On 9 October 2024, the Minister for Cyber Security and Leader of the House, the Honourable Tony Burke MP, tabled the Cyber Security Bill 2024, aimed at enhancing national security and protecting businesses from cyber threats. In introducing the Bill, Minister Burke explained that it addresses whole-of-economy cybersecurity issues and positions the government to respond to new and emerging threats, including the ability to counter ransomware and cyber extortion. The key measures proposed by the Bill include:
- Mandatory 72-hour reporting obligation for entities that receive a ransomware demand and make a payment in connection with that cyber security incident.
- ‘Limited use’ obligation restricting information provided to the National Cyber Security Coordinator (NCSC) during a cyber incident from being provided to another Commonwealth body for investigation or enforcement not related to the Bill.
- Establishing a Cyber Incident Review Board (CIRB) to conduct no-fault post-incident reviews of significant cyber security incidents. The Board is modelled on similar bodies, including the U.S. Cyber Safety Review Board, and will also make recommendations for both government and organisations to enhance Australia’s cyber resilience.
- Enabling the government to establish mandatory security standards for smart devices. The aim is to bring Australia into line with international best practice and enhance consumer security, such as prohibiting universal default passwords on smart devices.
The Bill has been referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry and report. Submissions were only open for two weeks, and public hearings took place on 31 October and 1 November. A number of the submissions have identified issues and made recommendations for amendments. Among them is the submission from the Law Council of Australia, which has recommended that ‘the Bill should clarify that material identified as subject to legal professional privilege is not subject to reporting requirements. Further, there should be consistent and clear statutory safeguards that the disclosure of privileged information (whether required or voluntarily provided) does not amount to a subsequent waiver of privilege.’