Australian Cyber Security Act 2024 | Summarised Explanatory
Why is the Bill necessary?
Australia’s cyber security landscape is evolving quickly, with malicious activity targeting Australia becoming more frequent and more sophisticated. The Cyber Security Act is designed to provide a clear legislative framework for addressing broad, whole-of-economy cyber security issues, positioning the Australian Government to respond to new and emerging cyber security threats.
1. Internet of Things (IoT) Devices (Smart Devices)
Smart devices, such as smart TVs, smart watches, home assistants and baby monitors, are ubiquitous in Australian homes and businesses and are increasingly relied on for everyday transactions, communication, work and leisure. Industry research forecasts an average of 33.8 connected smart devices per household in Australia by 2025. At present, smart devices are not subject to mandatory cyber security standards, nor are there regulations requiring built-in security features to be active by default. At the same time, smart devices can collect significant volumes of potentially sensitive data about users, with or without the awareness of consumers.
Under the powers that will be established by the Bill, the relevant Minister can mandate security standards as Ministerial rules for smart devices, which are defined in the Bill as relevant connectable products.
Security standards specified by the Minister in rules can apply to all devices that meet the definition of relevant connectable product, or be limited to a subset, type, or class of devices to be defined in the relevant standard under rules. This approach allows government to keep pace with evolving technology and protect Australians from cyber security incidents by responding with security standards for specific devices as the threat picture for those devices becomes clearer.
Responsible entities, as defined under the Bill when enacted, will be required to provide a statement of compliance for the devices they manufacture or supply to the Australian market. If a responsible entity that is not the manufacturer of a device intends to supply that device in Australia, it can request the relevant information from the device manufacturer, or have the product tested and a statement of compliance prepared by a verified third party.
This Bill will also establish an enforcement and compliance regime that will provide the Secretary of Home Affairs the ability to issue enforcement notices to responsible entities if they cannot provide a statement of compliance for a specific device or the statement cannot be verified. These enforcement notices are:
2. Mandatory Reporting for Ransomware and Cyber Extortion Payments
Clear threat intelligence concerning ransomware or cyber extortion requires up-to-date data about cyber security incidents. This includes the number of ransomware and cyber extortion incidents impacting Australia. More specifically, information about the type of ransomware used, the vulnerabilities that are being exploited, the overall impact of an incident and whether a ransom or extortion payment was made by the victim is necessary to enable government to better understand the impact of ransomware and cyber extortion on Australian businesses and the Australian economy.
The Bill when enacted will establish a mandatory reporting obligation requiring entities that meet a specified threshold to report to the Department of Home Affairs if they make a ransomware or cyber extortion payment, whether in money or as an in-kind benefit, in connection with a cyber security incident.
The Bill when enacted will require a mandatory report to be made when:
Reports will be made to the Department of Home Affairs through a portal available on cyber.gov.au, which is administered by ASD's Australian Cyber Security Centre (ACSC). These reports are required to be made within 72 hours of the payment being made, or the reporting entity becoming aware of the payment being made.
3. Limited Use Obligation on Cyber Incident Information Voluntarily Reported to the Coordinator
ASD and the National Cyber Security Coordinator play a pivotal role in responding to cyber security incidents, and timely engagement by industry is essential to ensuring incidents can be mitigated and managed as soon as possible. However, ASD has observed that cyber security incident reporting and engagement between industry and the Government during a cyber security incident has plateaued.
There have been some instances of cyber security incident response and recovery being treated as a legal issue, with some entities routinely bringing legal counsel to engage with the Government directly, out of fear that any information they provide may be circulated amongst Government agencies and to regulators, to be used against them in future regulatory and law enforcement proceedings.
The Bill when enacted will establish a ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator during a cyber security incident can be on-shared to and used by other Australian Government entities, including regulators.
Currently, the National Cyber Security Coordinator is significantly impeded by the inability or reluctance of certain affected entities to voluntarily engage and share information to assist in the response, fearing regulatory and law enforcement action.
Any information that an impacted entity, or an entity acting on behalf of an impacted entity, provides to the National Cyber Security Coordinator during the incident response phase, whether on the entity’s own initiative or in response to a request by the National Cyber Security Coordinator, is covered by the limited use obligation.
4. Cyber Incident Review Board
Recent high-profile and high-impact cyber security incidents, such as the Optus data breaches in 2022 and 2023, the Medibank data breach in 2022 and the MediSecure data breach in 2024 highlight that government and industry need to do more to effectively learn lessons from cyber security incidents and prepare contingencies for future attacks.
This Bill establishes the Cyber Incident Review Board (CIRB) as an independent, advisory body with a clear remit to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. Following such a review, the Board will disseminate recommendations to both Government and industry to strengthen Australia’s collective cyber resilience. This is particularly important for driving continual improvement within both the public and private sectors as cyber-enabled interference grows.
To carry out these functions effectively, the Board will have limited information-gathering powers to compel information from entities involved in the cyber security incident under review, but only where voluntary requests for information have been unsuccessful.
The CIRB will prepare a report detailing its recommendations and the reasons for them. The report will not apportion blame or provide a means of determining the liability of an entity in relation to a cyber security incident. The report will also not include personal information, information that is confidential or commercially sensitive, or information that could damage the security, defence or international relations of the Commonwealth.