David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University
The Albanese government today introduced long-awaited legislation to parliament which is set to revolutionise Australia’s cyber security preparedness.
The legislation, if passed, will be Australia’s first standalone cyber security act. It’s aimed at protecting businesses and consumers from the rising tide of cyber crime.
So what are the key provisions, and will it be enough?
What’s in the new laws?
The new laws have a strong focus on victims of “ransomware” – malicious software cyber criminals use to block access to crucial files or data until a ransom has been paid.
People who pay a ransom do not always regain lost data. The payments also sustain the hacker’s business model.
Under the new law, victims of ransomware attacks who make payments must report the payment to authorities. This will help the government track cyber criminal activities and understand how much money is being lost to ransomware.
The laws also involve new obligations for the National Cyber Security Coordinator and Australian Signals Directorate. These obligations restrict how these two bodies can use information provided to them by businesses and industry about cyber security incidents. The government hopes this will encourage organisations to more openly share information knowing it will be safeguarded.
Separately, organisations in critical infrastructure – such as energy, transport, communications, health and finance – will be required to strengthen programs used to secure individuals’ private data.
The new legislation will also upgrade the investigative powers of the Cyber Incident Review Board. The board will conduct “no-fault” investigations after significant cyber attacks. The board will then share insights to promote improvements in cyber security practices more generally. These insights will be anonymised to ensure the identities of victims of cyber attacks aren’t publicly revealed.
The legislation will also introduce new minimum cyber security standards for all smart devices, such as watches, televisions, speakers and doorbells.
These standards will establish a baseline level of security for consumers. They will include secure default settings, unique device passwords, regular security updates and encryption of sensitive data.
This is a welcome step that will ensure everyday devices meet minimum security criteria before they can be sold in Australia.
A long-overdue step
Cyber security incidents have surged by 23% in the past financial year, to more than 94,000 reported cases. This is equivalent to one attack every six minutes.
This dramatic increase underscores the growing sophistication and frequency of cyber attacks targeting Australian businesses and individuals. It also highlights the urgent need for a comprehensive national response.
High-profile cyber attacks have further emphasised the need to strengthen Australia’s cyber security framework. The 2022 Optus data breach is perhaps the most prominent example. The breach compromised the personal information of more than 11 million Australians, alarming both the government and the public, not to mention Optus.
Cyber Security Minister Tony Burke says the Cyber Security Act is a “long-overdue step” that reflects the government’s concern about these threats.
Prime Minister Anthony Albanese has also acknowledged recent high-profile attacks as a “wake-up call” for businesses, emphasising the need for a unified approach to cyber security.
The Australian government wants to establish Australia as a world leader in cyber security by 2030. This goal reflects the government’s acknowledgement that cyber security is fundamental to national security, economic prosperity and social well being.
Broader implications
The proposed laws will enhance national security. But they could also present challenges.
For example, even though the laws place limitations on how the National Cyber Security Coordinator and Australian Signals Directorate can use information, some businesses might still be unwilling to share confidential data because they are worried about damage to their reputation.
Businesses, especially smaller ones, will also face a substantial compliance burden as they adapt to new reporting requirements. They will also potentially need to invest more heavily in cyber security measures. This could lead to increased costs, which might ultimately be passed on to consumers.
The proposed legislation will require careful implementation to balance the needs of national security, business operations and individual privacy rights.
David Tuffley does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.
