After a year of consultation, discussions and amendments, the Cyber Security Act, which requires certain businesses to report ransom payments, has been passed by Parliament.

The Cyber Security Legislative Reforms proposed by the Australian federal government passed both houses on 25 November, during the last week of Parliamentary sittings. This follows a long process initiated by the 2023-2030 Australian Cyber Security Strategy, published in November 2023 and followed by a consultation launched on 10 December of the same year.

The bill was introduced alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 to implement measures proposed by the 2023-2030 Australian Cyber Security Strategy. Among the proposed measures are the much-discussed ransomware reporting obligations.

Minister for Cyber Security Tony Burke said in a media release the new laws:

- enable the minister for cyber security to prescribe mandatory cyber security standards for smart devices, to give Australians assurance the devices they purchase aren’t putting them at risk
- require certain businesses to report ransom payments, so our cyber experts can build a better picture of the threat landscape
- give effect to a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD) to facilitate rapid and open sharing of information during a cyber security incident
- establish a Cyber Incident Review Board (CIRB) to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia and make concrete recommendations to aid in the prevention, detection, response, and minimisation of cyber incidents in the future.
“I also welcome the limited-use provisions in this legislation, which will provide assurance to entities that the information they disclose to government about cyber incidents will not be used against their interests in the future,” Senator and Shadow Minister for Cyber Security James Paterson said. “We need seamless, time-sensitive sharing of information between government and business when there is a cyberattack. We can’t afford for any CISO or their CEO to hesitate to pick up the phone to the ACSC and share what they know.”

Paterson said that it is important to learn the right lessons from major incidents and apply these lessons. “Two years on from the data breaches suffered by Optus and Medibank, we are still in the dark about the specifics of what led to these incidents, how they were managed and what companies can learn from the incidents to guard against future cyberattacks of a similar nature.”

The Cyber Security Bill 2024 was introduced on 9 October and was later recommended for urgent parliamentary approval on 19 November by the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

Burke said the package also progresses reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act) that will:

- clarify existing obligations in relation to systems holding business critical data
- expand existing last resort powers to enable government assistance to manage the impacts of all-hazards incidents on critical infrastructure
- simplify information sharing across industry and government
- enable the government to direct entities to address serious deficiencies within their risk management programs
- integrate regulation for the security of telecommunications into the SOCI Act.

“The Government has passed into law Australia’s first standalone Cyber Security Act, a key pillar in our mission to protect Australians from cyber threats,” Burke said.
“This package forms a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber landscape.”