Australia’s Cyber Security Bill 2024

Written by Bola Ogbara | Nov 1, 2024 2:01:27 PM

Australia has introduced its first standalone cyber security bill, the Cyber Security Bill 2024, which would set minimum security standards for smart devices and mandate the reporting of ransomware payments.

On October 9th, the Australian government introduced the Cyber Security Bill 2024, the country’s first standalone piece of cybersecurity legislation. The Bill builds on initiatives that appeared earlier in the Security of Critical Infrastructure Act 2018 (SOCI Act), which is being amended alongside it, and in the 2023-2030 Australian Cyber Security Strategy, which was released under the same administration. The strategy’s main goal is to make Australia a world leader in cybersecurity by 2030 through six “cyber shields”: strong businesses and citizens, safe technology, world-class threat sharing and blocking, protected critical infrastructure, sovereign capabilities, and resilient region and global leadership. The Bill does not cover all six shields, but it addresses at least half of them by strengthening businesses and citizens, making technology safer, and improving threat sharing and blocking.


The Bill would require smart devices to meet minimum cybersecurity standards, require certain businesses to report ransomware payments, create a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD), and establish a Cyber Incident Review Board. Smart devices (products that can connect to the Internet or a similar network) would need a statement of compliance, confirming that they meet security standards to be set in rules made under the Act (for example, protecting sensitive data with encryption), before they can be supplied in Australia. The approach mirrors the European Union’s Cyber Resilience Act, which was recently adopted and requires products with digital elements sold in the EU to meet cybersecurity requirements, and their manufacturers to manage the product’s security throughout its development and support lifecycle.

The Cyber Security Bill also puts a spotlight on ransomware. Entities above a turnover threshold (to be set in the rules) that make a ransom payment to threat actors, or arrange for the payment to be made through another entity, would be required to report to the designated government body within 72 hours of the payment, including details of the incident, the amount the actors demanded, and how much was actually paid. This is reminiscent of the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which also mandates ransomware payment reports, although under CIRCIA the payment report must be made within 24 hours once its implementing rule takes effect. 


These reporting requirements support the third cyber shield: with information from each incident, the government can block the relevant threats and share intelligence about them with others. To encourage companies that experience cyber incidents to share information about them, the Bill places a ‘limited use’ obligation on the National Cyber Security Coordinator and the ASD: information an entity voluntarily provides about a cyber incident may be used and disclosed only for prescribed purposes, such as helping the entity respond, and cannot be used to take regulatory or enforcement action against it. It is not a blanket immunity, however, and does not prevent action based on the same information obtained by other means. 


The Cyber Incident Review Board would conduct post-incident reviews of significant cyber incidents that may affect Australia’s social or economic stability, national security, or defense. It would also review incidents involving new or complex technologies, in order to improve Australia’s resilience, and any incident that could be of “serious concern” to the Australian public. The Board could require entities to produce documents relating to an incident, and failure to comply would attract a civil penalty. 


While the Bill shows Australia’s commitment to cybersecurity, it is notable that the country’s first standalone cyber law has arrived only now. Australia has been struggling with cybersecurity incidents for a long while. In the 2023-2030 Australian Cyber Security Strategy, Clare O’Neil, then serving as Minister for Home Affairs and Minister for Cyber Security, said that “After a decade of malaise, Australia has fallen behind.” Unfortunately, that statement was not an exaggeration. According to a report from the National Australia Bank (NAB), “two-thirds of Australians have experienced a cyber attack or data breach in the past 12 months”, while “less than a quarter say they follow basic cybersecurity practices consistently.” If the Cyber Security Bill 2024 is passed, it will be a significant step in the right direction.