By Cam Hao Ren
Cyber security has become a serious concern, as the world keeps moving further into the digital age. The risk of cyber security breaches and occurrences of cyber crime in Australia is on the rise.
Cyber crime has always been an issue, but it has been increasing in the past few years. Factors like the COVID-19 pandemic forcing organisations to shift to remote work, as well as the rapid advancement of technology over the past decade, have exacerbated the problem.
As a result of increasing cyber security breaches, the Australian Government is introducing its first-ever standalone Cyber Security Act. This legislation is the result of the government’s ‘commitment to enhancing the security and resilience of Australia’s cyber environment and critical infrastructure.’
This legislation is a huge step in Australia’s progression towards improving cybersecurity. The changes will require the input of politicians, IT experts, and those with a Masters in Data Analytics alike.
The Cyber Security Legislative Package will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy, addressing legislative gaps. The goal is to bring Australia in line with the best international practices and pave the way for the country to be a global leader in cyber security.
The Cyber Security Legislative Package
The Cyber Security Legislative Package refers to multiple Bills that were introduced into the Australian Federal Parliament on 9 October 2024. The Bills included in the legislative package are listed below.
- the Cyber Security Bill 2024 (Cyber Security Bill)
- the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (SOCI Bill)
- the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (IS Bill)
Together, these Bills make up the Cyber Security Legislative Package. If passed, these Bills will implement reforms indicated in the Australian Government’s greater, three-phase 2023-2030 Australian Cyber Security Strategy and the related Consultation Paper.
The Parliamentary Joint Committee on Intelligence and Security has commenced an inquiry into the proposed legislative package. It includes submissions from the government, civil society, and corporate stakeholders—due by 25 October 2024.
Summary of changes
The Cyber Security Legislative Package will likely have bipartisan support and will be implemented soon. It will have an impact on organisations, individuals, and the technology industry as a whole in Australia.
The new Cyber Security Bill will include new regulations, like mandatory reporting for ransomware, and standards for smart devices. We’ve outlined a few of the main features of the Bill below.
- Introducing a mandatory 72-hour reporting obligation for businesses when they are affected by a cyber security incident, receive a ransomware payment demand, and make a payment or give benefits in connection with a cyber security incident.
- Commonwealth bodies that are receiving ransomware payment reports will be subject to a ‘limited use obligation’. This obligation restricts the disclosure or use of ransomware reporting information.
- The Cyber Security Bill will establish an independent board to review significant cyber security incidents and provide recommendations.
- The new Cyber Security Bill is looking to set out new, mandatory security standards for smart devices. Entities that intend to supply or manufacture smart products to which the rules apply will need to comply with the security requirements.
Detailed information regarding the new Cyber Security Bill, as well as the SOCI Bill and IS Bill, is available on the Australian Government Department of Home Affairs official website.
Mandatory standards for smart devices
Under the new Cyber Security Bill, the relevant Minister will have the power to mandate security standards for internet or network-capable devices. Currently, smart devices are not subject to any mandatory cyber security standards in Australia.
The absence of mandatory cyber security standards for smart devices, like smart TVs, smartphones, home assistants, and even baby monitors, has been a growing concern. These devices play a massive role in daily Australian life, from work to leisure, communication, and transactions.
This new Cyber Security Bill will enforce a requirement that all smart device manufacturers and suppliers active in the Australian market will have to meet the mandated security standards, as well as produce statements of compliance for confirmation.
If an organisation fails to comply, the Secretary of Home Affairs will have the power to issue enforcement notices. Potential enforcement actions include compliance notices, stop notices, and recall notices.
Why are mandated security standards important?
The mandated security standards, as proposed in the legislative package, are still to be determined. If the package goes through, however, it would mark a historic moment in Australian cyber security history.
Introducing mandatory security standards for smart devices is critical for protecting user privacy, enhancing the country’s cyber security, and ensuring the safety of the broader digital ecosystem.
Smart devices have become a hub for almost everything in our daily lives, from general banking and finance to handling sensitive business data to private emails and messages. A cyber security incident on a smart device can lead to life-changing, long-lasting impacts.
Mandatory security standards ensure manufacturers are always striving to prioritise safety, and also hold them accountable. Standards will prevent companies from being able to cut corners and provide a legal framework to enforce security requirements.
Smart devices, like phones, are also integral to much of the critical infrastructure across Australia. This includes healthcare facilities and transportation networks. Mandating security standards also acts as a measure to help protect and guard critical infrastructure from cyber attacks.
Recently, Australia has also proposed mandatory guardrails for artificial intelligence. Between the Cyber Security Legislative Package and mandatory AI regulations, the country’s goal to become a leader in safe technology use is looking promising.