The Albanese government today introduced long-awaited legislation to parliament which is set to revolutionise Australia’s cyber security preparedness.

The legislation^[1], if passed, will be Australia’s first standalone cyber security act. It’s aimed at protecting businesses and consumers from the rising tide of cyber crime.

So what are the key provisions, and will it be enough?

What’s in the new laws?

The new laws have a strong focus on victims of “ransomware” – malicious software cyber criminals use to block access to crucial files or data until a ransom has been paid^[2].

People who pay a ransom do not always regain lost data^[3]. The payments also sustain the hacker’s business model.

Under the new law, victims of ransomware attacks who make payments must report the payment to authorities. This will help^[4] the government track cyber criminal activities and understand how much money is being lost to ransomware.

The laws also involve new obligations for the National Cyber Security Coordinator^[5] and Australian Signals Directorate^[6]. These obligations restrict how these two bodies can use information provided to them by businesses and industry about cyber security incidents. The government hopes this will encourage organisations to more openly share information knowing it will be safeguarded.

Separately, organisations in critical infrastructure – such as energy, transport, communications, health and finance – will be required to strengthen programs used to secure individuals’ private data.

The new legislation will also upgrade the investigative powers of the Cyber Incident Review Board^[7]. The board will conduct^[8] “no-fault” investigations after significant cyber attacks. The board will then share insights to promote improvements in cyber security practices more generally. These insights will be anonymised to ensure the identities of victims of cyber attacks aren’t publicly revealed.

The legislation will also introduce new minimum cyber security standards for all smart devices^[9], such as watches, televisions, speakers and doorbells.

These standards will establish a baseline level of security for consumers. They will include secure default settings, unique device passwords, regular security updates and encryption of sensitive data.

This is a welcome step that will ensure everyday devices meet minimum security criteria before they can be sold in Australia.

A long-overdue step

Cyber security incidents^[10] have surged by 23% in the past financial year, to more than 94,000 reported cases. This is equivalent to one attack every six minutes.

This dramatic increase underscores the growing sophistication and frequency of cyber attacks targeting Australian businesses and individuals. It also highlights the urgent need for a comprehensive national response.

High-profile cyber attacks have further emphasised the need to strengthen Australia’s cyber security framework. The 2022 Optus data breach is perhaps the most prominent example. The breach compromised the personal information of more than 11 million Australians, alarming both the government and the public, not to mention Optus.

Cyber Security Minister Tony Burke says^[11] the Cyber Security Act is a “long-overdue step” that reflects the government’s concern about these threats.

Prime Minister Anthony Albanese has also acknowledged recent high-profile attacks as a “wake-up call^[12]” for businesses, emphasising the need for a unified approach to cyber security.

The Australian government wants^[13] to establish Australia as a world leader in cyber security by 2030. This goal reflects the government’s acknowledgement that cyber security is fundamental to national security, economic prosperity and social well being.

References

1. ^{^} legislation (www.aph.gov.au)
2. ^{^} until a ransom has been paid (theconversation.com)
3. ^{^} do not always regain lost data (www.austrac.gov.au)
4. ^{^} will help (cybercx.com.au)
5. ^{^} National Cyber Security Coordinator (www.homeaffairs.gov.au)
6. ^{^} Australian Signals Directorate (www.asd.gov.au)
7. ^{^} Cyber Incident Review Board (publicspectrum.co)
8. ^{^} conduct (bn.nswbar.asn.au)
9. ^{^} smart devices (thenightly.com.au)
10. ^{^} Cyber security incidents (www.abc.net.au)
11. ^{^} says (www.abc.net.au)
12. ^{^} wake-up call (iapp.org)
13. ^{^} The Australian government wants (www.homeaffairs.gov.au)
14. ^{^} Mick Tsikas/AAP (www.aph.gov.au)
15. ^{^} compliance (cybercx.com.au)