The Australian government has unveiled a comprehensive cybersecurity bill aimed at bolstering national defenses against cyberattacks and ransomware threats.
The Cyber Security Bill 2024, introduced by Cyber Security Minister Tony Burke, outlines a series of legislative reforms, including:
- Mandatory Ransomware Reporting: Businesses that pay ransomware attackers will be legally obligated to report the incident to the government. This data will be crucial in understanding the scope of the ransomware threat and developing targeted solutions.
- Limits on Information Sharing: To encourage businesses to report ransomware incidents, the bill restricts how the National Cyber Security Coordinator and the Australian Signals Directorate (ASD) can use or share this information. This aims to address concerns about intelligence agencies hindering incident response efforts.
- Security Standards for Smart Devices: The bill will establish mandatory cybersecurity standards for smart devices, aiming to address the current lack of basic security protections in these increasingly popular products.
- Independent Cyber Incident Review Board: Inspired by the US Cyber Safety Review Board, a new independent board will review significant cyber incidents like the recent Optus, Medibank, and MediSecure breaches. The board’s findings will be used to improve organizational practices and prepare for future attacks.
- Strengthening Critical Infrastructure Security: The Security of Critical Infrastructure Act (SOCI) will be updated to empower regulators to compel critical infrastructure entities to address serious security deficiencies. The act’s coverage will also broaden to include secondary assets and data systems associated with critical infrastructure, along with an “assistance framework” to handle non-cyber incidents impacting these systems.
Minister Burke emphasized the urgency of these reforms, highlighting the financial burden of ransomware on Australian businesses and the national security risks posed by cyberattacks.
The bill also streamlines the regulatory environment by transferring obligations for telecommunications asset owners from the Telecommunications Act to the SOCI Act.
The proposed legislation reflects the Australian government’s commitment to becoming a global leader in cybersecurity by 2030. The bill is expected to face further discussion and potential amendments before becoming law.