Australia proposes Cyber Security Bill to strengthen cybersecurity across public and private sectors

On Wednesday 9 October 2024, the Australian Government tabled the Cyber Security Bill 2024 (Cth) (the Bill) in Federal Parliament. While the Security of Critical Infrastructure Act 2018 (Cth) already imposes cybersecurity obligations on owners and operators of critical infrastructure, the Bill is the first Australian law specifically designed to strengthen cybersecurity across the whole of the Australian public and private sectors.

The law introduces a series of measures which seek to strengthen cybersecurity in Australia, many of which are novel by international standards. The Bill:

  • mandates security standards for certain products sold in Australia that directly or indirectly connect to networks;
  • requires entities (with revenue over a threshold yet to be determined) who make ransomware payments to report those payments to the Australian Signals Directorate within 72 hours of the payment being made;
  • allows entities impacted by a “significant cyber security incident” to voluntarily report information to the National Cyber Security Coordinator, and encourages information-sharing by providing that any such information may only be used and disclosed for limited purposes, and is not admissible as evidence in proceedings against the entity that provided it;
  • facilitates the sharing of information about cyber security incidents by the Australian Government to State and Territory Governments for limited purposes; and
  • establishes a Cyber Incident Review Board, which has the power to conduct reviews in relation to major cyber security incidents, and make recommendations to Government and industry about actions that can be taken to prevent, detect, respond to or minimise the impact of similar incidents in the future.

Security standards for connectable products

The Bill provides that the Minister may make rules which provide a security standard for a product which connects to the internet or a network (a “connectable product”) and is sold in Australia. This would include mobile phones and computing and networking equipment, but also other internet-connected devices such as security cameras, home assistant devices, sensors, appliances and motor vehicles.

If the rules provide a security standard for a connectable product:

  • manufacturers must manufacture the connectable product in compliance with the requirements of the security standard, if they are aware, or ought to be aware, that the connectable product will be sold in Australia;
  • a supplier must supply the connectable product with a statement of compliance;
  • a supplier must not supply a connectable product in Australia that does not comply with the security standard, if they are aware, or ought to be aware, that the connectable product will be sold in Australia; and
  • manufacturers and suppliers must comply with any other requirements of the security standard (for example, to publish information about the connectable product).

Connectable products that do not meet the security standards may be subject to mandatory recall from sale in Australia.

Ransomware payment reporting

The Bill imposes a reporting obligation on an entity which is impacted by a ransomware attack and which has made a ransomware payment to a threat actor, or is aware that another entity has made a ransomware payment to a threat actor on its behalf.

The reporting obligation will only apply to entities with an annual turnover above a threshold which is yet to be determined.

The ransomware payment report must be made to the Australian Signals Directorate (or such other Government body specified in the rules) within 72 hours of the ransomware payment being made, and must include:

  • the contact and business details of the entity that made the payment;
  • details of the cyber security incident, including its impact on the entity;
  • details of the demand made by the threat actor;
  • details of the ransomware payment;
  • details of any communications with the extorting entity relating to the incident, the demand and the payment; and
  • any other details required by the rules.

An entity which fails to notify a ransomware payment may be subject to a civil penalty of up to AUD19,800.

Voluntary reporting of information

The Bill provides that an impacted entity may voluntarily report information to the National Cyber Security Coordinator (NCSC) in relation to “significant cyber security incidents”. A significant cyber security incident is one where there is a material risk that the incident has seriously prejudiced, or could reasonably be expected to seriously prejudice, the social or economic stability of Australia or its people, or the defence or national security of Australia, or where the incident is, or could reasonably be expected to be, of serious concern to the Australian people.

The NCSC’s role is to lead the coordination and triaging of action in response to a significant cyber security incident across the whole of the Australian Government.

Cyber Incident Review Board

The Bill establishes the Cyber Incident Review Board, a body responsible for conducting reviews in relation to significant cyber security incidents (as defined above) or other cyber security incidents which involve novel or complex methods or technologies.

The Cyber Incident Review Board will have powers to compel entities to produce information and documents to assist a review.

Following a review, the Cyber Incident Review Board will publish its report and make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of cyber security incidents of a similar nature in the future.

Limits on the use of reported information

Finally, the Bill limits the purposes for which information provided by entities under the Bill (ransomware payment reports made to the Australian Signals Directorate, information voluntarily reported to the NCSC in relation to a significant cyber security incident, and information provided to the Cyber Incident Review Board) may be used by the Australian Government. Permitted purposes include responding to, mitigating or resolving the incident, assisting the entity to respond to the incident, and conducting criminal proceedings. The accompanying Intelligence Services Reform Bill 2024 (Cth) limits the purposes for which the Australian Signals Directorate may on-share information it receives under the Bill.

The Bill also provides that information provided by entities under the Bill:

  • may not be used for the purposes of investigating or enforcing any contravention by the reporting entity of a Commonwealth, State or Territory law;
  • is not admissible in evidence in most criminal and civil proceedings against the reporting entity; and
  • does not constitute a waiver of any legal professional privilege in that information.

These provisions aim to make entities more willing to share information in relation to cyber security incidents by reducing the risk that such information will be used against them in any way.