Victims Required to Report Ransom Payments According to Australian Law

New Legislation Enhances Cybersecurity Reporting and Device Standards in Australia

On November 26, 2024, the Australian Parliament passed significant cybersecurity legislation aimed at enhancing the nation’s defenses against cyber threats. The new law, known as the Cyber Security Act, serves to formalize government efforts to improve reporting of ransomware payments, establish mandatory cybersecurity standards for connected devices, and bolster protections for critical infrastructure.

This legislation is a response to increasing cyberattacks that have targeted a variety of industries within Australia, reflecting a global trend of heightened cyber risk. The introduction of the Cyber Security Act is part of a comprehensive legislative strategy designed to mitigate risks associated with cybercrime and bolster the nation’s resilience against evolving threats.

Cybersecurity Minister Tony Burke described the passage of the Cyber Security Act as a landmark reform in the government’s eight-year strategy to position Australia as the safest nation against cyber threats by 2030. The act represents a pivotal step in creating a robust legal framework that enables Australia to confront the complexities of the modern cyber landscape with greater clarity and confidence.

A key element of the new legislation is its provision empowering the minister to establish compulsory cybersecurity standards for smart devices manufactured or sold within Australia. Government agencies are also granted the authority to test these devices for vulnerabilities and mandate their removal from the market if any security flaws are detected, thus minimizing the attack surface for potential cyber adversaries.

The act imposes a restriction on how government cybersecurity agencies can utilize information gathered during investigations of reported incidents. Specifically, data collected will only be used for the purpose of investigating discrete incidents, thereby protecting businesses from potential legal repercussions stemming from their disclosures. This measure is intended to facilitate more transparent information sharing between victim organizations and government entities, which is critical in responding effectively to cybersecurity incidents.

Incorporating feedback from extensive consultations initiated in December, this legislative package aims to align Australia’s cybersecurity laws with the Australian Cyber Security Strategy. The government articulates that improved transparency regarding ransomware payments made by businesses will provide valuable insights into the economic and social implications of such attacks, a necessary step towards more effective national cybersecurity strategies. Historically, only 20% of organizations reported ransomware payments under the voluntary disclosure framework, highlighting a significant gap in understanding this threat.

Furthermore, the Cyber Security Act establishes a Cyber Incident Review Board. This board will conduct thorough, no-fault analyses of major cybersecurity events, offering recommendations to aid organizations in enhancing their preventative measures and responses to future incidents.

Amendments to the existing Security of Critical Infrastructure Act 2018 will extend the government’s oversight to include categorizing certain data storage systems as critical infrastructure. This change obliges owner-operators to adhere to regulations that enhance the security and resilience of these vital assets. Additionally, the government will now hold the authority to direct operators of critical infrastructure in response to cybersecurity incidents.

As businesses globally face an uptick in targeted cyberattacks employing tactics outlined in the MITRE ATT&CK framework—including initial access and privilege escalation—Australia’s proactive legislative measures signal a determined shift towards fortifying defenses against such threats. The ongoing evolution of cybercrime necessitates a united front, and Australia’s latest legislation represents a crucial step in building a more secure digital landscape.
