Australia bolsters cyber defences with security bill

Legislation tackles IoT security and establishes a Cyber Incident Review Board to bolster Australia’s cyber resilience

Australia introduced a new cyber security bill this week in a move to overhaul the nation’s cyber security framework, addressing key areas including security standards for internet-of-things (IoT) devices, mandatory reporting of ransomware incidents, and the creation of a Cyber Incident Review Board.

The government said the bill will provide “a clear legislative framework for contemporary, whole-of-economy cyber security issues, positioning the Australian government to identify and respond to new and emerging cyber security threats”.

The bill moves IoT devices from a voluntary to a mandatory code of practice and aligns with UK legal definitions and requirements to minimise the burden on industry. Manufacturers will be required to provide a compliance statement declaring adherence to the relevant security standards, with support provided for a defined period.

The legislation’s scope extends beyond internet protocol (IP) devices to encompass products connecting bidirectionally with internet-connectable devices, regardless of the connection type, unless the device only connects to one other device at a time.

This broadened definition encompasses connected vehicles, a timely issue given recent concerns around data collection by car manufacturers. The bill’s explanatory memorandum noted how “smart devices can be used to collect significant volumes of potentially sensitive data about users with or without the awareness of consumers”.

Security standards for device classes will be adaptable through rules established under the legislation, allowing for exemptions for specific products or categories.

The secretary of home affairs will have the power to issue enforcement notices for non-compliance, including product recalls.

Meeting security expectations

Tony Burke, Australia’s minister for home affairs and cyber security, said: “This measure not only will bring us into line with international best practice, but also will provide Australians with peace of mind that the smart devices we’ve come to rely on meet our expectations around security.

“Standards implemented under this power will be designed to enhance consumer security, such as prohibiting the use of universal default passwords on smart devices, not to create backdoors for government agencies.”

Vaughan Shanks, co-founder and CEO of Cydarm Technologies, welcomed the move, noting that this could stop web cameras from spying on people and home routers from joining botnets and being used as a residential proxy to exfiltrate data in advanced persistent threats.

The legislation will also require organisations to report ransomware and cyber extortion payments in a bid to improve visibility of these issues in the Australian economy. Businesses exceeding a specified annual turnover (currently A$3m) must report such payments within 72 hours or face penalties. Information shared will have limited permitted uses, such as assisting the affected business and supporting security agencies.

Similarly, information provided voluntarily to the National Cyber Security Coordinator in relation to a significant cyber security incident and then shared with other government agencies will be subject to a “limited use” obligation.

Corresponding limited-use obligations are included in the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill for the Australian Signals Directorate (ASD), addressing the reluctance of some entities to cooperate fully out of fear that the information they provide may be used against them in future regulatory or law enforcement proceedings.

However, law firm Ashurst warned that “these protections won’t necessarily prevent criminal investigations”, adding that they, “if properly understood and operationalised in incident response playbooks, can allow more effective and responsible engagement with cyber agencies, with less friction”.

The newly established Cyber Incident Review Board will conduct no-fault, post-incident reviews of significant cyber security events. The board, comprising public service members and industry experts, will provide recommendations to improve national cyber resilience. While possessing the power to compel document production from non-government entities, the board can only request information from commonwealth or state bodies.

“The board will ensure that we’re learning from these cyber incidents and improving Australian organisations’ practices, policies and procedures,” said Burke.

Simon Bush, CEO of the Australian Information Industry Association, said while his organisation does not agree with all aspects of the new legislation, the government cannot be faulted for its consultative approach where it has listened to industry concerns and narrowed the scope of some of the new regulations to make them more targeted and effective.

Sarah Sloan, head of government affairs and public policy at Palo Alto Networks, commended the government for its ongoing commitment to strengthening Australia’s policy and legislative response to cyber threats.

“As cyber adversaries increase in speed, scale and sophistication, it is crucial that Australia’s approach adapts accordingly to strengthen our national cyber resilience,” she said. “We also welcome the government’s collaborative approach in shaping these legislative measures.”

Burke emphasised the bill’s role in a broader cyber security legislative reform package, alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, adding that the package will “collectively strengthen our national cyber defences and build cyber resilience across the Australian economy”.