Cyber Security Strategy to boost the nation’s cyber security through genuine public-private partnerships with business and the community," said Minister for Home Affairs Clare O'Neil in a statement.
"The consultation paper seeks input from Australian citizens and businesses to shape the future of our nation's cyber security and critical infrastructure protection laws."
You can read the full consultation paper here, and any submissions on the proposals can be made here. Submissions close on 1 March 2024.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.