
New cyber legislation to help Australia ‘keep pace with emerging threats’, minister says

Australia is set to enable mandatory reporting of ransom payments and new standards for smart devices with its standalone Cyber Security Act, according to Minister Tony Burke.

Daniel Croft, 11 October 2024, Politics

Editor’s note: This story first appeared on Lawyers Weekly’s sister brand, Cyber Daily.

Earlier this week, Cyber Security Minister Tony Burke proposed new legislation to the lower house that would result in the country’s first standalone Cyber Security Act.


The new legislation will introduce mandatory reporting for those who paid threat actors ransom, minimum cyber security standards for smart devices, and the establishment of a Cyber Incident Review Board, all as part of seven sections of the 2023–2030 Australian Cyber Security Strategy.

“The creation of a Cyber Security Act is a long-overdue step for our country and reflects the government’s deep concern and focus on these threats,” Minister Burke told the media.

“This legislation ensures we keep pace with emerging threats, positioning individuals and businesses better to respond to, and bounce back from cyber security threats.

“To achieve Australia’s vision of being a world leader in cyber security by 2030, we need the unified effort of government, industry and the community.”

A key element of the new legislation is the introduction of “limited-use” or “safe harbour” provisions, which will encourage organisations to come forward after a cyber attack and share details with government agencies by limiting those agencies’ use of the shared information to assisting the organisation and developing strategies to mitigate future cyber attacks.

The government will not be able to immediately use the shared information for regulatory action against the organisation.

Additionally, the Cyber Security Act would introduce a new government power that will force critical infrastructure operators to deal with major flaws in their risk management programs. These operators include organisations in the defence industry, financial markets, transport, utilities such as power and water, groceries, and communication.

The power could see companies forced to hand over information to the government or see the minister direct the actions of critical infrastructure providers when dealing with a major cyber incident.

Furthermore, the regulation of telecommunications security will be shifted under the Security of Critical Infrastructure (SOCI) Act.

In the 2022–2023 year alone, the Australian Signals Directorate (ASD) said it responded to 143 incidents “by entities who self-identified as critical infrastructure”, a dramatic increase from the 95 reported the previous year.

Additionally, the Australian Cyber Security Centre (ACSC) said that over the same period, there were 94,000 reports of cyber attacks in Australia, equating to one every six minutes.