Australia's cyber security landscape continues to adapt to the threat of increasingly sophisticated cyber crime. In an attempt to strengthen its regulatory frameworks, the Federal Government released the 2023-2030 Australian Cyber Security Strategy: Legislative Reforms Consultation Paper (the Consultation Paper). The Consultation Paper seeks to advance the Federal Government's ambitions of becoming a global cyber security leader by 2030, as illustrated in its 2023-2030 Australian Cyber Security Strategy (Strategy) and associated 2023-2030 Australian Cyber Security Action Plan (Action Plan) (see our previous article Australia's roadmap to global cyber leadership for background information about the Strategy and Action Plan).
At its core, the Consultation Paper seeks feedback on:
- four proposed legislative initiatives that would have broad application across all organisations, including regarding the reporting of ransomware attacks and payments; and
- five proposed measures that amend the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), and which are of relevance to organisations that operate critical infrastructure assets.
Organisations wishing to provide a submission must do so by 5.00pm AEDT, Friday 1 March 2024.
Broad cyber security legislative reforms
In light of recent major data breaches and the increasing frequency of these incidents, the Federal Government intends to promote four proposed legislative reforms aimed at regenerating confidence within Australian businesses through strengthening cyber resilience nationally. At a high level, these four proposals involve:
- adopting mandatory secure-by-design standards for Internet of Things (IoT) devices;
- implementing no-fault, no-liability ransomware reporting obligations;
- a limited-use obligation for utilisation by the Australian Signals Directorate (ASD) and National Cyber Security Coordinator (Cyber Security Coordinator); and
- the establishment of the Cyber Incident Review Board (CIRB).
Legislative proposal 1: Secure-by-design standards for IoT devices
This proposal seeks to design a mandatory cyber security standard for consumer-grade IoT devices. The Federal Government proposes to adopt the first three principles of the ETSI EN 303 645 standard, which mandates cyber security for relevant IoT devices in the Australian market. This approach aligns with international standards (for example, the United Kingdom's Product Safety and Telecommunications Infrastructure Act 2022) and specifically requires entities to:
- ensure that smart devices do not have universal default passwords;
- implement an avenue to receive reports of cyber vulnerabilities in smart devices; and
- provide information on minimum security update periods for software in smart devices.
A regulatory function will be established within the Department of Home Affairs for the purposes of monitoring the implementation and ongoing compliance of the proposed standard.
Legislative proposal 2: Ransomware reporting obligations
The second legislative proposal seeks to implement no-fault, no-liability mandatory reporting obligations for ransomware incidents and payments, to address the significant underreporting of ransomware and cyber extortion attacks. According to the Government:
- the no-fault aspect encourages impacted entities to report an incident without fear of being blamed by the relevant government agency for having been the subject of a cyber extortion or ransomware attack; and
- the no-liability aspect provides reassurance to an impacted entity that it will not be prosecuted for making a ransom payment.
Although earlier discussions suggested that legislative reforms would prohibit the payment of ransom following a cyber attack, the Consultation Paper confirms that the Federal Government does not propose to criminalise the payment of ransom as this could lead to unintended or undesired outcomes. The Federal Government has, however, reiterated its strong recommendation not to pay ransom amounts to cyber criminals.
This legislative proposal establishes two reporting obligations. In the event that an entity experiences a ransomware or cyber extortion attack, it would need to report to the Federal Government that it has:
- experienced a relevant attack and received a demand to make payment to decrypt its data or prevent its data from being sold or released; or
- made a ransomware or extortion payment.
If the impacted entity pays a ransom, it would be required to make separate reports relating to each of the two limbs specified (i.e. one for receiving a demand and a separate one for making a payment). To ensure operational and regulatory consistency, the Federal Government has suggested a similar reporting timeframe as currently prescribed for other cyber-related reporting obligations (e.g. the SOCI Act's requirement to report cyber incidents within 72 hours).
Furthermore, in considering which types of entities should be subject to these new reporting obligations, the Federal Government has noted its hesitation about increasing the regulatory burden on Australian businesses, and the consequent disproportionate impact these obligations would have on smaller businesses with limited resources to discharge them. As a potential compromise, the Consultation Paper suggests limiting the scope of application by introducing threshold requirements. For instance, reporting obligations may be restricted to businesses with an annual turnover of more than $10 million per year.
In relation to enforcement, the Consultation Paper proposes the implementation of a proportionate compliance framework (i.e. a civil penalty provision) for non-compliance with the obligations. However, criminal penalties will not be imposed in the event of non-compliance.
Legislative proposal 3: Limited-use obligation for utilisation by the ASD and the Cyber Security Coordinator
To further increase transparency between impacted entities and the Federal Government following a cyber incident, the Consultation Paper suggests the implementation of a limited-use obligation to be utilised by the ASD and the Cyber Security Coordinator. This obligation would encourage impacted entities to voluntarily provide information to the ASD and the Cyber Security Coordinator about a related cyber incident. As regards the limited-use aspect, information disclosed by the impacted entity would only be used for specific cyber security purposes and would not be utilised by regulatory agencies for compliance action (such as investigations) against the impacted entity.
Some of the permitted purposes suggested in the Consultation Paper include:
- assisting the impacted entity in preventing, responding to and mitigating the cyber security incident;
- facilitating consequence management after a cyber incident;
- identifying potential cyber security vulnerabilities and taking steps to prevent further incidents; and
- informing relevant ministers and government officials of the fact of a significant cyber security incident.
To further encourage impacted entities to disclose information following a cyber incident, the Government has sought suggestions, in submissions, as to other incentives and assurances that could be made available to impacted entities.
Legislative proposal 4: Cyber Incident Review Board
The final legislative proposal seeks to establish the CIRB, which would be tasked with conducting no-fault reviews of 'significant' cyber incidents. Whether a cyber incident is considered 'significant' will depend on various factors, such as the technical severity and complexity of the incident and the level of public interest surrounding it. In essence, this legislative proposal attempts to analyse the root causes of various cyber incidents for the purpose of disseminating key lessons to the broader Australian community and strengthening national cyber resilience.
Some of the proposed key functions of the CIRB would include:
- conducting no-fault, post-incident reviews of cyber incidents for the purposes of obtaining a factual understanding of the cyber incident and analysing the actions undertaken by the impacted entities and government agencies prior and subsequent to the cyber incident itself; and
- publicly sharing findings and best practice learnings from 'significant' cyber incidents which may involve making public reports and appropriate recommendations.
As a point of clarification, the Consultation Paper highlights that the CIRB would not be an enforcement, intelligence or regulatory body. Submissions have been requested on the question of whether the CIRB should possess limited information-gathering powers, or should have no power to compel impacted entities to provide relevant information and instead only be able to request that an impacted entity voluntarily provide information.
Proposed amendments to the SOCI Act
The second part of the Consultation Paper focusses on Australia's critical infrastructure laws. Specifically, the Federal Government is seeking to clarify and uplift obligations relating to the protection of critical infrastructure assets, by implementing five measures that amend the SOCI Act. Broadly, the five measures are as follows:
- clarifying an array of obligations for critical infrastructure entities to safeguard data storage systems containing 'business-critical data';
- introducing 'last resort' consequence management powers for the Minister for Home Affairs to authorise directions to a critical infrastructure entity;
- simplifying information sharing, through revising the 'protected information' definition within the SOCI Act, to optimise a critical infrastructure entity's ability to respond to high-risk and time-sensitive incidents;
- providing the Secretary of Home Affairs (Secretary) (or a relevant Commonwealth regulator) the power to direct a critical infrastructure entity to amend its risk management program to address material deficiencies; and
- consolidating security requirements for the telecommunications sector.
In proposing such amendments, the Federal Government is seeking to avoid duplication of relevant obligations and to ensure the SOCI Act requirements are complementary with adjacent regulatory frameworks (such as the Privacy Act 1988 (Cth)).
A detailed breakdown of each proposed amendment is set out below.
SOCI measure 1: Protection of critical data in 'business critical' data storage systems
Recent trends highlight an increasing number of cyber incidents impacting non-personal data (i.e. various forms of encryption keys, algorithms and operational system codes) held by critical infrastructure entities within data storage systems. In response to this trend, the Consultation Paper sets out the following two proposed amendments:
- section 5 of the SOCI Act: inclusion of data storage systems holding 'business critical data' in the definition of 'asset'; and
- section 6 of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (CIRMP Rules): inclusion of risks to data storage systems holding 'business critical data', and the systems that access that data, as 'material risks'.
These amendments would compel critical infrastructure entities to consider the data storage systems that hold 'business critical data' in their vulnerability assessments, including proactively identifying and mitigating risks to the relevant data storage systems.
SOCI measure 2: 'Last resort' consequence management power
Many businesses struggle to effectively respond to the high-risk and fast-paced nature of cyber threats. This is particularly problematic in the context of critical infrastructure assets, given the potentially broad and severe impact of such cyber incidents on the Australian community.
Currently, government assistance powers under Part 3A of the SOCI Act are confined to the duration of the cyber event and do not extend to the aftermath (and consequences) of such incidents. In response to these limitations, the Federal Government seeks to establish 'last resort' powers within Part 3A of the SOCI Act. These powers would assist critical infrastructure entities to manage the aftermath of a cyber incident. Such powers would only be exercisable by the Minister for Home Affairs if no other existing powers are available to support a swift and efficient response.
Various safeguards and principles have been proposed to ensure this power is used appropriately. These include:
- a direction can only be given where it is to address a consequence of an event that has occurred, is occurring or is imminent, and has had, is having or is likely to have, a relevant impact on critical infrastructure; and
- through consultation with relevant government entities, the Minister must be satisfied that no existing regulatory system of the Commonwealth, a state or a territory could be used to provide a practical and effective response to the incident.
SOCI measure 3: Simplifying information sharing between government and industry stakeholders
The Consultation Paper proposes two broad amendments to clarify the information sharing provisions within the SOCI Act. The current provisions are considered convoluted, which may ultimately hinder the ability of critical infrastructure entities to be agile in their response. In particular, the proposed amendments seek to clarify when critical infrastructure entities may disclose protected information for risk mitigation or operational purposes, and to clarify government agencies' information sharing rights.
As part of these proposals, further clarification will be provided on:
- the definition of 'protected information' under the SOCI Act, which will be amended to ensure entities take a 'harms-based approach' (i.e. consideration of the potential risk to the security of the asset, commercial interests, the Australian public, etc.) when disclosing information; and
- the authorisation provided to entities to disclose information for the broader purpose of the continued operation of, or mitigation of risk to, an asset (as opposed to disclosure of information for ensuring compliance with a specific provision under the SOCI Act). Such disclosure will be balanced with other pertinent security considerations through this 'harms-based' approach to disclosing information under the SOCI Act.
SOCI measure 4: Review and remedy powers
The fourth proposal seeks to introduce a formal, written directions power within Part 2A of the SOCI Act to enable the Secretary (or a relevant Commonwealth regulator) to compel a critical infrastructure entity to rectify deficiencies within its critical infrastructure risk management program (CIRMP). The power is enlivened where:
- following consideration of the relevant facts and an entity's compliance with SOCI Act obligations and delegated legislation, the Secretary (or a relevant Commonwealth regulator) has formed a reasonable belief that the CIRMP is deficient;
- the deficiency carries a material risk to the socioeconomic stability, defence, or national security of Australia;
- there is a significant or credible threat to national security; and
- the Secretary (or a relevant Commonwealth regulator) is satisfied that the direction will likely compel an effective response to address the relevant risk posed by the deficient CIRMP.
Prior to issuing the direction, the Secretary or regulator will need to give the relevant critical infrastructure entity written notice which, amongst other things, sets out the proposed actions that must be taken by the entity to remedy its non-compliance.
SOCI measure 5: Consolidation of telecommunication security requirements
There are several obligations imposed on the telecommunications sector which span the Telecommunications Act 1997 (Cth) (Telecommunications Act) and the SOCI Act. To minimise confusion that may arise from multiple regulatory regimes, the Federal Government seeks to align the standards imposed on telecommunications providers (which are generally considered critical infrastructure entities for the purposes of the SOCI Act). Specifically, the proposal will consolidate the following amendments under a new 'Telecommunications Security and Risk Management Program' in the SOCI Act:
- transfer the security obligations (in particular, the security obligation and notification obligation) under Part 14 of the Telecommunications Act to the SOCI Act; and
- relevant 'SOCI-like' obligations under the Telecommunications Act will be repealed and transferred to the SOCI Act.
Reference to a harmonised 'Cyber Security Act'
The Consultation Paper refers to the Federal Government's consideration of a 'Cyber Security Act' which harmonises a broad suite of domestic cyber security legislation into a unified legislative instrument. Whilst the Consultation Paper addresses regulatory gaps within in-force legislation, a unified legislative instrument has not been ruled out.
Advancing Australia's leadership in cyber security
The Consultation Paper includes a comprehensive set of measures that seek to catapult Australia to the forefront of international cyber security laws. A key theme throughout the Consultation Paper is the need for increased collaboration between the public and private sectors in the ongoing battle against increasingly sophisticated malicious cyber actors. However, like the Strategy and Action Plan, the Consultation Paper is ambitious. Whether such ambitions are fulfilled may depend on the quality of submissions received from key stakeholders and the Federal Government's subsequent approach to those submissions. Nonetheless, the Federal Government is responding to the evolving cyber landscape by:
- addressing cyber-related gaps within its regulatory frameworks; and
- strengthening the security of Australia's critical infrastructure assets.
Organisations wishing to provide a submission must do so by 5.00pm AEDT, Friday 1 March 2024. MinterEllison will closely monitor the evolution of these issues following the closure of submissions and provide further updates on key developments.
As a leader in cyber security, MinterEllison provides integrated legal, cyber risk, and technology consulting services. This integrated capability enables us to advise and navigate our clients through the challenging and complex cyber security risk landscape. Please contact us if you would like assistance managing your cyber risks, or in preparing a submission in response to the Consultation Paper.