Cyber Security Bill passed into Law on Wednesday
November 27, 2024
The Cyber Security Bill has had very quick progress through the Parliament. It was introduced last month, on 9 October 2024, had its second reading debate in the House of Representatives on 19 November, and was passed in the Senate on Monday 25 November 2024. It is part of a parcel of bills, the others being the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, to amend the Security of Critical Infrastructure Act 2018.
The Bills were supported by the Coalition.
The Minister's second reading speech states:
That this bill be now read a second time.
In introducing this legislation, I acknowledge the work done in its development from the former Minister for Home Affairs, now the Minister for Housing, and also acknowledge the work of the very large number of members of the Department of Home Affairs in the cybersecurity section, who have worked for some years in the development of the legislation in the national interest that I present to the House today.
This bill, alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, form the cybersecurity legislative reforms package. This package will collectively strengthen our national cyber defences and build cyber-resilience across the Australian economy.
This suite of legislative reforms will implement key initiatives under the 2023-2030 Australian Cyber Security Strategy. This is a significant step in achieving the Australian government’s vision of becoming a world leader in cybersecurity by 2030.
To achieve this vision, Australia needs a clear legislative framework that addresses whole-of-economy cybersecurity issues and positions us to respond to new and emerging threats. We need a framework that enables individuals to trust the products they use every day. We need a framework that enhances our ability to counter ransomware and cyberextortion. We need a framework that enhances protections for victims of cyber incidents and encourages them to engage with government, and we need a framework that enables us to learn lessons from significant cybersecurity incidents so that we can be better prepared going forward.
The Cyber Security Bill provides this framework under one holistic piece of legislation.
The first measure under this bill will ensure that Australians can trust their digital products by enabling the government to establish mandatory security standards for smart devices. Australians love the convenience of smart devices at home, but consumers need to know that smart devices are still safe devices. These devices currently often lack basic cybersecurity protections. To date, smart devices have not been subject to mandatory cybersecurity standards or regulation in Australia. We’ve fallen behind our international counterparts in this regard. This measure not only will bring us into line with international best practice but also will provide Australians with peace of mind that the smart devices we’ve come to rely on also meet our expectations around security. Standards implemented under this power will be designed to enhance consumer security, such as prohibiting the use of universal default passwords on smart devices, not to create backdoors for government agencies.
The bill’s second measure will help build our understanding of the ransomware threat that continues to cause large-scale harm to the Australian economy and national security. In 2023 it was estimated that Australian businesses who paid in response to ransomware attacks paid an average of $9.27 million. This issue needs to be tackled. Mandatory reporting of ransomware payments will crystallise our picture of how much is being extorted from businesses via ransomware attacks, whom these payments are being made to and how. With these timely and comprehensive insights, the government will be better able to develop the resources, tools and supports that are most useful to industry and help break the ransomware business model. Together, we can work to prevent future ransomware crises and equip businesses to bounce back following an incident.
The Cyber Security Bill’s third measure seeks to support and assure Australian organisations as they respond to a cybersecurity incident.
Close cooperation between government and industry is one of our greatest defences against malicious cyber activity. In the wake of a cybersecurity incident, businesses need to know that they can call on government to quickly get the support they need. However, we understand that businesses can also be anxious to ensure that the information they provide isn’t going to be inappropriately on-shared or, worse, used against them.
This bill affirms the role of the National Cyber Security Coordinator to coordinate whole-of-government cyber incident response efforts. It also seeks to increase trust and engagement between business and government during an incident by limiting the circumstances under which the coordinator can use and share information that has been voluntarily provided by an affected entity. This measure complements the limited-use measure that was put in place for the Australian Signals Directorate through the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill, which I’ll introduce in a moment. With these measures, businesses will have greater comfort to report cyber incidents and gain the assistance they need in order to respond to and recover from cyber incidents.
The fourth measure in the Cyber Security Bill establishes the Cyber Incident Review Board. This board will be an independent advisory body able to conduct no-fault postincident reviews of significant cybersecurity incidents. The Optus and Medibank breaches of 2022 and the more recent MediSecure data breach demonstrate the urgent need for government and industry to collectively learn lessons from high-impact cybersecurity incidents and to prepare contingencies for future attacks. Building upon the success of the United States Cyber Safety Review Board, the Cyber Incident Review Board will review the circumstances that led to a significant cybersecurity incident, form findings and provide recommendations for both government and industry to enhance our nation’s cyber resilience. The board will ensure that we’re learning from these cyber incidents and improving Australian organisations’ practices, policies and procedures.
These four measures form the Cyber Security Bill. Together with the other bills in this package, this bill will equip both government and industry with the awareness and resilience to better protect Australians from cybersecurity threats. It will provide a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever changing cybersecurity landscape.
The government will refer this bill and the others in the package to the Parliamentary Joint Committee on Intelligence and Security and will consider any recommendations that the committee makes.
In forming the measures within this bill and the broader package, significant stakeholder consultation has been undertaken. After releasing the cyber legislative reforms consultation paper on 19 December 2023, the Department of Home Affairs led over 30 public town hall meetings, deep-dive sessions and bilateral engagements. The department received over 130 written submissions in response to the consultation paper, detailing feedback on the measures proposed. This robust co-design process has ensured the measures detailed within the bills in this package strike the right balance to achieve our security outcomes without placing undue burden on business.
I extend my thanks to all the staff at the Department of Home Affairs for their incredibly hard work in developing this bill. I’m pleased that a number of them are able to be in the chamber to see it presented to the parliament. I commend the bill to the chamber.
Tim Watts stated:
I’m very pleased to take the opportunity to speak on the Cyber Security Bill 2024 today. I first raised the issue of ransomware in this parliament more than seven years ago, in 2017. It has long been an area of interest and concern to me—including during the last parliament, when I was the shadow assistant minister for cybersecurity. I should also acknowledge that it’s an area of interest for others here in this chamber today. In that term, I introduced a private member’s bill dealing with these issues, the Ransomware Payments Bill 2021, which would have formed a policy foundation for a coordinated government response to the threat of ransomware.
As Assistant Minister for Foreign Affairs, I was pleased to work with the then cybersecurity minister, the member for Hotham, on the international chapter of the 2023-2030 Australian Cyber Security Strategy, launched in November last year. This recognised that the evolving challenges of cyberspace required us to work with our international partners to uphold international law and norms of responsible state behaviour in cyberspace and to impose costs on bad actors that make cyberspace less safe and less secure. The strategy sets out how we will improve cybersecurity, manage cyber-risks and better support Australians and Australian businesses in cyberspace. This includes reinforcing our cyberdefences; strengthening our resilience, or our ability to bounce back from cyber incidents; deterring and responding to malicious actors; and working closely with international partners—reducing the returns to bad actors targeting Australia with cybercrime and increasing the costs to them of targeting our businesses.
This bill delivers on measures promised by our government in that strategy. It takes necessary steps to ensure that Australians and Australian businesses can enjoy the full benefit of the internet, while keeping us safe. There’s an urgent need for this bill. The previous government did little to address these threats. When I introduced the private member’s bill on ransomware from opposition, the Australian Cyber Security Centre had identified ransomware as the greatest cyberthreat facing Australian business, but the current Leader of the Opposition—the previous home affairs minister and defence minister—has never even used the word ‘ransomware’ in parliament.
Last year, ransomware was still the most destructive cybercrime threat to Australians, causing up to $3 billion in damages to the Australian economy, and ransomware attacks are only becoming more prevalent in our world. This bill will lay the foundation for a co-ordinated strategy to fight ransomware. It will introduce a mandatory reporting obligation for entities that are affected by a cyber incident, receive a ransomware demand and elect to make a payment or give benefits in response to that demand. This is essential for us to be able to develop a fuller picture of ransomware attacks in Australia and the scale of the threat, enabling a more coordinated government response.
Even prior to this bill, the Albanese Labor government was already taking steps to tackle ransomware. Australia has led the International Counter Ransomware Task Force since January 2023, driving international cooperation on countering ransomware, including through information and intelligence sharing, and facilitating collaboration with law enforcement. We provided an additional $75 million to the AFP to boost the Hack the Hackers program. This is an investment that will equip the police, who are responsible for fighting cybercrime, with the skills and capabilities needed to disrupt these actors and protect the community.
The Australian Federal Police and the Australian Signals Directorate established Operation Aquila in November 2022 to investigate, target and disrupt cybercriminal syndicates. Ransomware threat groups were a priority, and under Operation Aquila the AFP and ASD, with other agencies and international partners, were able to link Mr Aleksandr Ermakov to the breach of the Medibank Private network. Following very substantive efforts across these agencies, in an Australian first, we used Australia’s cybersanctions powers on Mr Ermakov for his role in the cyberattack earlier this year.
Our cybersanctions framework was established to deter and frustrate cybercriminals, to impose costs on them for their activities. It enables us to sanction a person or entity in relation to a significant cyberincident with a targeted financial sanction and/or travel ban. This disrupts their ability to conduct their business by limiting their access to the financial system, including crypto exchanges, and their ability to travel overseas. It also reveals their identity and their tradecraft, exposing cybercriminals who trade in anonymity, and makes it more difficult for them to conduct their activities. Frankly, being sanctioned is bad for business. Cybersanctions are now a key tool for us to consider when responding to significant cyberincidents.
I am pleased that since sanctioning Aleksandr Ermakov we have also sanctioned a further four Russian cybercriminals and imposed cybersanctions on three people for their involvement in the Evil Corp cybercrime group: Maksim Viktorovich Yakubets, Igor Olegovich Turashev and Aleksandr Viktorovich Ryzhenkov. They had senior roles in Evil Corp. I called for Mr Yakubets to be sanctioned during debate in this place during the introduction of the Magnitsky legislation in 2021. I said at that time:
… Maksim Yakubets, the leader of the Evil Corp ransomware group in Russia, has been sanctioned by the US government. He drives a fluoro camouflaged Lamborghini with the licence plate ‘Thief’. That kind of impunity needs to end.
So it was particularly satisfying to see the Australian government sanction him last month. We have also sanctioned Dmitry Khoroshev for his senior leadership role in the LockBit ransomware group.
We have taken clear steps to deter cybercriminals from targeting Australians. The Australian Cyber Security Centre also provides ransomware guidance to help Australians and businesses protect themselves and respond to ransomware attacks. They are available to provide assistance 24/7. One key piece of advice from the ACSC, and something that I have said here in this place before, is that you should never pay a ransom, ever. Paying a ransom does not guarantee that you will regain access to your information or prevent further disruption. It doesn’t guarantee that your data won’t be sold or leaked. But it does provide criminal organisations with further resources and incentivises further cybercrime, putting even more Australians at risk.
This is why we need a coordinated approach to tackling ransomware. We need a whole-of-nation effort to improve the government’s threat picture to inform additional protections, current incident response procedures and future policy. That is what this bill does. It will not completely solve the ransomware issue. There are no silver bullets here. But it is a critical step. We understand that cybersecurity incidents can be sensitive issues. Targets of cyberattacks may be reluctant to report them. But we need to understand the cyberthreat landscape so the government can more effectively assist organisations with their incident responses as well as providing them with the information they need to protect themselves before these incidents occur.
The reporting of cybersecurity incidents by members of the public and Australian businesses is crucial in this respect. That is why this bill will establish a limited use obligation that will restrict how information provided to us during a cybersecurity incident will be used to give Australians and Australian businesses confidence that the information they provide will be used appropriately. We are committing to protect the information that these businesses and Australians share with government by using and sharing it only with the government agencies and regulators where necessary and only for the purpose of assisting the incident responses. This is because the Albanese Labor government wants to work with you to protect you.
This bill will also establish the power to mandate security standards for smart devices that are internet or network connected. These devices, like smart TVs, smart watches, baby monitors and home assistants, have become integral parts of our everyday lives, and our usage of and reliance on them continues to grow. Indeed, there are estimates that there will be more than 21 billion IoT devices connected to the internet globally by 2030. We want Australians to be confident in the safety of the digital products they buy, but at the moment there aren’t any mandated cybersafety standards applied to IoT products. We saw the destructive capability of these IoT products during the Mirai botnet incident some years ago. So it is essential that the government makes sure that they are safe for Australians.
Australian households and businesses are bearing the financial costs and negative societal effects of persistent and preventable cybersecurity incidents. We want to build trust in digital products so we can live in a country where safe digital products are the norm, and that’s what this bill will help to build. The establishment of a cyber incident review board to conduct postincident reviews of significant cybersecurity incidents will help ensure Australia is well placed to better prevent, detect and respond to incidents in the future, and that mechanism will assess what happened in cybersecurity incidents of national importance. It will improve public understanding about what occurred and, by doing so, it should encourage the rest of the community to learn from the incident and uplift all of our cybercapabilities together, improving our national cyber-resilience.
Now, building cyber-resilience is a shared global challenge, and Australia’s security and prosperity are linked to our regions, so our efforts do not end at our national borders. Our flagship Cyber and Critical Technology Cooperation Program works across the Indo-Pacific to help countries maximise the opportunities and mitigate the risks related to cyberspace and critical technologies to enhance the resilience of the region. Last year I announced the establishment of the Pacific Cyber Rapid Assistance for Pacific Incidents and Disasters, the RAPID teams, to help respond to cybercrises in the Pacific when Pacific governments request the assistance of the Australian government. It’s been a resounding success and warmly welcomed in the region.
In many respects Australia is already a leader in cybersecurity, but this bill will ensure that Australia has a world-leading, robust cybersecurity regime going forward. The time to act is now, and I commend this bill to the House.
Andrew Wallace stated:
I rise to speak on the Cybersecurity Bill 2024 and related bills, which I spoke about only yesterday in tabling the report. After World War II began, Hitler’s propaganda chief, Joseph Goebbels, said of the Allies:
They left us alone and let us slip through the risky zone, and we were able to sail around all dangerous reefs. And when we were done, and well armed, better than they, then they started the war!
Today, stretching from the Baltic Sea to the Korean Peninsula, once again a dark alliance of great powers has festered, working for many years to dismantle the global rules based order and, with it, Australia’s democracy.
‘Foreign interference corrodes our democracy, sovereignty, economy and community,’ as Mike Burgess, the Director-General of Security, put so well in his annual threat assessment in February. As deputy chair of the Parliamentary Joint Committee on Intelligence and Security, I know how deeply our competitors seek to embed themselves in our democracy, and one of their greatest tools is the mobilisation of cybercapabilities. Australian families and businesses know how dangerous a cyber incident can be. We all remember the Cambridge Analytica incident. From January to June 2024 alone, the Office of the Australian Information Commissioner saw 527 more notifications of cyberbreaches, impacting thousands of Australians. A third of these were what we call phishing attempts, a quarter were ransomware attacks and a fifth of these were brute-force hacking or malware attacks.
While most incidents don’t make the front-page news, Australians will recall a number of recent incidents. We saw the Medibank and AHM cyber incidents, which resulted in Australians’ sensitive health and identifying information being leaked. This large-scale attack was one in a recent string of large-scale attacks hitting Optus and Latitude Finance. The ProctorU remote education service was hacked, with 444,000 people’s data linked to the dark web. The Australian National University in 2018 fell victim to a sophisticated attack which impacted thousands of students, accessing data that was nearly 20 years old. In 2019 our very own parliament was hacked. The then head of the Australian Signals Directorate, or ASD, Mike Burgess, confirmed that cybercriminals using phishing methods sought to gain entry into the government’s network, admitting that a small amount of data was taken. Thank God for parliament’s cybersecurity unit—no sensitive data was accessed.
Australians from all walks of life know that cyberinsecurity puts lives and livelihoods at risk. Stephane Nappo from CISO said:
It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.
The impact of cyberinsecurity can be devastating, and Australian small and family businesses know this to be true as well. A former member of the US Homeland Security Council, Ted Schlein, said:
… there are only two kinds of companies in the world, those who have been breached and know it and those that have been breached and don’t know it.
Sole proprietors, subcontractors, family restaurants, vendors, digital agencies and doctors’ clinics all have access to sensitive financial, personal and legal data. And data is the treasure which digital pirates seek to loot.
At this point I want to acknowledge the great work of an organisation called IDCARE, which is based in my electorate. IDCARE is a not-for-profit organisation that does tremendous work across Australia, helping tens of thousands of people a year when they have had their digital identities stolen or corrupted. I want to send a shout-out to Dave Lacey and his team at IDCARE and encourage people that, if they have been hacked, if their data has been stolen, if their identity has been stolen, they shouldn’t waste any time; they should get on the phone to IDCARE and get some help as soon as they possibly can.
This legislation is so very important. The three bills we’re debating are designed to mandate minimum cybersecurity standards for smart devices; to introduce mandatory ransomware reporting for certain businesses to report ransom payments; to introduce limited-use obligations for the National Cyber Security Coordinator and the Australian Signals Directorate, or ASD; to establish a cyber incident review board and clarify, simplify, streamline, and align existing obligations, regulations and government assistance measures.
Once again, this important legislation to bolster Australia’s national security comes on the back of the hard work and advocacy of the coalition. Yet again we are leading the government from opposition when it comes to keeping Australians safe. We put legislation on the table for ransomware action on more than one occasion. Labor obfuscated, dithered and delayed before finally relenting, just like they did on social media reform. The issues in this bill are no different. In the Cyber Security Bill 2024, the proposed mandatory standards for smart devices are welcome, but they are long overdue. This proposal was first canvassed by the former coalition government in our 2021 cybersecurity strategy discussion paper. The same can be said about limited-use obligations. The coalition first called for legislated limited-use obligations on 22 March 2023.
We called for the construction of a cyber incident review board, identifying that our country needed a mechanism to conduct objective investigations following significant cyber incidents. In line with recommendation 5 of the PJCIS report, the coalition is committed to seeing members of the Cyber Incident Review Board drawn from industry, academia and the Public Service. As the PJCIS outlined in our report tabled just yesterday:
While it is appropriate for senior public servants—including representatives of relevant statutory agencies such as ASD—to be included on the CIRB and in the exercise of its powers, the Committee has heard from some of a desire to also include representatives external to government.
Coalition members expect that the government will, along with addressing the remainder of the 13 recommendations of the PJCIS, take action accordingly to address our concerns and the concerns raised by small businesses and Australia’s higher education sector. It is action that Australians and their businesses expect on matters as important as these. If this careless Labor government had moved more quickly with these reforms, it may have gone some way to boosting the willingness of businesses to share information with ASD in a timely and meaningful way.
The consultation process that preceded this legislation proves that the small business community and private sector are beginning to understand their role and responsibilities, as well as the threats and opportunities, when it comes to Australia’s national security. What this process shows is that industry is ready to engage with the government and this parliament in developing policy, building capacity and responding to Australia’s security threats. It’s clear to me that the Australian business community is well and truly ready to contribute to the development of a national security strategy.
While I am pleased to see the government getting on board with the coalition’s groundbreaking work to bolster Australia’s cybersecurity, more must be done. We can’t keep patching up our national security framework with quick fixes, bumper-sticker announcements and piecemeal bills. Cybersecurity, foreign interference, bribery, money laundering, border security and immigration, military secrets, scam prevention and social media reform are all important areas of legislation which the parliament has considered over the last few years, a number of them spearheaded by the coalition. But it’s time to look at the bigger picture and begin developing and implementing a comprehensive national security strategy which is responsive, forward thinking and meaningful—not just a bandaid fix. Security should be built in, not a bolt-on in response to some media coverage or public incident. It’s time for an integrated strategy that would engage Australian industry, academia, the community and all governments in developing a comprehensive plan to bolster Australia’s self-reliance, sovereignty and security. Our AUKUS partners have implemented their own national security strategies, while our government has cut back on border security, crippled the space and defence industry, and dithered and delayed on cybersecurity.
Once again, I want to pay tribute to the late, great Jim Molan AO DSC, former senator and major-general, whose fierce advocacy for a grand national security strategy continues to inspire so many, including me. We can talk all we want about a defence strategy, a defence industry plan, a cybersecurity strategy or a ransomware action plan, but to what end? As Jim Molan said:
How can there be a defence strategy without an overarching and comprehensive national security strategy? What good is it to have a brilliant defence strategy without national liquid fuel, industry, pharma, science and technology, manpower, diplomacy and stocking policies …
We learnt during COVID that Australia is behind the eight ball when it comes to global supply of essential goods and services. Medicines and medical equipment; veterinary medicine for livestock; fuel for transport; manufacturing; power; defence; food and primary produce; space defence; biosecurity; market stability; cybersecurity; and land, sea and air defence are all important components of Australia’s integrated national security. It’s time that we addressed them as a whole and not in part, not in a piecemeal fashion.
I would like to take this opportunity to commend my colleagues in the PJCIS. I have served on many, many committees in this place. I’ve chaired many of them and I’ve deputy-chaired many of them, and I can honestly say that the PJCIS has the highest workload of any committee that I have ever served on. It is not unusual for the PJCIS to be working on 14 inquiries at any one point in time.
I want to extend a shout-out to the former chair, the member for Wills. I said this yesterday and I’ll say it again: the member for Wills is a good man who believes in the importance of the security of this nation. I think the member for Wills has been through a rough trot in recent times, and I wish him the best in his new role. I also want to give a shout-out to the new chair, Senator Raff Ciccone, who has already demonstrated a terrific grasp on the issues that we deal with in this committee. I look forward to working with him, as I do with all members of the committee.
The PJCIS is too important a committee to get bogged down in petty politics. There is no greater obligation on any member who serves in this place than to keep Australians safe. The PJCIS is really at the tip of that spear in ensuring that our security and intelligence agencies do what they say they’re going to do and act in accordance with the law, and I’m very proud to be a part of it.
I thank Australian industry for their ongoing vigilance when it comes to cybersecurity, although there’s much more work to be done. I call on this government to take seriously its responsibility to protect Australians and secure our future. It’s well over time to introduce a comprehensive integrated national security strategy. Now let’s just get it done.
Andrew Charlton stated:
In July this year I was given the honour of being appointed the Special Envoy for Cyber Security and Digital Resilience by the Prime Minister. In this role I’ve had the opportunity to speak with dozens of stakeholders—from micro tech startups to multinational corporations, from sole operators to ASX 200 companies, from individual victims of cybercrime to international government counterparts. What I’ve learnt from these discussions is that cybersecurity is a critical issue that needs to be addressed at different scales with different groups and at different levels of technicality. Unlike other national security issues, the uplift of Australia’s cybersecurity is a team sport. It cannot be done by government alone. It requires an interconnected and engaged group of stakeholders from across public and private sectors, working together towards the common goal of ensuring that Australian citizens and businesses can live, work and learn safely and securely online.
The legislative reforms that we’re debating today take some key steps towards a digitally secure and safe future. It’s another significant reform that this government is bringing forward to unlock the gains that the digital economy can provide for all Australians, following work across government, such as the Attorney-General’s privacy reforms, the Treasury’s anti-scam reforms and the communications portfolio’s misinformation and disinformation reforms. This package includes our nation’s first cybersecurity act, which, together with reforms to the Intelligence Services Act, contains four critically important measures.
First, the bill will create a framework for setting mandatory security standards for smart devices. At the end of 2023 there were 109 million smart devices in Australia, there being at least one device in 73 per cent of Australian homes. By the end of 2027, there are likely to be 353 million devices in Australia, worth over $2.1 billion to the Australian economy. The Cyber Security Bill will create a framework by which any smart device sold in Australia will meet three security requirements. Firstly, each device will be sold with its own unique password, ensuring that a widescale cyberattack cannot be perpetrated on the owners of a particular piece of technology. Secondly, each device will have fault-reporting capabilities so that manufacturers have the information needed to remedy and identify vulnerabilities. Thirdly, each device will come with the information the purchaser needs to know about regularly updating the software in their device, so that any cyber vulnerabilities in software are removed as soon as possible. These critical changes will create a baseline of cybersecurity standards across Australia’s smart device market, making our everyday lives safer and more secure.
Second, the cybersecurity bill creates a requirement for businesses above a prescribed level of annual turnover to report ransomware payments to government. Ransomware remains one of the most destructive types of cybercrime in Australia, with the capacity to cripple digital infrastructure through the encryption of devices, files and folders, rendering essential computer systems inaccessible or inoperable.
This reform is not the government stepping back from its advice that a ransom should never be paid. That is still our advice. Ransoms fund further criminal activity, and there is no guarantee that, if you pay a ransom, your network or information will be handed back. In fact, for many businesses, if they pay a ransom they’re giving a signal to the market of their willingness to pay, putting themselves at risk of further and subsequent attacks. Instead, what the government is saying with this requirement is that we want to make sure we have a full picture of the ransomware threat in Australia.
There has been some public commentary that this reporting obligation will create unnecessary stress for small businesses that may be captured under the $3 million annual threshold, but the 72-hour timeframe for making a report only starts from the time that that ransom is paid, which may be some time after the incident itself occurs, and it will only be enforced in cases of egregious noncompliance. The penalty for noncompliance is not a punitive measure for acts done in good faith, as the bill clearly outlines.
Whilst those on the other side think that we should just be slapping an economy-wide ban on making any ransomware payment, the Albanese government wants to build an evidence base upon which a decision can be made. Having a thorough understanding of ransomware payments in Australia allows the Australian government to build a tailored package of assistance and guidance for victims, to assist in law enforcement and the disruption of threat activities, and, in future, to have the data to make an evidence based decision on whether a ransomware ban is suitable for Australia. This is evidence based policy, not shooting from the hip.
The third measure in the cybersecurity bill and in the amendments to the Intelligence Services Act will create a limited-use obligation whereby certain information provided by victims of a cyberattack to the National Cyber Security Coordinator and her office, or to officers from the Australian Signals Directorate, will not be able to be used for other purposes. This is incredibly important. The purpose of this limitation is to safeguard in the early stages of an incident, where information is being generated in real time and is unable to be verified. The Cyber Security Coordinator is responsible for leading whole-of-government coordination in response to significant cybersecurity incidents. Lieutenant General Michelle McGuinness is responsible for providing advice to the Minister for Cyber Security and other elected representatives that they need to direct government activities in response to a large-scale cyber incident. The coordinator and staff from her office need to receive contemporaneous information about an incident in order to perform this vital role.
In addition, ASD have the significant technical expertise to assist Australian businesses to respond to a cyberattack. They are the cyber firefighters, who need to receive technical information in real time to address an attack. That is why this piece of legislation is so important, because recent experience is that victims of a cyber attack have been hesitant to provide this vital information because of the risk of that information being lawfully provided by ASD to other Australian government regulators such as ASIC, OAIC and APRA and used against them. Government receives incident reports from a company’s general counsel, when they really need to have a direct dialogue with the chief information security officer on technical details to best employ their assistance and expertise.
These limited-use provisions will create a limitation on how information provided to the Cyber Security Coordinator or to ASD will be able to be shared, by creating requirements for these officials not to share the information except in specific and prescribed circumstances. It doesn’t mean that regulators with cybersecurity requirements to enforce are excluded from ever receiving that information, but it does mean that the OAIC, ASIC, APRA and numerous other government regulators will only be able to receive information for their regulatory purposes from the entity under their existing powers. Limited use will enable the cyber coordinator to receive the real-time information necessary to provide government support in a time of crisis. It means that ASD, our cyber firefighters, can receive the information they need in a timely way to help put out a cyber incident.
The final measure in the Cyber Security Bill 2024 is to legislate the Cyber Incident Review Board, which will conduct postincident reviews of nationally significant cyber incidents. The board will conduct inquiries and make reports to industry and government on a no-fault basis to improve Australia’s collective cybersecurity outcomes. The board will operate independent from government and have the capacity to conduct reviews on its own motion, on referral from the minister or from the cyber coordinator, or at the request of the victim of a cyber attack. It will have suitable powers to require the production of information, but information provided to the board will not be admissible in civil or criminal proceedings against the entity. Whilst reviews of previous cyber incidents can and have been conducted under government executive powers, legislating this board will create clear duties and obligations about the conduct of reviews and the treatment of information provided or generated in the course of a review. It promotes transparency of this important function and will provide public advice about an incident, with the aim of providing collective cybersecurity practices for all Australians.
This package of legislative reforms also builds on Australia’s world-leading critical infrastructure security regulatory system, making three critical improvements identified as part of the government’s Australian Cyber Security Strategy. This strategy’s aim is to make Australia a world leader in cybersecurity by the end of 2030. The first measure expressly includes business-critical data as part of a critical infrastructure asset under the Security of Critical Infrastructure Act, the SOCI Act. As the customers and clients of Optus, Medibank and Latitude Financial, amongst numerous others, are now all too aware, the security of information that our critical infrastructure organisations collect and store to operate in our economy is just as important as keeping the lights on. It is just as important for the security requirements under the SOCI Act to apply in respect of business-critical data that our critical infrastructure assets hold to conduct their businesses not just in relation to the goods and services that they provide.
Let’s take the water services sector as an example. The current SOCI Act would apply to a critical water asset—a water or sewerage system delivering services to at least 100,000 connections. Requirements have been applied to critical water assets under the SOCI Act to ensure that the physical, personnel, cyber and information risks associated with these assets are managed appropriately. What this amendment will do is ensure that business-critical data that a critical water asset operator holds to provide water and sewerage services, whether that be sensitive operational plans or customer information, is captured as part of these requirements. And when we’re talking about better securing digital data, we’re talking about meeting and, hopefully, exceeding cybersecurity requirements.
This bill also makes important reforms to clarify the security regulation of critical telecommunication assets—some of the most important assets to the way we live, learn and work online. The previous government did not sort through the patchwork of legislative requirements under the SOCI Act and the Telecommunications Act, which resulted in recommendations from the Parliamentary Joint Committee on Intelligence and Security directing government to do this. Their failure to act has created unnecessary ambiguity for industry and has limited the ability to ensure compliance. What the Albanese government is doing, after conducting a thorough and inclusive co-design process with industry and customer advocates, is creating a clear path forward to ensure our telecommunications networks remain secure without regulatory duplication, and we’ve clearly articulated the security requirements for our telcos and carriage service providers.
Finally, the SOCI Act reforms expand the scope of some, but not all, of the powers known as the government assistance measures. As currently enacted, those powers enable the government to work with industry to respond directly to a serious cybersecurity incident. What recent cybersecurity incidents have taught us is that government assistance to industry is not just necessary to respond to an incident. Assistance is also required to manage the consequences coming from an incident. Cyber vulnerabilities can often be detected and removed quickly, but the impacts of unauthorised access to systems and data may need to be managed for some time afterwards.
What I’ve heard from consultations with cybersecurity professionals, data centre providers and government officials is that a cybersecurity incident of significant national impact to Australia is not just probable; it’s inevitable. The United States had the Colonial Pipeline incident in 2021, leading to large-scale petrol shortages on the east coast over six days, creating significant economic, social and personal impact. Over half of the UK’s National Health Service was brought to its knees in the 2017 WannaCry ransomware attack. Patient records could not be accessed for several days, resulting in delayed surgeries and ward closures. Ukraine has experienced wave after wave of cyberattacks—switching off its power grid in the middle of the 2017 winter, leaving thousands of Ukrainians in the cold—as well as a number of subsequent attacks associated with its war with Russia.
Australia is not immune from these types of attacks and incidents in the future. In fact, we’ve already had large-scale data spills, such as Optus and Medibank Private, that have had a significant impact on Australians. While none of those incidents created the significant widespread economic and social impacts that have been experienced elsewhere, I want to make sure the Australian government can ably assist our critical infrastructure to respond to an incident of this scale, whether it be to stop the incident from occurring or to make sure that the consequences of the incident can be managed appropriately.
This is a package of key reforms necessary to support the continued uplift of Australia’s collective cybersecurity. I want Australian citizens and businesses to be best placed to take every opportunity in the digital economy, something that cannot occur without being safe and secure online. I commend these bills to the Chamber.
Michael McCormack stated:
If ever we had cause for alarm over cybersecurity, it was just the other day—5 November, in fact—when the Guardian published an article headed ‘Is your air fryer spying on you? Concerns over “excessive” surveillance in smart devices’. The article, penned by UK Technology Editor Robert Booth, said:
Air fryers that gather your personal data and audio speakers “stuffed with trackers” are among examples of smart devices engaged in “excessive” surveillance, according to the consumer group Which?
According to the article:
The organisation tested three air fryers, increasingly a staple of British kitchens, each of which requested permission to record audio on the user’s phone through a connected app.
The piece went on:
Smart air fryers allow cooks to schedule their meal to start cooking before they get home.
In this day and age of limited time and people very busy in their lives, it’s a great idea. It’s smart. It’s the use of technology to meet a busy schedule.
Not all air fryers—
the Guardian said—
have such functionality but those that do often use an app installed on a smart phone.
Which? found the app provided by the company Xiaomi connected to trackers for Facebook and a TikTok ad network.
I’ll digress a little. We’ve been told of the dangers of using TikTok, and, for any member of parliament who does use TikTok—I appreciate that it’s a way of getting through to the younger generation—it is an absolute folly. Your information will be collected and sent where you don’t need or want it to be.
The piece continues:
The Xiaomi fryer and another by Aigostar sent people’s personal data to servers in China, although this was flagged in the privacy notice, the consumer testing body found.
I would defy that too many people actually read the fine print. If you are like me, once you get a device, you open the packaging and—as many blokes do—the last thing you have a look at are the instructions of how to put it together. You just put it together as best you can and plug it in the wall and hope that it works.
The article said:
Its tests also examined smartwatches that it said required ‘risky’ phone permissions—in other words giving invasive access to the consumer’s phone through location tracking, audio recording and accessing stored files.
We know that so much of our information is collected. We know that so much of that data is stored. What we don’t know is who is doing it and why and what they are going to use it for in the future.
I well recall, when I was second in charge of the National Security Committee—and I’m not giving away state secrets—some of the hacks that came across the table. Indeed, very sophisticated players from certain very large countries were able to infiltrate local councils, large and small, and businesses, large and small, in Australia. This is of great concern. We should be very worried, getting very prepared and making sure that we are doing everything we can to solidify our cybersecurity. In this day and age, the hackers, those players who would otherwise part our money and us, are getting better at what they do. Being able to be tracked and followed on everything that you do online through our cooking now is, indeed, a worry.
The article said:
In a response to Which?, Xiaomi said respecting user privacy was among its core values and it adhered to UK data protection laws.
Ha! Yeah, right! It claimed it didn’t sell any information to third parties, but that just beggars belief. Why would a company need to store data on an air fryer? Maybe to find out whether you are frying chips or vegetables or what, perhaps, you are cooking. No. You can’t be that gullible. We can’t be having these sorts of devices. If you’ve got one of those, you are being tracked. We know that. We appreciate that. People should do everything they can to ensure that they are not scammed.
I had the member for Whitlam, the minister responsible for scams, do a forum in my electorate. It was a very good thing. A lot of older people attended that. They are all too often overrepresented in the statistics of those people who have had money taken through nefarious ways and means. I was appreciative of the minister coming to Wagga Wagga to share his views and what the government is doing. The government can always do more. I appreciate that. Never before in history has cybersecurity been so important. Wherever you are and whatever you are doing, you are likely to be in the vicinity of a smart device with connectivity to the internet. It is not just computers and smartphones; we have smart TVs, smart fridges, smart lights, smart cameras and so much more. Indeed, a growing number of devices in homes are connected to the internet, including camera enabled doorbells and, as I mentioned, smart TVs. It’s remarkable progress. Who would have thought 20 years ago that technology would become as prevalent and perhaps as invasive as it is today? Indeed, iPhones really only go back to 2008. Remember the bricks that some people used to carry around that used to be mobile phone technology? You may all be familiar with Apple’s Siri, Amazon’s Alexa and Google Assistant. They’re always listening in in case you ever have a question to ask. If you talk about a product or a topic, only to see advertisements then popping up on your internet feed as though somebody, somewhere, somehow, someway was listening in, of course, they are. We know that for a fact. Every time you use something connected to the internet, your data is being collected, it’s being tracked and it’s being used—and it’s not always by people you should or could trust. Sometimes it’s for good, to improve efficiency and the relevance of search results. Yes, that’s correct. 
But every time this data is collected about you, it can be used for nefarious causes—particularly when data breaches occur and your data gets into the wrong hands.
By 2025, cybercrime is estimated to cost the world $10.5 trillion. In Australia, as of 2021, the University of New South Wales estimate cybercrime cost $42 billion—that’s $42,000 million—to the Australian economy. That’s almost equivalent to expenditure in many, many portfolios—including Defence. This is deeply concerning. It’s cause for urgent action. That is why the coalition does support the policy intent of this package of bills.
I note these bills will give the Minister for Home Affairs the power to make mandatory security standards for smart devices. This is important. This is vital. If our air fryers can be spying on us, who knows what else is? Who would know? This is something the government must have at the forefront of its operations. People’s security is absolutely the No. 1 priority for government. How many cameras, drones and other devices do government departments use that are manufactured in China? It would be a fascinating answer. Who knows how much confidential data is being collected by foreign actors, foreign players? The Cyber Security Bill 2024 will also empower the secretary of the Department of Home Affairs to issue compliance, stop and recall notices in order to enforce the mandatory security standards regime—not such a bad thing. This is a good start to improve the security of our devices.
Even properly managed data can be breached by bad actors. That’s why it’s important that the government, via the Australian Signals Directorate, is informed of entities that have been subject to a cyberincident. This bill will ensure that entities with more than $3 million in annual turnover report cyberincidents to the ASD if they’ve made a ransomware payment or given any other benefit in connection to such an incident. The $3 million cap prevents excessive regulation on small businesses, but it does ensure that larger businesses are more likely to store your data and have the economic capacity to adhere to these regulations. That’s something that perhaps needs looking at.
Naturally, some entities may be hesitant to report and provide data to the government for fear of adverse consequences. That’s why this package establishes a limited use obligation which restricts how much information provided to the National Cyber Security Coordinator can be used or shared with other government entities. Further, this obligation will also be imposed on the ASD, which will be prevented from communicating such data for the purposes of investigating or enforcing a contravention of a Commonwealth, state or territory law other than a criminal offence against the entity subject to the cyberincident. This ensures reports and data supplied are full, honest, accurate and transparent, enabling the ASD to do its job properly, rather than struggling to obtain accurate data from entities fearful of ancillary consequences.
I have to say that we are fortunate in this country to have people who are very qualified in the space of cybersecurity. I know when the 2016 census went a little awry, Alastair MacGibbon played a very strong and powerful role. I know the role that the ASD played. I know just how important this is. We are very lucky that this nation has people in the Public Service and elsewhere who do their utmost to ensure that the bad guys don’t win. As we move into an ever-more digitally connected future, it becomes ever more imperative to enact the regulations and frameworks necessary to combat the established and emerging threats of cybercrime.
As of 2023, the Australian Trade and Investment Commission reported Australia’s tech industry to be worth $167 billion. That’s grown by 80 per cent in five years. It’s growing at an exponentially fast rate. It is huge. It’s also estimated to constitute $250 billion of our gross domestic product by 2030.
It’s clear Australia must entrench its place on the world stage as a nation which is proactive and a world leader in cybersafety when it comes to digital technology, and I would like to think that, whichever party or parties occupy the government benches in Australia, the same priority and the same importance is placed on cybersecurity. I know that the government come to this place and space with good intent, and I encourage them and acknowledge them for that. It’s very clear that Australia is targeted all too often by people and nations that want to do us harm. But this bill and other measures will ensure business has the confidence to continue to invest and grow.
I have to say I well remember that, when I was in government and was on the National Security Committee of cabinet, we made the rather controversial decision at the time to not allow Huawei to have the reach that they wanted in Australia, even though they were making big inroads. They were sponsoring the Canberra Raiders National Rugby League team. But why would we want to have a foreign entity with the capability to do what they could? We can’t have our traffic lights and our hospital power systems operated by international players. Whilst I know it was a controversial decision at the time, it was the right course of action to take.
It’s not just the tech sector that these regulations are relevant to; it’s almost every business sector. Like a great octopus, players who want to and feel the need to can reach in and take anyone’s money, and no-one is safe. Every business has a website these days. Nearly everybody shops online these days. More and more people are banking online as well. It is our duty, and it is the government’s role, to ensure ordinary Australians are protected to the best of Australia’s ability and the best of the government’s ability. We must protect not just Australians but industry from cybercrime. That should be the ultimate goal: to keep Australians safe. I appreciate that that’s what the government are endeavouring to do, and they have the coalition’s support in just that.
Michelle Landry stated:
The coalition supports the policy intent of the bills, the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. As cyber threats continually evolve and the strategic environment continues to deteriorate, urgent action is required to uplift Australia’s national cyber resilience.
The reforms introduced by this package of legislation represent a logical extension of the world-leading approach taken by the former coalition government, who architected the security-of-critical-infrastructure regime and authored successive national cybersecurity strategies in 2016 and 2020. However, we continue to hold significant concerns, as do many interested stakeholders, about the government’s rushed process and limited time for parliamentary scrutiny, which increases the risk of overlooking unintended consequences and drafting errors in the legislation.
The former coalition government introduced the Security of Critical Infrastructure Act 2018, which outlined the legal obligations for entities that own, operate or have direct interests in critical infrastructure assets and included government assistance powers for serious cybersecurity threats or attacks. The former coalition government amended the SOCI Act in 2021 and again in 2022 to enhance security obligations for critical infrastructure assets and systems of national significance, including by introducing mandatory risk management programs for certain assets.
In the wake of the Optus and Medibank cyber incidents in 2022, the former Minister for Home Affairs and Minister for Cyber Security, Clare O’Neil, trashed the SOCI Act:
That law was bloody useless, not worth the ink printed on the paper when it came to actually using it in a cyber incident. It was poorly drafted.
On a separate occasion she praised the SOCI reforms, saying, ‘If you look at the work that was done on the Security of Critical Infrastructure Act in the last parliament, when I describe that law to politicians around the world their mouths are open, thinking, “How can we construct something similar in our country?”’
It is somewhat ironic that the backbone of Labor’s much-touted cyber legislation is a modest and logical extension of the SOCI reforms introduced by the previous government. Clare O’Neil’s desperation to politicise what should be bipartisan national security policy is emblematic of Labor’s chaotic approach to national security writ large. It is good to see the government has finally seen reason as to the merits of the coalition’s world-leading SOCI reforms to the point that it has decided to double down on our approach, and we welcome the measures in the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. We welcome the limited-use provisions in the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, the ISA bill, which will provide assurance to entities that the information they disclose to government about cyber incidents will not be used against entities’ interests in the future.
The former director-general of the Australian Security Directorate, Ms Rachel Noble, publicly endorsed this concept in November 2022:
Speaking purely from ASD’s perspective, I think the safe harbour concept is a most excellent idea because, to your point, where there is ambiguity—if I’m dealing with a government, do you hand that information to other government departments or don’t you? How can I be sure that that won’t occur without my permission and so forth?
So from an operational perspective, in the heat of the incident, if you will, when we’re still trying to pull people out of the water and into the lifeboats, to have that absolute confidence for the private sector, that at the very least their operational engagement with ASD would be exempted from the inquiry of others, whether they are other government agencies or other people scrutinising the process, like we’ve seen in class action lawsuits, for example, that is very attractive to us as well.
Senator Paterson first called for a legislated limited-use obligation on 22 March 2023. I note that, if the Australian government had moved more quickly with this reform, it may have gone some way to address the declining willingness from industry to share information with ASD in a timely way, which we have witnessed in the intervening years.
The proposed mandatory standards for smart devices in the Cyber Security Bill 2024 are welcome and long overdue. This proposal was first canvassed by the former coalition government in the discussion paper, ‘Strengthening Australia’s cyber security regulations and incentives: an initiative of Australia’s cyber security strategy 2020’, released on 13 July 2021.
The need for these reports has become more acute in recent years, as we have learned more about the national security risks of internet-connected devices through successive audits, which revealed hundreds of Chinese-manufactured cameras, drones and internet-connected solar inverters in use across Commonwealth government sites. The Commonwealth government has had ample time to develop and refine this proposal, and we welcome this work finally coming to fruition.
The coalition welcomes the introduction of the legislated Cyber Incident Review Board, the CIRB. Senator Paterson originally called for this construct on 19 November 2023, noting the need for a mechanism to conduct dispassionate, objective investigations following significant cyber incidents, for the collective benefit of organisations who may be able to benefit from the lessons learned. This came after the US government announced the establishment of the Cyber Safety Review Board in 2021. Had the Australian government acted sooner to establish a construct here, it may have assisted post-incident investigations into significant incidents such as the MediSecure data breach and the CrowdStrike outage, which both occurred earlier this year.
Nevertheless, the coalition welcomes the establishment of the CIRB—however belated—noting the clarification provided during the Parliamentary Joint Committee on Intelligence and Security inquiry that standing members of the Cyber Incident Review Board do not necessarily need to be members of the public service, which will provide flexibility to include representatives external to government if the minister deems it appropriate.
While the coalition supports the policy intent of the bills, we continue to hold significant concerns about the Albanese Labor government’s rushed process and limited time for parliamentary scrutiny, which increases the risk of overlooking unintended consequences and drafting errors in the legislation. The former Minister for Home Affairs and former Minister for Cyber Security, the Hon. Clare O’Neil MP, originally announced the development of the 2023-2030 Australian Cyber Security Strategy on 8 December 2022. The cyber strategy was released on 22 November 2023 and, on 19 December 2023, the Department of Home Affairs released a consultation paper on legislated reforms arising from the cyber strategy, which informed the current bills.
The Department of Home Affairs consulted on a targeted exposure draft of the proposed legislation reform package between 4 and 11 September 2024. The government introduced the bills into the House on 9 October 2024 and referred the package to the PJCIS on the same day, with submissions due by 25 October 2024. This means that stakeholders had only two weeks to make a submission on the bills, and the PJCIS had just over a month to consider and report on the bill.
Given these reforms have been in train for close to two years, it is inexplicable that the government has seen fit to reduce the time for parliamentary scrutiny in its desperation to pass this legislation before the end of the year. Multiple stakeholders shared these concerns during the PJCIS inquiry. The government has shown a flagrant disregard for these concerns, and it remains abundantly clear that the condensed inquiry timeframe is insufficient to properly scrutinise such highly complex and consequential legislation. The PJCIS report canvasses numerous concerns and potential issues already identified through this inquiry. It stands to reason that a more fulsome scrutiny process would reveal even more areas that warrant further consideration. The coalition has repeatedly cautioned against this impetuous approach, and any unintended consequences that arise in the future as a result of this rushed process lie solely with the government.
The coalition supports the policy intent of the legislative package. In the face of a complex and evolving threat environment, the Commonwealth government needs robust leaders to protect Australians from cyberthreats. Industry should also be able to engage quickly and confidently with government in responding to cyber challenges, and we welcome the limited use provisions which will go some way to facilitating this culture of cooperation. The coalition will be supporting these bills without amendment.
This legislative package comprises three bills which seek to implement reforms emerging from the 2023-2030 Australian Cyber Security Strategy. The Cyber Security Bill 2024 has four elements. It introduces a power to make mandatory security standards for smart devices, also known as Internet of Things, or IoT, devices, requiring entities to implement security standards specified by the Minister for Home Affairs. There is an accompanying enforcement and compliance regime which will allow the Secretary of the Department of Home Affairs to issue compliance, stop and recall notices.
It introduces mandatory reporting obligations, requiring entities who are affected by a cyber incident to report to the Australian Signals Directorate if they make a ransomware payment or give other benefits in connection to the cybersecurity incident, enforced by civil penalty provisions. This obligation applies to entities with an annual turnover of more than $3 million—noting this threshold can be altered by the minister—as well as entities responsible for critical minerals that are already subject to mandatory cyber incident reporting under the Security of Critical Infrastructure Act 2018.
It establishes a limited time obligation that restricts how information that is provided to the National Cyber Security Coordinator during a cyber incident can be used and on-shared by other government entities. This also enshrines the cyber coordinator role in legislation and confirms the voluntary basis by which an entity provides information.
It establishes an independent cyber incident review board, with limited information-gathering powers, to conduct no-fault reviews of significant cyber incidents and to compel information from entities involved in a cybersecurity incident under review where voluntary requests for information have been unsuccessful.
The Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 has two schedules. Schedule 1 amends the Intelligence Services Act 2001 to legislate the limited use obligation to protect information voluntarily provided to or acquired or prepared by ASD during an impacted entity’s engagement in relation to a cybersecurity incident. This mirrors the equivalent provision for the coordinator enshrined in the Cyber Security Bill and specifies permitted purposes for information sharing. The bill also prevents ASD from communicating limited cybersecurity information for the purposes of investigating or enforcing a contravention of a Commonwealth, state or territory law, other than a criminal offence, against an impacted entity.
The amendments do not impact the reporting and notification requirements of entities under existing legislation to Australian regulatory bodies; preclude other government agencies, including regulators, from seeking or acquiring such information directly from entities under existing information-gathering powers; or provide a shield or safe harbour for entities against legal liability.
Schedule 2 amends the Freedom of Information Act to exempt from FOI requests any information received by the coordinator under the limited use obligation, noting that ASD is already exempt from the FOI Act.
The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024, the SOCI bill, has six elements. It expands the definition of ‘critical infrastructure assets’ to include secondary assets which hold business-critical data and relate to the functioning of the primary asset to capture data storage systems that could impact the critical infrastructure and expands SOCI government assistance powers to facilitate the use of a last-resort directions power for the Secretary of the Department of Home Affairs when authorised by the minister for the purposes of managing both multi-asset incidents and the consequences of serious incidents which could have, are having or have had a relevant impact on one or more critical infrastructure assets. This facilitates the management of consequences stemming from all-hazards incidents; however, it does not extend powers relating to intervention requests, which remain limited to cyberincidents.
It introduces a revised harms-based definition of ‘protected information’ under SOCI and clarifies the operation of the secrecy and disclosure provisions, in particular to enable greater intergovernmental sharing of protected information across industry collaboration. It reduces the unnecessary burdens of these provisions on entities in the ordinary conduct of business, and introduces a review-and-remedy directions power for the Secretary of the Department of Home Affairs or the relevant Commonwealth regulator which is exercisable where it has been identified a critical infrastructure risk management program is seriously deficient. It moves certain security notification obligations under the telecommunications sector security reforms, TSSRs, administered by the Home Affairs portfolio, into the SOCI Act and clarifies and aligns the regulations, including by creating a new part in the SOCI Act for critical telecommunications assets. This includes consequential amendments to the Telecommunications (Interception and Access) Act and other acts. It removes direct interest holders from administrative obligations associated with systems of national significance, SONS, to protect the identity of SONS and reduce the risk of inappropriate information disclosure.
Senator Tim Ayres stated:
This Bill, alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill (ISA Bill) and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill (ERP Bill), form the Cyber Security Legislative Reforms Package that will collectively strengthen our national cyber defences and build cyber resilience across the Australian economy.
This suite of legislative reforms will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy, a significant step in achieving the Australian Government’s vision of becoming a world leader in cyber security by 2030.
To achieve this goal, we must understand that cyber security is everyone’s responsibility.
Our connections online form a significant part of the lives of most Australians—they enhance the way we live, work and play, and as we continue to invest in transformative digital technologies, this will only expand. At the same time, we need to be clear about how we’re protecting Australian individuals and businesses. In order to enhance our collective cyber resilience, we need a clear legislative framework that addresses whole-of-economy cyber security issues, and positions us to respond to new and emerging cyber threats.
We need to ensure individuals can trust the products they use every day; we need to enhance our understanding of the threat of ransomware and cyber extortion so we can break the ransomware business model; we need to enhance protections for individuals experiencing a cyber incident to encourage their engagement with government; and we need to learn the lessons from cyber security incidents that have had a significant, detrimental impact on millions of Australians so that we can be better prepared going forward.
The Cyber Security Bill provides this framework, bringing together measures to achieve the Australian Government’s vision under one holistic piece of legislation.
The Bill contains four measures:
The first measure under the Bill will ensure Australians can trust their digital products by enabling the Government to establish mandatory security standards for smart devices. This measure will not only bring us into line with international best practice, but will provide Australians with peace of mind, that the smart devices we have come to rely on also meet our expectations around security.
The second measure helps to build our understanding of the ransomware threat that continues to cause large-scale harm to the Australian economy and national security. Mandatory reporting of ransomware payments will crystalise the picture of how many businesses in Australia are being extorted into making ransomware payments. With these timely and comprehensive insights the Government will be better able to develop the resources, tools and support that are most useful to industry, and help break the ransomware business model.
The third measure seeks to support and assure Australian organisations as they respond to a cyber security incident. This measure affirms the role of the National Cyber Security Coordinator to coordinate whole-of-government incident response efforts, and seeks to increase trust and engagement between business and Government during a cyber incident by limiting the circumstances under which the Coordinator can use and share information that has been voluntarily provided by an affected entity. This measure complements the limited use measure put in place for the Australian Signals Directorate through the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill. With these measures, businesses will have greater comfort to report cyber incidents and gain the assistance they need to respond to, and recover from, cyber incidents.
The fourth measure in the Cyber Security Bill establishes the Cyber Incident Review Board as an independent, advisory body to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. Reflecting the success of the United States’ Cyber Safety Review Board, this new Board will review the circumstances that led to a significant cyber security incident, form findings and provide recommendations for both government and industry to enhance collective cyber resilience.
These four measures form the Cyber Security Bill. Together with the other Bills in this Package, this Bill will equip both Government and industry with the awareness and resilience to better protect Australians from cyber security threats, providing a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber security landscape.
On 9 October, the Government referred the package to the Parliamentary Joint Committee on Intelligence and Security. The Committee has now handed down its report and recommended that, subject to implementation of the recommendations in its report, the Package be passed by the Parliament. The Government agrees or agrees in principle to all thirteen recommendations in the Committee’s report.
The Government agrees to recommendations two and three, and will ensure reporting is user friendly, leveraging the existing single reporting portal. The Government will take an education-first approach, informing impacted entities of their new obligations through communications campaigns.
The Government agrees in principle to recommendation four. The Government agrees that ransomware payment reporting obligations will only apply to the extent that the ransomware incident relates to the reporting business entity’s operations in Australia. The Cyber Security Bill as drafted gives this effect and this will be clarified in guidance.
The Government agrees to recommendation five and has revised the Explanatory Memorandum. The Explanatory Memorandum as tabled in the Senate gives effect to this intention that Standing Members of the Board will not need to be members of the Australian Public Service. In line with the Committee’s report, composition of standing members will be considered further through industry consultation on the rules.
The Government agrees in principle with recommendation six, that the Minister for Cyber Security should consult with the Board before approving the Terms of Reference for each review. Consultation with the Board is built into the legislative framework and the Terms of Reference will be developed by the Board itself, prior to seeking approval from the Minister for Cyber Security.
The Government agrees with recommendation seven of the Committee’s report, and has made amendments to the Cyber Security Bill in the House of Representatives to address this recommendation. The Cyber Security Bill, as introduced in the Senate, clarifies that information obtained by the National Cyber Security Coordinator in relation to a cyber security incident, or acquired by a Commonwealth body or State body from a ransomware payment report, is not admissible against the impacted entity in certain criminal or civil proceedings.
Concomitantly, these amendments ensure that information obtained by the Cyber Incident Review Board in the performance of its functions is not admissible in evidence against the entity in certain criminal and civil proceedings. The ISA Bill has also been amended in the House of Representatives to address recommendation seven to further clarify the application of the admissibility protections conferred by the limited use obligation.
Protections afforded to individuals and information under limited use have been further clarified in the Bills, explanatory memorandum and industry guidance, to address recommendation seven.
These actions ensure Government and industry can work together to communicate with clarity and confidence, making our responses more efficient and based on real-time insights. Cooperation on a national scale is one of Australia’s greatest advantages against malicious cyber activity.
The Government agrees in principle to recommendation eight. The Government agrees any other right, privilege or immunity that a ransomware payment reporting entity has in respect to any proceedings, including legal professional privilege, will not be impacted. The Cyber Security Bill, as introduced in both chambers, provides this legal effect and the Department will ensure that this is clear to entities affected by the regime.
The Government agrees to recommendation nine, and the Department of Home Affairs will publish additional guidance on the intended interpretation and application of key definitions introduced in the Security of Critical Infrastructure Act 2018 (SOCI Act). This will be part of the comprehensive guidance being developed on the amendments being made under the ERP Bill to assist regulated entities in understanding their obligations. Consistent with previous reforms to the SOCI Act, the Department will continue to take an education-first approach to compliance, reserving compliance and enforcement action to a last resort.
The Government agrees with recommendation ten of the Committee’s report, and has amended the Cyber Security Bill in the House of Representatives. The Cyber Security Bill, as introduced in the Senate, introduces a provision that the Committee may review the operation, effectiveness and implications of the Cyber Security Act as soon as practicable after 1 December 2027.
The Government agrees to recommendation eleven. The Minister for Home Affairs will initiate an independent review under section 60A of the SOCI Act by no later than 1 November 2025.
The Government agrees with recommendation twelve, and has amended the ERP Bill in the House of Representatives to amend section 60B of the SOCI Act to extend the Committee’s ability to initiate a review into the operation, effectiveness and implications of the SOCI Act from 3 years to 5 years from Royal Assent of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act). The Government acknowledges the importance of conducting a holistic review of the SOCI Act, after the amendments being made by the ERP Bill are implemented. Together, the approach to recommendations eleven and twelve will ensure an independent review can fully assess the operation of the SOCI Act in time to inform the Committee’s next review.
The Government agrees with recommendation thirteen, and has amended the ERP Bill in the House of Representatives to repeal section 60AAA of the SOCI Act, removing the now redundant six-monthly reporting to the Committee relating to consultation undertaken by the Department on the amendments made by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 and the SLACI Act. I thank the Parliamentary Joint Committee on Intelligence and Security (Committee) for its work on this Bill through its inquiry and recommendations.
I extend my thanks to staff at the Department of Home Affairs for their incredibly hard work developing this Bill. I commend this Bill to the chamber.
INTELLIGENCE SERVICES AND OTHER LEGISLATION AMENDMENT (CYBER SECURITY) BILL 2024
This is the second Bill in the Cyber Security Legislative Package and seeks to amend the Intelligence Services Act 2001 to legislate a limited use obligation for the Australian Signals Directorate (ASD), similar to the provisions relating to the National Cyber Security Coordinator under the Cyber Security Bill. A limited use obligation will protect the information voluntarily provided to, or acquired or prepared by, ASD during an impacted entity’s engagement in relation to a cyber security incident or vulnerability.
Australian networks continue to be regularly targeted by opportunistic malicious cyber actors. As outlined in ASD’s Annual Cyber Threat Report 2023-2024, ASD responded to over 1,100 incidents from Australian entities. Separately, nearly 87,400 cybercrime reports were received, averaging one every six minutes.
Together with the other Bills in this Package, this Bill will equip both Government and industry with the awareness and resilience to better protect Australians from cyber security threats, providing a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber security landscape.
ASD relies on the receipt of timely, detailed technical information from industry and victims of cyber attacks to build a coherent national cyber threat picture, provide advice on cyber security uplift, diagnose the cause and severity of cyber incidents, and assess the information against ASD’s intelligence holdings to mitigate harms in the early stages of a cyber incident.
However, both industry feedback and ASD’s operational experience indicates a declining willingness from entities to share technical cyber security incident information with ASD in a timely manner, principally due to concerns that information shared with ASD could be co-opted by other parts of Government to inform regulatory action.
A limited use obligation will ensure this information can only be communicated by ASD to others for a permitted cyber security purpose. It is not a safe harbour for industry and will not exempt an organisation from complying with their existing legal and regulatory obligations.
I thank the Parliamentary Joint Committee on Intelligence and Security (Committee) for its work on this Bill through its inquiry and recommendations. The Committee made one recommendation (recommendation seven) in its advisory report that relates to this Bill. As noted in the second reading speech for the Cyber Security Bill, the Government agrees with this recommendation. This Bill has been amended in the House of Representatives to address recommendation seven. As introduced in the Senate, this Bill clarifies the application of the admissibility protections conferred by the limited use obligation.
With this measure, alongside the establishment and clarification of the role of the National Cyber Security Coordinator, we will ensure Government and industry can work together to communicate with clarity and confidence, making our responses to cyber security incidents more efficient and based on real-time insights. Cooperation on a national scale is one of Australia’s greatest advantages against malicious cyber activity.
I extend my thanks to staff at the Australian Signals Directorate for their work developing this Bill. I commend this Bill to the chamber.
SECURITY OF CRITICAL INFRASTRUCTURE AND OTHER LEGISLATION AMENDMENT (ENHANCED RESPONSE AND PREVENTION) BILL 2024
This is the third Bill in the Cyber Security Legislative Package. This Bill seeks to amend the Security of Critical Infrastructure Act 2018 (the SOCI Act) to strengthen existing security obligations on critical infrastructure sectors to address gaps identified following recent major cyber security incidents.
Australia currently faces heightened geopolitical and cyber threats, which means that our critical infrastructure is increasingly at risk. The risk to our sovereignty, defence, and security has never been more present, especially for the critical infrastructure providing essential services crucial to our way of life.
Recent incidents illustrate that threats to the operation of Australia’s critical infrastructure continue to be significant and far-reaching. From natural hazards through to human-induced threats—all have the potential to significantly disrupt critical infrastructure. Indeed, the Director-General of the Australian Security Intelligence Organisation has stated, “malign foreign powers will consider using sabotage to coerce, disrupt or retaliate during times of escalating geopolitical tensions. Pre-positioning malicious code in Australia’s critical infrastructure is the most likely means.”
An attack on a single critical infrastructure entity can quickly create catastrophic cascading consequences across critical infrastructure and Australia’s socioeconomic stability, defence and national security.
This Bill will build upon previous reforms to the SOCI Act to uplift and enhance the security, resilience and agility of critical infrastructure in the face of an increasingly hostile and complex threat and risk landscape.
The Bill contains six measures in total:
First, the Bill seeks to clarify the application of the SOCI Act to data systems associated with a critical infrastructure asset. This recognises and protects the integrity of data held on the asset’s secondary systems to reduce the risk of widespread disruptions caused by a successful attack or breach of a secondary system or lateral transfer to operational technology.
Second, the Bill will put in place a more effective government assistance framework to respond to second and third order consequences across all incidents, regardless of their origin, including non-cyber incidents. This will facilitate the Government in addressing and managing multi-asset events and cascading impacts.
Third, the Bill will clarify the definition of protected information and the operation of the disclosure provisions to allow greater cross-industry collaboration and intra-government sharing, including in response to major incidents.
Fourth, the Bill will empower regulators to compel a critical infrastructure entity to remedy a seriously deficient risk management program where there is a risk to national security, the defence of, or the social or economic stability of Australia.
Fifth, this Bill will bring appropriate elements of the Telecommunications Sector Security Reforms, including security and notification obligations, from Part 14 of the Telecommunications Act 1997 into the SOCI Act, with enhancements to align the regulatory frameworks and clarify telecommunications-specific obligations, including through delegated legislation.
Finally, the Bill will remove direct interest holders from reporting obligations associated with Systems of National Significance. This will reduce administrative burden without compromising security.
I thank the Parliamentary Joint Committee on Intelligence and Security (Committee) for its work on this Bill through its inquiry and recommendations. The Committee made four recommendations (recommendations nine, eleven, twelve and thirteen) in its advisory report that relate to this Bill. As noted in the second reading speech for the Cyber Security Bill, the Government agrees with each of these recommendations. To address recommendations twelve and thirteen, the Government has amended this Bill in the House of Representatives. This Bill, as introduced in the Senate, will amend section 60B of the SOCI Act to extend the Committee’s ability to initiate a review into the operation, effectiveness and implications of the SOCI Act from 3 years to 5 years from Royal Assent of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act); and will repeal section 60AAA from the SOCI Act.
Together with the other Bills in this Package, this Bill will help to strengthen our responses to the dynamic, cascading consequences of serious incidents that impact our critical infrastructure, and more broadly, the Australian community.
I extend my thanks to staff at the Department of Home Affairs for their incredibly hard work developing this Bill. I commend this Bill to the chamber.
Senator James Paterson stated:
I rise to make a contribution on this cybersecurity legislative package: the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. The coalition supports the policy intent of the bills. As cyberthreats continue to evolve and the strategic environment continues to deteriorate, urgent action is required to uplift Australia’s national cyber-resilience. As the ASIO director-general, Mike Burgess, said in his most recent annual threat assessment:
The most immediate, low cost and potentially high-impact vector for sabotage is cyber. Our critical infrastructure networks are interconnected and interdependent, which increases the vulnerabilities and potential access points.
ASIO is aware of one nation state conducting multiple attempts to scan critical infrastructure in Australia and other countries, targeting water, transport and energy networks.
The Australian Signals Directorate has also spoken of near constant cyberattacks on our government networks and critical infrastructure. But it is not just government and big corporates that have been impacted. Small businesses and everyday Australians are increasingly falling prey to criminally motivated cyber actors. In its annual cyberthreat report released on Wednesday, ASD highlighted that it received over 87,000 cybercrime reports in the 2023-24 financial year. This averages out to a report every six minutes. The threat report also noted that 11 per cent of the 1,100 cybersecurity incidents ASD responded to in the last financial year related to critical infrastructure, highlighting how these networks are an attractive target because of the sensitive data they hold and the widespread disruption that a cybersecurity incident could cause. Against this backdrop, we must ensure that our laws are fit for purpose to prepare for and respond to the quickly evolving cybersecurity challenges facing Australia. I support the efforts to do so through this legislation.
Before I speak to the bills before us, it’s worth briefly reflecting on the history of reforms in this space. In government, the Liberal and National parties made tough but necessary decisions to secure our digital sovereignty, to equip our intelligence and security agencies with the appropriate tools and to harden the private sector from cyberattacks. We established the Australian Cyber Security Centre within the Australian Signals Directorate in 2014 to help drive a partnership between industry and government. We released the first ever cybersecurity strategy and appointed the first ever cybersecurity minister in 2016. We appointed the first ever cyber ambassador in 2017.
In 2018, we made ASD a statutory agency and legislated the first ever Security of Critical Infrastructure Act. We also led the world by banning Huawei and other high-risk vendors with close connections to the Chinese Communist Party from providing 5G mobile technology in Australia. Many other countries have since followed our lead. In 2020, we updated our Cyber Security Strategy and backed it with $1.67 billion of investment. This stands in stark contrast to the cybersecurity strategy released by the Albanese Labor government last year, which commits only $192 million over four years.
In 2021 we legislated a new legal framework for the Australian Federal Police to take the fight to criminals on the dark web, drawing on the assistance of ASD. We significantly enhanced the Security of Critical Infrastructure Act in 2021 and 2022 by expanding the sectors it covered from four to 11, requiring critical-infrastructure providers to implement risk management plans and giving emergency powers to ASD to step in in the event of a catastrophic attack on our most systemically important networks. And we made the largest-ever investment in ASD’s history through Project REDSPICE—$10 billion over 10 years to effectively double their size, with 1,900 new personnel and the acquisition of new platforms, technologies and capabilities. The reforms introduced by the package of legislation before the Senate today represent a logical extension of the world-leading approach taken by the former coalition government.
The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 contains a number of provisions that extend the powers of the existing SOCI framework, most significantly by expanding government assistance powers to facilitate the use of last-resort directions for managing the consequences of all hazards incidents. I remind the Senate that, in the wake of the Optus and Medibank cyber incidents in 2022, the then Minister for Home Affairs and Minister for Cyber Security, Clare O’Neil, trashed the SOCI Act, saying:
… that law was bloody useless, like not worth the ink printed on the paper, when it came to actually using it in a cyber incident. It was poorly drafted.
On a separate occasion, she actually praised the SOCI reforms:
If you look at the work that was done…on the Security of Critical Infrastructure Act in the last Parliament, when I describe that law to politicians around the world, their mouths are open thinking, “how can we construct something similar in our country?”
It’s somewhat ironic, then, that the backbone of Labor’s now-much-touted cyber legislation is a modest and logical extension of the SOCI reforms introduced by the previous government. Former minister O’Neil’s desperation to politicise what should have been bipartisan national security policy is, unfortunately, emblematic of Labor’s broader chaotic approach when it comes to national security. But it is good to see that the government has finally seen reason as to the merits of the coalition’s world-leading SOCI reforms to the point that it’s decided to double down on our approach, and I welcome the SOCI measures included in the legislation before us.
I also welcome the limited-use provisions in this legislation, which will provide assurance to entities that the information they disclose to government about cyber incidents will not be used against their interests in the future. We need seamless, time-sensitive sharing of information between government and business when there is a cyberattack. We can’t afford for any CISO or their CEO to hesitate to pick up the phone to the ACSC and share what they know.
I asked the former director-general of the Australian Signals Directorate, Ms Rachel Noble, about the merits of a limited-use provision at a Senate estimates hearing two years ago. Ms Noble reflected:
Speaking purely from ASD’s perspective, I think the safe harbour concept is a most excellent idea because, to your point, where there is ambiguity—if I’m dealing with a government, do you hand that information to other government departments or don’t you? How can I be sure that that won’t occur without my permission and so forth? So from an operational perspective, in that heat of the incident, if you will, when we’re still trying to pull people out of the water and into the lifeboats, to have that absolute confidence for the private sector, that at the very least their operational engagement with ASD would be exempted from the inquiry of others, whether they are other government agencies or other people scrutinising the process, like we’ve seen in class action lawsuits, for example, that is very attractive to us as well.
I first publicly called for a legislated limited-use obligation on 22 March 2023. I note that if the Australian government had moved more quickly with this reform it may have gone some way to address the declining willingness of industry to share information with ASD in a timely way, which we have witnessed in the intervening years.
The proposed mandatory standards for smart devices in the Cyber Security Bill are welcome and long overdue. I note that the proposal to introduce minimum standards for internet connected devices was first canvassed by the former government in the July 2021 discussion paper stemming from the 2020 Cyber Security Strategy. The need for these reforms has become more acute in recent years as we have learned more about the national security risks of internet connected devices. In this term of parliament, I’ve conducted successive audits which revealed hundreds of Chinese manufactured cameras, drones and internet connected solar inverters in use across the Commonwealth government on many sites, including many in our Defence and law enforcement agencies. As a result, departments and agencies committed to removing more than 1,000 cameras made by Hikvision and Dahua from Commonwealth sites. Many agencies, including Australian Border Force and the ADF, have grounded their fleet of drones made by DJI. But all these actions came only after I called on the government to address these vulnerabilities and after many of our allies had done so. The government’s piecemeal response is not a robust or sustainable approach to addressing issues that are core to our national security, and it is my hope that the provisions in this legislation lead us towards a more consistent and economy-wide approach to managing these risks.
I welcome the two subsequent PSPF directions, issued by the Department of Home Affairs in July, which relate to managing the risks of foreign interference in technology assets, but I also note the ironic and deeply concerning revelations that the Minister for Home Affairs and Minister for Cyber Security, Mr Burke, is himself the owner of a Chinese-made, internet connected electric vehicle. This came after the department admitted it was possible for these EVs to listen to the occupants, track the movements of the driver and record people and places, and to transmit all of that data back to the manufacturer. It beggars belief that our Minister for Home Affairs and Minister for Cyber Security is driving around in a car that is a potential listening device for the Chinese Communist Party, and I hope these reforms can be used to protect regular Australians, and the minister himself, from these kinds of risks.
Cybersecurity is a shared challenge, and no-one is immune from cyberattacks. That’s why it’s important that we learn the right lessons from every major cyber incident and apply these lessons across industry and government to make sure we are better equipped next time we face something similar. Two years on from the data breaches suffered by Optus and Medibank, we are still in the dark about the specifics of what led to these incidents, how they were managed and what companies can learn from the incidents to guard against future cyberattacks of a similar nature. This is what prompted me, over a year ago, to call for a mechanism to conduct dispassionate, objective investigations following a significant cyber incident, for the collective benefit of the organisations, who may be able to learn the lessons. This came after the US government announced the establishment of a cyber safety review board in 2021. Had the Australian government acted sooner to establish an equivalent construct here, it may have assisted in post-incident investigations in significant incidents, such as the MediSecure data breach and the CrowdStrike outage, which occurred this year. Nevertheless, I welcome the establishment of a legislated cyber incident review board and I welcome the clarification provided that standing members of the Cyber Incident Review Board do not necessarily need to be members of the Public Service, which will provide flexibility to include representatives external to government if the minister deems it appropriate.
In its most recent cyberthreat report, ASD noted 11 per cent of all incidents ASD responded to in 2023-24 included ransomware—a three per cent increase from the year before. In a report released earlier this year, the UK’s National Cyber Security Centre assessed that AI will heighten the global ransomware threat and increase the volume and impact of cyberattacks in the next two years by lowering the barrier to entry for novice cybercriminals, hackers for hire and hacktivists. The mandatory reporting requirements for entities who make a ransomware payment is therefore timely. The regime will assist government and industry to get a fuller sense of the scale of the problem so that our cyber defences are tuned appropriately. There are many other worthy reforms in this package of legislation that I do not have time to discuss at length.
While the coalition support the policy intent of the bills, we do continue to hold significant concerns about the government’s rushed process and the limited time for parliamentary scrutiny, which increases the risks of overlooking unintended consequences and drafting errors in the legislation. The former Minister for Home Affairs and Minister for Cyber Security originally announced the development of the most recent Cyber Security Strategy on 8 December 2022. The strategy was released on 22 November 2023, and on 19 December 2023 the department released a consultation paper on legislative reforms arising from the cyber strategy, which informed the current bills. The Department of Home Affairs consulted on a targeted exposure draft of the proposed legislative reform between 4 September and 11 September this year, and the government then introduced the bills on 9 October and referred them to the Parliamentary Joint Committee on Intelligence and Security on the same day, with submissions due by 25 October. This means that stakeholders had only two weeks to make a submission on the bills and that the PJCIS had just a month to consider and report on the bill.
Given these reforms have been in train for close to two years, it is inexplicable that the government has seen fit to reduce the time for parliamentary scrutiny in its desperation to pass the legislation before the end of the year. Multiple stakeholders shared these concerns during the PJCIS inquiry. The government has shown disregard for these concerns, and it remains clear that the condensed inquiry timeframe was not sufficient to properly scrutinise what is highly complex and consequential legislation. The intelligence committee report canvasses numerous issues identified throughout the inquiry, which has prompted the government to amend their own legislation in line with some of those recommendations. It stands to reason, though, that a more extensive scrutiny process would reveal even more that warrants further consideration. The coalition has repeatedly cautioned against this approach, and any unintended consequences that arise in the future as a result of this rushed process will lie solely on the government.
As I said, the coalition supports the policy intent of this legislative package. In the face of a complex and evolving threat environment, the government needs robust levers to protect Australians from cyberthreats. We will always support sensible changes which ensure our legislation is fit for purpose to tackle the ever-evolving cyberthreats facing Australia, which is why we will be supporting the passage of these bills and the accompanying government amendments.
Senator Shoebridge stated:
I rise on behalf of the Greens to speak to this package of bills: the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. I note at the outset that this process has been extraordinarily rushed by the government. There’s been a chaotic, end-of-year rush to bring this legislation through, first of all, the somewhat secretive Parliamentary Joint Committee on Intelligence and Security, which, even though it’s stacked with government and opposition members, expressed its concerns about the rush with which this legislation was brought to parliament.
Indeed, this complex legislation proposes a raft of cybersecurity changes for corporate and non-corporate Australia which we know are going to intersect with a series of other existing statutory obligations. Those obligations under the Corporations Act, the existing SOCI Act, the Australian taxation system and the Telecommunications Act, especially in relation to encryption, as well as obligations under the defence exports regime, mean that this legislation is actually incredibly complex reform which will potentially have ripples across an array of existing regulatory requirements.
And what did the government do? It gave the community and stakeholders two weeks to come to terms with the draft legislation and put submissions in. The Law Council of Australia, in their submission to the PJCIS, said:
… the Law Council is disappointed that a period of just over two weeks has been afforded between the tabling of the Package and the deadline for written submissions. We emphasise the complex nature of the legislation, which will have wide-reaching impact and consequences in a highly technical field. With respect, the current consultation period does not allow for meaningful and robust consultation with stakeholders to ensure the laws will work as effectively and efficiently as possible.
It wasn’t just the Law Council. Pretty much every stakeholder that my office has spoken with and those that put in submissions have made these same points. The Cybersecurity Coalition, for example, in their engagement with the PJCIS said that, yes, they wanted to commend the government on its approach to industry consultation, but they reiterated concerns about the lack of time. The Australian Institute of Company Directors expressed their concern with the lack of time. The Australian Information Security Association also expressed their concerns with the lack of time.
So what does this legislation propose to do? It proposes to put in mandatory security standards for smart devices, the so-called Internet of Things, and I’ll speak to that briefly when I talk about what this bill does and doesn’t do. It puts mandatory obligations on certain businesses to report ransomware and cyberextortion requests and a very limited-use obligation that restricts how that cybersecurity information provided to the National Cyber Security Coordinator can be used and disclosed, and, again, I’ll talk to the concerns about the lack of safe-harbour provisions in this legislation. It also establishes a cyber incident review board to conduct post-incident reviews into significant cybersecurity incidents, and I’ll speak to the lack of independence in that cybersecurity review board as well.
Could I deal first of all with the mandatory security standards for smart devices. In this regard, I note that the Greens have circulated a second reading amendment which seeks to add to the motion the following:
(a) this scheme will work best if the rules applied to Internet of Things devices are harmonised with similar regulatory obligations in other jurisdictions; and
(b) the government has indicated it will consider alignment of schemes following the passage of the bills.
It is obviously necessary to put in place protections so that, as the Internet of Things grows—as our fridge talks to our car, talks to the front door, communicates with the phone and then shares that online—we have adequate security measures in place to ensure that, as we just travel about our daily business, we don’t find ourselves the subject of some sort of global eavesdropping. And we know that’s already happening. We know that’s already happening, not so much because of the work of the government but because of the work of organisations like CHOICE and others that have pointed out that, for example, in the context of our motor vehicles, how many of the major brands are recording and transmitting data, including sometimes video and voice data, without our consent, simply as we move around in these vehicles.
Perhaps the worst offender is Tesla. Tesla motor vehicles actually record snippets of video and voice without your consent, without your information, as you drive around in Tesla motor vehicles, as well as data about where you go and how you drive, and feed that back to Tesla corporate headquarters in the United States—and feed it back to that champion of human rights, Elon Musk! You would have thought that the opposition would be concerned about that. They don’t seem to be concerned about that. We’re concerned about that. But it’s not just Tesla that’s doing a live feed from our motor vehicles back to Elon Musk, who is a danger to democracy, can I point out—absolutely a danger to democracy. It’s Korean car brands and it’s pretty much every imported Chinese car brand that in one way or another is gathering data about us without our consent, without any protections for us, and feeding it back to heaven knows where.
Of course we need security protections, and this legislation proposes that at some point, maybe in the next 12 months, there will be a process under which some rules will be written and maybe we’ll get some kinds of security protocols put in place for the Internet of Things. But we don’t know what. We don’t know what. Industry has been saying there are well-established international standards that should be clearly articulated by the government, and they’ll say that’s what they’re applying. Don’t make up your own standard; look across the world and get the best global standards to put in place.
I’ll just refer again to the PJCIS report, which dealt with this in some detail. At 5.26 in the report, it said this:
For example, the Institute for Integrated Economic Research … stated that it ‘would be sensible’ to adopt international standards, ‘with the flexibility to change as the threat changes’, but that ‘it would be useful to set the one standard and enforce compliance’ rather than adopting multiple standards. Similarly, … the Software Alliance … submitted that the government should ‘take every effort to avoid a divergent approach from other like-minded countries’. Infoblox submitted that:
Aligning with international standards is not only beneficial for the impacted entities to comply but also essential for Australia to maintain global interoperability and consistency.
Consumer Electronics Suppliers Australia recommended that ‘Australian requirements align with those of major overseas market’ to ‘minimise the need for bespoke Australian solutions and ensure the future-proofing of regulations against technological advancements’.
What are the standards that the government are applying? That’s a question we’d like to see the minister answer. What are the standards it is intended will apply? For example, is the government intending to use the United Kingdom’s Product Security and Telecommunications Infrastructure Act standards in rule making? Is there an intent to use those international standards, agreed by much of industry, such as the ETSI EN 303 645 standard? What’s the standard that the government’s intending—are you just going to make up some sort of local South Pacific standard, which will then see a disconnect between Australian security standards and those in comparable jurisdictions? That, I think, is a question that surely the government will have an answer to today before we pass this rushed legislation. Surely, you know what standard you want to apply to the internet of things. But we need to do it rapidly. I don’t know about you, Deputy President, but I don’t like the idea of my car having a direct conversation with Elon Musk or whoever is monitoring it in Seoul or whoever is monitoring the information feed in Beijing. I’m not much attracted to that concept, and I would have thought the government should be passing legislation to prevent it happening. That is one of the other remarkable failures of this government—in its privacy legislation. This is meant to work coherently with privacy legislation, which is meant to be protecting our data, stopping it being farmed and sold for corporate benefit. But, while we get this rushed legislation through, we’ve also got a parallel piece of privacy legislation that doesn’t even touch upon this. It doesn’t do one thing to protect our data.
This incoherence from the government on cybersecurity and privacy, failing to understand how these two things connect, is one of the key problems with this government’s rushed legislation.
Can I speak briefly to the issues of ransomware and cyber extortion payments and this concept of limited use provision. The purpose, as the Greens understand it, of the limited use protections is to do with whether entities—corporate or individuals—are supplying information to the government about their vulnerabilities, cybervulnerabilities or potentially ransom attacks. Remember this isn’t always just one email saying, ‘We’ve got your data; if you don’t give us $1 million, we’re going to blow your data.’ Often these ransomware attacks can happen over months or even over a year or more. The limited use provisions mean that no government entity can use the information that has been supplied by entities that have reported for the purpose of civil proceedings against them. But there’s no protection against criminal proceedings. I suppose the question that the government hasn’t answered yet is: if you want cooperation from industry—and we absolutely need cooperation from industry—why aren’t there safe harbour provisions, which already exist in the United States, which seem to be very effective in the United States in ensuring there is a relationship of trust between industry and government? These limited use provisions will not create that relationship of trust between industry and government. That will stop the flow of information and reports back to government, and that will not make us any safer.
Finally—although there is much more in this legislation that we could speak to—the proposed Cyber Incident Review Board is a modest step forward. Actually reviewing what went wrong, actually reviewing what happened in a cyberincident, and having some part of government responsible for doing that work is useful. But it should not be part of Home Affairs, because Home Affairs may often be the problem. Home Affairs may have failed to identify a problem. The regulation presented by Home Affairs may be part of the reason why a ransomware attack was successful. It may be why information wasn’t supplied in a timely fashion. This Cyber Incident Review Board needs to be independent of Home Affairs. Our preferred option would be a standalone statutory entity. In the time we’ve had available, and given all the stress on our parliamentary drafters, we weren’t able to do that and we’re still waiting for the amendment to be circulated. That’s no criticism of parliamentary drafters; they are absolutely under the pump and they’re under-resourced by this government. But we’re waiting for the amendment to be circulated that will move the Cyber Incident Review Board from Home Affairs, where there are obvious conflicts of interest, into, at least, the Department of the Prime Minister and Cabinet so there’s some functional separation between the review board and the entity primarily responsible for cybersecurity. I’ll finish with this. This is rushed legislation that’s important, and the rush is part of the problem. I move:
That at the end of the motion, add “but the Senate notes that:
(a) this scheme will work best if the rules applied to Internet of Things devices are harmonised with similar regulatory obligations in other jurisdictions; and
(b) the government has indicated it will consider alignment of schemes following the passage of the bills.”
Question negatived.
Senator Ciccone stated:
I also rise to speak on the Senate’s consideration of the Cyber Security Legislative Package 2024. This package aims to protect Australia’s cyber infrastructure, which is an essential part of our national security. Our critical infrastructure underpins our country’s ability to deliver essential goods and services to all Australians as our reliance on the digital economy continues to develop and grow. As we know, cyber attacks and threats to our critical infrastructure can be highly lucrative for cybercriminals.
At the end of October and the start of November, I chaired the Parliamentary Joint Committee on Intelligence and Security inquiry into this very important package. I want to start by thanking the corporate, industry and civil society submitters and government departments who participated in the public hearings. The committee, in its report, made clear that it supports the urgent passage of these three bills under the Cyber Security Legislative Package 2024. I also note that the evidence that was received by the committee from stakeholders was near universally supportive of the package. I am pleased to see the government’s acceptance of the recommendations listed in the report, as illustrated by the amendments to the bill that were brought forward before the chamber. This is something that I and members of the committee welcome wholeheartedly. I’m also pleased that the Department of Home Affairs has considered the feedback and is intent on assisting industry to understand their responsibilities under the reforms.
The first of the three bills in the package, the Cyber Security Bill 2024, provides a very clear framework for the government to identify and to respond to new and emerging cyber attacks. It will provide additional protections to Australians and businesses and improve the government’s threat picture to inform additional protections, current incident response procedures and future policy. The bill will also address existing legislative deficiencies that the government outlined throughout the development of the 2023-2030 Australian Cyber Security Strategy.
Let’s take ransomware, for instance. The sophistication of ransomware is unprecedented and causes serious problems for businesses right across Australia. It’s one of the most pervasive forms of cybercrime. In response to this growing threat, the government’s Cyber Security Bill will create mandatory ransomware payment reporting requirements for businesses who are affected by a cyber incident and make ransomware payments. Mandatory reporting of ransomware payments will apply to businesses in Australia that meet an annual turnover threshold. They’ll be required to report a ransomware payment to the Department of Home Affairs or to the Australian Signals Directorate within 72 hours of making the payment or becoming aware of the payment. The simple fact is that the current voluntary reporting scheme is underutilised, limiting the government’s understanding of the ransomware threat landscape.
It will also allow the government to understand the sheer scope ransomware has on the Australian economy and protect Australian businesses to recover as quickly as possible. The reporting obligations aren’t about calling out businesses and hurting their reputation. Instead, they’ll enable us to determine the threat level and assist Australia’s domestic law enforcement to disrupt cybercrime activities both locally and abroad. Businesses will be protected from regulators and law enforcement, and the department has emphasised the importance of an education-first approach, not an enforcement led approach, to assist businesses. Ransomware alone costs the Australian economy up to an estimated $3 billion in damages each year.
The bill will also mandate security standards for smart devices that are either internet or network connected. These devices include smart TVs, smartwatches, home assistants, baby monitors, home routers and even consumer energy resources such as rooftop solar systems. Smart devices have become part of our daily lives. Many of us simply can’t live without them. Unfortunately, however, many of these devices have poor security features that expose Australians to cyber threats, compromising users’ cybersecurity, privacy and online safety. These connectible products will have to meet certain standards, bringing them into line with European standards, for example. Under this measure, smart devices in Australia will have a basic level of cybersecurity. The Australian Cyber Security Centre advises that, by securing smart devices, consumers’ information will be protected and will have a reduced risk of being targeted by cybercriminals. Manufacturers and suppliers will also be responsible for compliance and will be required to provide a statement of compliance. Enforcement notices may also be issued if a smart device is not compliant with mandatory standards.
Lastly, the bill will also seek to establish a cyber incident review board to conduct reviews into significant cybersecurity incidents that have impacts on the Australian economy, national security or social prosperity. Currently, Australia has no formalised way to conduct post-incident reviews when such incidents occur. Recent cybersecurity incidents, such as the Optus and Medibank data breaches in 2022-23 and the MediSecure data breach in 2024, highlight that industry and government need an avenue to investigate and learn lessons from such incidents and to prepare for contingencies for future attacks. The board won’t act as an investigative body that apportions blame to an organisation that is before the post-incident review. Any information that is given voluntarily to the board isn’t admissible in criminal or civil proceedings and doesn’t impact any existing legal obligations. Instead, the board will enable our country to learn from cybersecurity incidents to weigh up vulnerabilities that led to the attack and the effectiveness of the government and the industry response to the incident. The formation of the board will align Australia with other jurisdictions around the world—including the United States of America, which created its own cyber safety review board in 2022.
Meanwhile, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 amends the Security of Critical Infrastructure Act 2018. These reforms aim to improve the security and resilience of critical infrastructure by assisting the government and industry’s ability to help prevent, manage and respond to future significant incidents impacting critical infrastructure through the act. Our country is facing increased geopolitical and cyber threats, putting our critical infrastructure at heightened risk. Critical infrastructure provides essential services that we rely on every single day. It’s important that we make these reforms and pass them as quickly as possible. It is worth noting, however, that data is not the only target of threat actors. Critical infrastructure organisations are also targets, as they provide essential services to support Australian life and businesses, including our electricity, water, health, transport, logistics and telecommunications networks.
Finally, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 amends the Intelligence Services Act 2001 to legislate a limited-use obligation for the Australian Signals Directorate. Limited use is designed to encourage industry to share cybersecurity incident information with ASD, thereby bolstering ASD’s ability to perform its cybersecurity functions. The provision will work hand-in-glove with the compulsory reporting obligations to help us understand the scope of the threats.
Last week, ASD’s Annual cyber threat report 2023-2024 highlighted our rapidly evolving cyber threat landscape, with over 87,000 reports of cybercrime received over the financial year—on average, a report every six minutes. The report also showed that, from last year, the average cost of cybercrime for small businesses rose by eight per cent to $49,600 per report, and for individuals, it rose by 17 per cent to $30,700 per report. We’ll hear a lot about these bills before us—and it sounds like we’ll probably end up in the committee stage—but our inquiry was certainly efficient and thorough. I also want to make the point that the process itself had a very comprehensive discussion around the issues the opposition and the crossbench have raised today.
The comprehensive consultation process—one of which I can only describe as ‘gold standard’ by the department—made it easy for the committee to discuss the issues that were raised with witnesses that appeared before it. It was fantastic to hear that the department had engaged with many stakeholders, particularly those in industry, for some time about these issues. That is why I mentioned earlier in my speech the fantastic work that was done to consult and iron out some of the issues before these bills were drafted and brought before the parliament today.
It’s also important to reiterate that, as a direct result of this consultation process, there was and is broad support for the bills by industry and by many others that put submissions to the committee. In fact, many stakeholders participated in the inquiry. The government’s consultation was best practice. Therefore, nothing in these bills was a surprise to them, with much of the content in the package already well known to industry. I also want to thank the government for the release of its 2023-2030 Australian Cyber Security Strategy back in November 2023 and the consultation paper that preceded it.
The Albanese government is committed to lifting our country’s cyber legislative strategy and doing everything it can to support Australians and small businesses around the country. The Cyber Security Bill and related bills provide an opportunity for this country and for the Senate to strengthen our national cybersecurity defences. The bills will position Australians and our businesses, particularly in the small business community, to better respond and recover from cybersecurity threats and help our nation become a world leader in cybersecurity by 2030 in an evolving threat environment. I commend the bill to the Senate.
Senator Helen Polley stated:
I rise to speak on the Cyber Security Bill and related bills. This issue is of great importance to our country, our citizens and our economy. As chair of the Joint Standing Committee on Law Enforcement and as a member of the Senate Standing Committee on Legal and Constitutional Affairs, I understand the importance of this issue. It’s gripping Australia, and it’s gripping the world. Governments around the world must act now if we have any chance of getting ahead of the game of crime syndicates, professional hackers, foreign adversaries and fighting against cybercrime.
I often relay tips to the public about the importance of personal online safety and tools they can implement to try and keep them safe online. There are simple strategies that can boost your cybersecurity, like updating your device regularly, setting up and performing regular backups, learning how to make a copy of your files so that you don’t lose that valuable data, turning on multifaceted authentication, setting secure passphrases, recognising and reporting scams, learning how to identify common cyberattacks and defending yourself against cyberattacks. The simplest way you can protect your devices from cybercrime is to turn them off every day. To get into the practice of doing that, before you get into the shower, turn your mobile phone or your iPad off and, when you get out of the shower, turn it back on. That is a really simple but effective way to help protect yourself.
As a government, since coming to office we have been very committed to meaningful reform. That’s why I’d like to acknowledge the Minister for Home Affairs and Minister for Cyber Security, the Hon. Tony Burke, and the previous Minister for Home Affairs, now the Minister for Housing and Minister for Homelessness, the Hon. Clare O’Neil, for the work that they’ve undertaken. Cybersecurity deserves our attention, and this bill, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 form the cybersecurity legislative reform package of the Albanese Labor government.
As a government, we are committed to strengthening our national cyberdefences and building cyber-resilience across the Australian economy after some very high-profile cyberattacks and data breaches over the last five to 10 years. This suite of legislative reforms will implement key initiatives under the 2023-2030 Australian Cyber Security Strategy, which Minister O’Neil worked tirelessly on, and I acknowledge her contribution. I also acknowledge the department’s contributions and submissions to the inquiry of the Intelligence and Security Joint Committee. They were always informed and completely focused on enhancing our cybersecurity intelligence and infrastructure. I know our security and intelligence organisations, and sometimes we take them for granted, but they are so essential to ensuring our national security and our own personal security, so I want to acknowledge them here today.
This is a significant step in achieving the Australian government’s vision of becoming a world leader in cybersecurity by 2030. To achieve this vision, Australia needs a clear legislative framework that addresses whole-of-economy cybersecurity issues and positions us to be able to respond to new and emerging threats from wherever they may come. Our country relies on a framework that enables individuals to trust the products that they use every day. We need a framework that enhances our ability to counter ransomware, cyberextortion and end-to-end encryption and to live with cryptocurrency and technological advancements. These are all important things that are part of our world now. We need a framework that enhances protections for victims of cyber incidents and encourages them to engage with government. We need a framework that enables us to learn lessons from significant cybersecurity incidents so that we can be better prepared, because time is of the essence. When a cybercrime has occurred, you have only hours to report that crime to have any hope of being able to track the cybercriminals, which is why we must report these crimes when they occur.
I don’t know how many people I’ve met in the last few months that have actually lost tens of thousands of dollars and been far too trusting. These cybercrimes are real, and they can impact any of us. Sometimes people will say to me, ‘You’re a high-profile politician, and that’s why you’re a target.’ That’s not true, unfortunately. Cybercrime can happen to each and every one of us. So we need a framework that enhances protections for victims of cyber incidents and that, as I said, encourages them to engage with the government. We need to ensure that people understand the importance of reporting these crimes as soon as possible.
I know people that have been stung by various scams, and they feel embarrassed. They really do feel embarrassed and that they should have known better. But the reality is, these criminals are smart, they change the way that they operate all the time. They come from different places as well as from Australia—all these cybercrimes aren’t just being perpetrated from people offshore.
The Cyber Security Bill provides a framework to build our cybersecurity as a nation in a globalised and technologically advanced world. The first measure under this bill will ensure that Australians can trust their digital products by enabling the government to establish mandatory security standards for smart devices. Australians are prolific users of smart devices—we love our gadgets—but consumers need to be assured that smart devices are still safe for them to use. To date, smart devices have not been subject to mandatory cybersecurity standards or regulations in Australia. Therefore, this bill will bring our country in line with international best practice and also will provide Australians with peace of mind that the smart devices we’ve come to rely on almost every day will meet our expectations around security.
The bill will enhance consumer security by prohibiting the use of universal default passwords on a smart device which create backdoors for potential hackers. The bill addresses the ransomware threat that continues to cause large-scale harm to the Australian economy and national security. Businesses are losing millions of dollars every year because of ransomware. We can stop it in its tracks with mandatory reporting of ransomware payments to learn from these attacks. We must prevent future ransomware crises and equip businesses to be able to bounce back following any incident.
The Cyber Security Bill’s third measure seeks to support and assure Australian organisations as they respond to cybersecurity incidents. Close cooperation between government and industry is one of our greatest defences against cybercrime, which is malicious. In the wake of cybersecurity incidences, businesses need to know that they can call on government to quickly get the support that they need. The bill affirms the role of the National Cyber Security Coordinator to coordinate whole-of-government cyber-incident responses effectively. It also seeks to increase trust and engagement between business and government during an incident by limiting the circumstances under which the coordinator can use and share information that has been voluntarily provided by an affected entity. With these measures businesses will have a greater comfort to report cyber incidences and gain the assistance they need in order to respond to and recover from cyber incidences.
We must remember that cyber crimes can impact businesses and individuals, and it’s important that when you have an incident, you report it and reach out and get the support that you need. I thank Minister Burke and Minister O’Neil for their leadership, and I thank those who provided evidence to our committee to investigate this. I recommend the bill to be passed in the Senate today.
The first reading text of the Bill provides:
Part 1——Preliminary
The objects of this Act are to:
(a) improve the cyber security of products that:
(i) can connect directly or indirectly to the internet; and
(ii) will be acquired in Australia;
by requiring manufacturers and suppliers of those products to comply with security standards specified in the rules; and
(b) encourage the provision of information relating to the provision of payments or benefits (called ransomware payments) to entities seeking to benefit from cyber security incidents by imposing reporting obligations on entities in relation to the payment of such payments or benefits; and
(c) facilitate the whole of Government response to significant cyber security incidents by providing for the National Cyber Security Coordinator to lead across the whole of Government the coordination and triaging of action in response to significant cyber security incidents; and
(d) prevent, improve the detection of, improve the response to and minimise the impact of cyber security incidents by establishing the Cyber Incident Review Board to:
(i) cause reviews to be conducted in relation to certain cyber security incidents; and
(ii) make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, incidents of a similar nature in the future; and
(e) improve the response to and minimise the impact of cyber security incidents (including imminent incidents) through encouraging entities impacted, or probably impacted, by such cyber security incidents to provide information to the Australian Government about the incidents by ensuring that:
(i) the information provided is only used and disclosed for limited purposes; and
(ii) the information provided is not admissible in evidence in proceedings against the entities that provided the information; and
(f) to facilitate the sharing of information about cyber security incidents with State and Territory Governments for limited purposes, with their consent that the information is only to be used and disclosed for limited purposes.
4 Simplified outline of this Act
This Act provides for mandatory security standards for certain products that can directly or indirectly connect to the internet (called relevant connectable products).
This Act also provides an obligation to report payments or benefits (called ransomware payments) provided to an entity that is seeking to benefit from a cyber security incident.
Information may be voluntarily provided to the National Cyber Security Coordinator in relation to a significant cyber security incident. The National Cyber Security Coordinator’s role is to lead across the whole of Government the coordination and triaging of action in response to a significant cyber security incident.
The Cyber Incident Review Board is established by this Act. Its functions include causing reviews to be conducted in relation to certain cyber security incidents. A review will make recommendations to Government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, incidents of a similar nature in the future.
Information provided by entities under provisions of this Act may only be used and disclosed for limited purposes. Certain information provided to the Australian Government under this Act is not admissible in evidence in proceedings against the entity that provided the information.
A range of compliance and enforcement powers are provided for, including by applying the Regulatory Powers (Standard Provisions) Act 2014.
This Act also deals with administrative matters such as delegations and the power to make rules.
5 Extraterritoriality
This Act applies both within and outside Australia.
Note: This Act extends to every external Territory.
6 Act binds the Crown
(1) This Act binds the Crown in each of its capacities.
(2) This Act does not make the Crown liable to be prosecuted for an offence.
Note: The Crown (other than a Crown authority) is not liable to a pecuniary penalty for the breach of a civil penalty provision or to be given an infringement notice: see subsections 79(8) and 82(7).
(3) The protection in subsection (2) does not apply to an authority of the Crown.
7 Concurrent operation of State and Territory laws
This Act is not intended to exclude or limit the operation of a law of a State or Territory to the extent that that law is capable of operating concurrently with this Act.
8 Definitions
In this Act:
ASD means the Australian Signals Directorate.
benefit includes any advantage and is not limited to property.
business has the same meaning as in the Income Tax Assessment Act 1997.
Chair means the Chair of the Cyber Incident Review Board.
civil penalty provision has the same meaning as in the Regulatory Powers Act.
Commonwealth body means:
(a) a Minister of the Commonwealth; or
(b) a Department of State of the Commonwealth; or
(c) a body (whether incorporated or not) that:
(i) is established, or continued in existence, for a public purpose by or under a law of the Commonwealth; and
(ii) is not an authority of the Crown.
Commonwealth enforcement body means:
(a) the Australian Federal Police; or
(b) the Australian Prudential Regulation Authority; or
(c) the Australian Securities and Investments Commission; or
(d) the Inspector of the National Anti-Corruption Commission; or
(e) the Office of the Director of Public Prosecutions; or
(f) the National Anti-Corruption Commissioner; or
(g) Sport Integrity Australia; or
(h) another Commonwealth body, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction for a criminal offence.
Commonwealth officer has the same meaning as in Part 5.6 of the Criminal Code.
computer has the same meaning as in the Security of Critical Infrastructure Act 2018.
coronial inquiry means a coronial inquiry, coronial investigation or coronial inquest under a law of the Commonwealth, or of a State or Territory.
critical infrastructure asset has the same meaning as in the Security of Critical Infrastructure Act 2018.
Cyber Incident Review Board or Board means the Cyber Incident Review Board established by section 60.
cyber security incident has the meaning given by section 9.
designated Commonwealth body means:
(a) a Department, or a body established by a law of the Commonwealth, specified in the rules; or
(b) if no rules are made for the purposes of paragraph (a)—the Department and ASD.
draft review report has the meaning given by subsection 51(1).
entity means any of the following:
(a) an individual;
(b) a body corporate;
(c) a partnership;
(d) an unincorporated association that has a governing body;
(e) a trust;
(f) an entity that is a responsible entity for a critical infrastructure asset.
Expert Panel means the Expert Panel established by the Board under section 70.
final review report has the meaning given by subsection 52(1).
intelligence agency means:
(a) the agency known as the Australian Criminal Intelligence Commission established by the Australian Crime Commission Act 2002; or
(b) the Australian Geospatial-Intelligence Organisation; or
(c) the Australian Secret Intelligence Service; or
(d) the Australian Security Intelligence Organisation; or
(e) ASD; or
(f) the Defence Intelligence Organisation; or
(g) the Office of National Intelligence.
internet-connectable product has the meaning given by subsection 13(4).
manufacturer has the same meaning as in the Australian Consumer Law.
National Cyber Security Coordinator means:
(a) the officer of the Department known as the National Cyber Security Coordinator; and
(b) the APS employees, and officers or employees of Commonwealth bodies, whose services are made available to the officer in connection with the performance of any of the officer’s functions or the exercise of any of the officer’s powers under this Act.
network-connectable product has the meaning given by subsection 13(5).
permitted cyber security purpose for a cyber security incident has the meaning given by section 10.
personal information has the same meaning as in the Privacy Act 1988.
protected review report has the meaning given by subsection 54(1).
ransomware payment has the meaning given by subsection 26(1).
ransomware payment report means a report given by an entity under subsection 27(1).
Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.
relevant connectable product has the meaning given by subsection 13(2).
reporting business entity has the meaning given by subsection 26(2).
responsible entity, for an asset, has the same meaning as in the Security of Critical Infrastructure Act 2018.
Secretary means the Secretary of the Department.
sensitive information has the same meaning as in the Privacy Act 1988.
sensitive review information has the meaning given by subsection 53(2).
significant cyber security incident has the meaning given by section 34.
State body means:
(a) a Minister of a State or Territory; or
(b) a Department of State of a State or Territory or a Department of the Public Service of a State or Territory; or
(c) a body (whether incorporated or not) that:
(i) is established, or continued in existence, for a public purpose by or under a law of a State or Territory; and
(ii) is not an authority of the Crown.
supply has the same meaning as in the Australian Consumer Law and supplied and supplier have corresponding meanings.
9 Meaning of cyber security incident
(1) A cyber security incident is one or more acts, events or circumstances:
(a) of a kind covered by the meaning of cyber security incident in the Security of Critical Infrastructure Act 2018; or
(b) involving unauthorised impairment of electronic communication to or from a computer, within the meaning of that phrase in that Act, but as if that phrase did not exclude the mere interception of any such communication.
(2) However, an incident is only a cyber security incident for the purposes of this Act if:
(a) the incident involves a critical infrastructure asset; or
(b) the incident involves the activities of an entity that is a corporation to which paragraph 51(xx) of the Constitution applies; or
(c) the incident is or was effected by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
(d) the incident is impeding or impairing, or has impeded or impaired, the ability of a computer to connect to such a service; or
(e) the incident has seriously prejudiced or is seriously prejudicing:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security.
10 Meaning of permitted cyber security purpose
Each of the following is a permitted cyber security purpose for a cyber security incident:
(a) the performance of the functions of a Commonwealth body (to the extent that it is not a Commonwealth enforcement body) relating to responding to, mitigating or resolving the cyber security incident;
(b) the performance of the functions of a State body relating to responding to, mitigating or resolving the cyber security incident;
(c) the performance of the functions of the National Cyber Security Coordinator under Part 4 relating to the cyber security incident;
(d) informing and advising the Minister, and other Ministers of the Commonwealth, about the cyber security incident;
(e) preventing or mitigating material risks that the cyber security incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security;
(f) preventing or mitigating material risks to a critical infrastructure asset;
(g) the performance of the functions of an intelligence agency;
(h) the performance of the functions of a Commonwealth enforcement body.
Note 1: There are some limitations in relation to civil or regulatory functions against entities that have provided information in relation to the incident: see subsections 38(2) and 39(3).
Note 2: Certain information must not be disclosed to a State body under Parts 3, 4 or 5 of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section 11.
11 Disclosure to State body
(1) Despite any other provision of this Act, information that may be disclosed to a State body under Part 3, 4 or 5 must not be disclosed to the State body under that Part unless:
(a) a Minister of the State or Territory has informed the Minister administering this Act, in writing, that the State or Territory gives consent to the provisions of that Part applying to the State body; and
(b) a Minister of the State or Territory has not informed the Minister administering this Act, in writing, that the State or Territory withdraws that consent.
(2) For the purposes of paragraph (1)(a), a Minister of a State or Territory may give consent in relation to all State bodies, a class of State bodies, or particular State bodies, of that State or Territory.
Part 2——Security standards for smart devices
Division 1——Preliminary
12 Simplified outline of this Part
The rules may provide mandatory security standards for products that can directly or indirectly connect to the internet (called relevant connectable products) that will be acquired in Australia in specified circumstances.
If the rules provide a security standard for a product:
(a) manufacturers must manufacture the product in compliance with the requirements of the security standard if they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances; and
(b) those manufacturers must also comply with any other obligations relating to the product in the security standard (for example, obligations to publish information about the product); and
(c) if the product does not comply it must not be supplied in Australia if the supplier is aware, or could reasonably be expected to be aware, that the products will be acquired in Australia in those specified circumstances; and
(d) those suppliers must supply the product in Australia accompanied by a statement of compliance.
A compliance notice, a stop notice and a recall notice may be given for non-compliance with obligations in this Part. Internal review may be sought for a decision to issue a notice.
An independent audit of a product may be undertaken to determine compliance with the requirements of a security standard or requirements for the statement of compliance. The Secretary may request the manufacturer or supplier to provide the product, the statement of compliance or both for the purposes of the audit.
13 Application of this Part
(1) This Part applies to a relevant connectable product that is:
(a) manufactured on or after the commencement of this Part; or
(b) supplied (other than as second hand goods) on or after the commencement of this Part.
(2) A relevant connectable product is a product that:
(a) is an internet-connectable product or a network-connectable product; and
(b) is not exempted under the rules.
(3) For the purposes of paragraph (2)(b), the rules may specify that:
(a) classes of products are exempted; or
(b) particular products are exempted.
(4) An internet-connectable product is a product that is capable of connecting to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data over the internet.
(5) A network-connectable product is a product that:
(a) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy; and
(b) is not an internet-connectable product; and
(c) meets the condition in subsection (6) or (7).
(6) A product meets the condition in this subsection if it is capable of connecting directly to an internet-connectable product by means of a communication protocol that forms part of the internet protocol suite.
(7) Subject to subsections (8) and (9), a product meets the condition in this subsection if:
(a) it is capable of connecting directly to 2 or more products at the same time by means of a communication protocol that does not form part of the internet protocol suite; and
(b) it is capable of connecting directly to an internet-connectable product by means of such a communication protocol (whether or not at the same time as it connects to any other product).
(8) A product consisting of a wire or cable that is used merely to connect the product to another product does not meet the condition in subsection (7).
(9) If:
(a) two or more products are designed to be used together for the purposes of facilitating the use of a computer (within the ordinary meaning of that expression); and
(b) at least one of the products (the linking product) is capable of connecting directly to an internet-connectable product (whether the computer or some other product) by means of a communication protocol that does not form part of the internet protocol suite; and
(c) each of the products (the input products) that is not a linking product is capable of connecting directly to the linking product, or, if there is more than one linking product, to each linking product:
(i) wirelessly; and
(ii) by means of a communication protocol that does not form part of the internet protocol suite;
each of the input products meets the condition in subsection (7).
(10) For the purposes of subsections (4) to (9), a product is not prevented from being regarded as connecting directly to another product merely because the connection involves the use of a wire or cable.
Division 2——Security standards for relevant connectable products
14 Security standards for relevant connectable products
(1) The rules may make provision for, or in relation to, security standards for specified classes of relevant connectable products that will be acquired in Australia in specified circumstances.
(2) Without limiting subsection (1) a class of relevant connectable products specified for the purposes of that subsection may consist of a particular relevant connectable product or of all relevant connectable products.
(3) Despite subsection 14(2) of the Legislation Act 2003, the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in an instrument or other writing as in force or existing from time to time.
15 Compliance with security standard for a relevant connectable product
Manufacturer must comply
(1) An entity must manufacture a relevant connectable product in compliance with the requirements of the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
(a) the product is included in that class; and
(b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
(2) The entity must comply with any other requirements of the security standard that apply to the manufacturer of a product included in that class.
(3) An entity must not supply a product in Australia that was not manufactured in compliance with the requirements of the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
(a) the product is included in that class; and
(b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
(4) The entity must comply with any other requirements of the security standard that apply to the supplier of a product included in that class.
Exception
(5) However, to the extent that a requirement in the security standard does not relate to any of the matters in subsection (6), an entity is not required to comply with subsections (1) to (4) if the entity is not:
(a) an entity that is a corporation to which paragraph 51(xx) of the Constitution applies; or
(b) an entity that is undertaking activities in the course of, or in relation to, trade or commerce with other countries, among the States, between Territories or between a Territory and a State.
(6) The matters are the following:
(a) the direct, or indirect, connection of the relevant connectable product to, a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, connection to the internet);
(b) the direct, or indirect, use by the relevant connectable product of such a service (including, for example, use of the internet);
(c) measures that would protect the relevant connectable product from an attack effected by means of such a service (including, for example, by means of the internet).
16 Obligation to provide and supply products with a statement of compliance with security standard
Manufacturer must provide statement of compliance
(1) An entity that manufactures a relevant connectable product must provide, for the supply of the product in Australia, a statement of compliance with the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
(a) the product is included in that class; and
(b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
(2) The entity must retain a copy of the statement of compliance for the period specified in the rules for that class of statements.
Supplier must supply the product with statement of compliance
(3) An entity that supplies a relevant connectable product in Australia must supply the product with a statement of compliance with the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
(a) the product is included in that class; and
(b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
(4) The entity must retain a copy of the statement of compliance for the period specified in the rules for that class of statements.
Requirements for statement of compliance
(5) The statement of compliance with the security standard under subsection (1) or (2) must meet the requirements provided by the rules for that class of statements.
Matters relating to the rule making powers
(6) Without limiting subsection (2), (4) or (5) a class of statements may consist of a statement for a particular relevant connectable product or a particular security standard or all relevant connectable products or all security standards.
Division 3——Enforcement
17 Compliance notice
(1) The Secretary may give an entity that must comply with an obligation under section 15 or 16 a compliance notice if the Secretary:
(a) is reasonably satisfied that the entity is not complying with the obligation; or
(b) is aware of information that suggests that the entity may not be complying with the obligation.
(2) The compliance notice must:
(a) set out the name of the entity to which the notice is given;
(b) set out brief details of the non-compliance or possible non-compliance; and
(c) specify action within the entity’s control that the entity must take in order to address the non-compliance or possible non-compliance; and
(d) specify a reasonable period within which the entity must take the specified action; and
(e) if the Secretary considers it appropriate—specify a reasonable period within which the entity must provide the Secretary with evidence that the entity has taken the specified action; and
(f) explain what may happen if the entity does not comply with the notice; and
(g) explain how the entity may seek review of the decision to issue the notice; and
(h) set out any other matters prescribed by the rules.
(3) Before giving the notice to the entity, the Secretary must:
(a) notify the entity that the Secretary intends to give the notice to the entity; and
(b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(4) Only one compliance notice may be given to an entity in relation to a particular instance of the entity’s non-compliance, or possible non-compliance, with an obligation under section 15 or 16.
18 Stop notice
(1) The Secretary may give an entity that must comply with an obligation under section 15 or 16 a stop notice if:
(a) the entity has been given a compliance notice under section 17 in relation to the non-compliance with the obligation; and
(b) the Secretary is reasonably satisfied that:
(i) the entity has not complied with the compliance notice; or
(ii) actions taken by the entity to rectify non-compliance with the obligation (whether in accordance with the compliance notice or otherwise) are inadequate to rectify the non-compliance.
(2) The stop notice must:
(a) set out the name of the entity to which the notice is given;
(b) set out brief details of the non-compliance; and
(c) specify action within the entity’s control that the entity must take, or refrain from taking, in order to address the non-compliance; and
(d) specify a reasonable period within which the entity must take the specified action or refrain from taking the specified action; and
(e) if the Secretary considers it appropriate—specify a reasonable period within which the entity must provide the Secretary with evidence that the entity has taken the specified action or refrained from taking the specified action; and
(f) explain what may happen if the entity does not comply with the notice; and
(g) explain how the entity may seek review of the decision to issue the notice; and
(h) set out any other matters prescribed by the rules.
(3) Before giving the notice to the entity, the Secretary must:
(a) notify the entity that the Secretary intends to give the notice to the entity; and
(b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(4) Only one stop notice may be given to an entity in relation to a particular instance of the entity’s non-compliance with an obligation under section 15 or 16.
19 Recall notice
(1) The Secretary may give an entity that must comply with an obligation under section 15 or 16 a recall notice if:
(a) the entity has been given a stop notice under section 18 in relation to the non-compliance with the obligation; and
(b) the Secretary is reasonably satisfied that:
(i) the entity has not complied with the stop notice; or
(ii) actions taken by the entity to rectify the non-compliance with the obligation (whether in accordance with the compliance notice or otherwise) are inadequate to rectify the non-compliance.
(2) The recall notice must:
(a) set out the name of the entity to which the notice is given;
(b) set out brief details of the non-compliance; and
(c) specify action that the entity must take to do any or all of the following:
(i) ensure, to the extent within the entity’s control, the product is not acquired in Australia;
(ii) ensure, to the extent within the entity’s control, that the product is not supplied to suppliers for supply in Australia;
(iii) arrange for the return, within a specified reasonable period, of the product to the entity, or if the entity is not the manufacturer of the product, the manufacturer of the product; and
(d) specify a reasonable period within which the entity must take the specified action; and
(e) if the Secretary considers it appropriate—specify a reasonable period within which the entity must provide the Secretary with evidence that the entity has taken the specified action; and
(f) explain what may happen if the entity does not comply with the notice; and
(g) explain how the entity may seek review of the decision to issue the notice; and
(h) set out any other matters prescribed by the rules.
(3) Before giving the notice to the entity, the Secretary must:
(a) notify the entity that the Secretary intends to give the notice to the entity; and
(b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(4) Only one recall notice may be given to an entity in relation to a particular instance of the entity’s non-compliance with an obligation under section 15 or 16.
20 Public notification of failure to comply with recall notice
If an entity fails to comply with a recall notice, the Minister may publish the following information on the Department’s website, or in any other way the Minister considers appropriate:
(a) the identity of the entity;
(b) details of the product;
(c) details of the non-compliance;
(d) risks posed by the product relating to the non-compliance;
(e) any other matters prescribed by the rules.
21 Revocation and variation of notices given under this Part
Variation
(1) The Secretary may, by notice in writing given to an entity, vary a compliance notice, stop notice or recall notice given under this Part to the entity if the Secretary is reasonably satisfied that the variation is required:
(a) in order to rectify an error, defect or ambiguity in the notice; or
(b) to adequately rectify the non-compliance, or possible non-compliance, to which the notice relates.
(2) Before giving the notice to the entity under subsection (1), the Secretary must:
(a) notify the entity that the Secretary intends to give the notice to the entity; and
(b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(3) A varied compliance notice, stop notice or recall notice has the same effect as the original notice for the purposes of this Part.
Revocation
(4) The Secretary may, by notice in writing given to an entity, revoke a compliance notice, stop notice or recall notice given under this Part to the entity if the Secretary is no longer satisfied that the grounds for issuing the notice were met.
(5) If a compliance notice, stop notice or recall notice, relating to non-compliance or possible non-compliance by an entity with an obligation, is revoked under subsection (4), no further notices may be issued under this Part in relation to that non-compliance.
22 Internal review of decision to give compliance, stop or recall notice
(1) An entity may apply, in writing, to the Secretary for review (an internal review) of a decision:
(a) to give the entity a compliance notice under section 17; or
(b) to give the entity a stop notice under section 18; or
(c) to give the entity a recall notice under section 19; or
(d) to vary, under section 21, a notice given to the entity.
(2) An application for an internal review must be made within 30 days after the day on which the notice was given to the entity.
(3) The decision-maker for the internal review is:
(a) the Secretary; or
(b) if the Secretary made the decision personally—a person:
(i) to whom the power to issue a notice of that kind has been delegated under section 86; and
(ii) that was not involved in the making of the Secretary’s decision.
(4) Within 30 days after the application is received, the decision-maker must:
(a) review the decision; and
(b) affirm, vary or revoke the decision; and
(c) if the decision is revoked—make such other decision (if any) that the decision-maker thinks appropriate.
(5) The decision-maker for the reviewable decision must, as soon as practicable after making a decision under subsection (4), give the applicant a written statement of the decision-maker’s reasons for the decision.
23 Examination to assess compliance with security standard and statement of compliance
(1) If an entity must comply with an obligation in section 15 or 16 in relation to a relevant connectable product, the Secretary may engage an appropriately qualified and experienced expert to carry out an independent examination of the product to determine either or both of the following:
(a) whether the product complies with the security standard for the class of relevant connectable product;
(b) whether the statement of compliance for the product complies with the requirements of section 16.
(2) The expert may examine the product, for example, by doing any of the following:
(a) opening any package in which the product is contained;
(b) operating the product;
(c) testing or analysing the product, including through the use of electronic equipment;
(d) if the product contains a record or document—reading the record or document either directly or with the use of an electronic device;
(e) taking photographs or video recordings of the product.
Request for product and statement of compliance
(3) For the purposes of the examination, the Secretary may request, by notice in writing, the entity to provide the product, or the statement of compliance for the product, or both.
(4) The notice must:
(a) specify the product; and
(b) if the entity is not the manufacturer—specify the manufacturer of the product (if known); and
(c) specify a reasonable period within which the entity must provide the notice; and
(d) specify the period for which the product will be retained for testing; and
(e) specify the requirements of the security standard that the product will be tested against; and
(f) explain the kind of testing or analysis that will be done; and
(g) explain what may happen if:
(i) the entity does not comply with the notice; or
(ii) the entity does not comply with its obligations in section 15 or 16 in relation to the product; and
(h) set out any other matters prescribed by the rules.
Compensation
(5) An entity is entitled to be paid by the Commonwealth reasonable compensation for complying with a request under subsection (3).
24 Acquisition of property
This Part has no effect to the extent (if any) that its operation would result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) from a person otherwise than on just terms (within the meaning of that paragraph).
Part 3——Ransomware reporting obligations
Division 1——Preliminary
25 Simplified outline of this Part
This Part imposes reporting obligations on certain entities who are impacted by a cyber security incident, and who have provided or are aware that another entity has provided, a payment or benefit (called a ransomware payment) to an entity that is seeking to benefit from the impact or the cyber security incident.
Particular information must be included in a ransomware payment report, including information relating to the cyber security incident, the demand made by the extorting entity and the ransomware payment.
An entity may be liable to a civil penalty if the entity fails to make a ransomware payment report as required by this Part.
26 Application of this Part
(1) This Part applies if:
(a) an incident has occurred, is occurring or is imminent; and
(b) the incident is a cyber security incident; and
(c) the incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on a reporting business entity; and
(d) an entity (the extorting entity) makes a demand of the reporting business entity, or any other entity, in order to benefit from the incident or the impact on the reporting business entity; and
(e) the reporting business entity provides, or is aware that another entity has provided on their behalf, a payment or benefit (a ransomware payment) to the extorting entity that is directly related to the demand.
(2) An entity is a reporting business entity if, at the time the ransomware payment is made:
(a) the entity:
(i) is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold for that year; and
(ii) is not a Commonwealth body or a State body; and
(iii) is not a responsible entity for a critical infrastructure asset; or
(b) the entity is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies.
(3) For the purposes of subparagraph (2)(a)(i), the turnover threshold is:
(a) if a business has been carried on for only part of the previous financial year—the amount worked out in the manner prescribed by the rules; or
(b) in any other case—the amount prescribed by, or worked out in the manner prescribed by, the rules.
Presumption
(4) For the purposes of paragraph (1)(b), an incident (other than an incident covered by paragraph 9(2)(a) or (b)) is presumed to be a cyber security incident if:
(a) the incident was probably effected, is probably being effected or could reasonably be expected to be effected, by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
(b) the incident has probably impeded or impaired, or is probably impeding or impairing or could reasonably be expected to impede or impair, the ability of a computer to connect to such a service; or
(c) the incident has probably seriously prejudiced, is probably seriously prejudicing, or could reasonably be expected to prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security.
Note: Paragraphs 9(2)(a) and (b) cover incidents involving critical infrastructure assets or the activities of corporations to which paragraph 51(xx) of the Constitution applies.
(5) However, subsection (4) does not make an entity liable to a civil penalty under this Part if the incident:
(a) was not in fact effected by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
(b) did not in fact impede or impair the ability of a computer to connect to such a service; or
(c) did not in fact seriously prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security.
27 Obligation to report following a ransomware payment
(1) The reporting business entity must give the designated Commonwealth body a report (a ransomware payment report) that complies with the requirements of this section within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made (whichever is applicable).
Note: For the definition of designated Commonwealth body: see section 8.
(2) The ransomware payment report must contain information relating to the following, in accordance with any requirements prescribed by the rules, that, at the time of making the report, the reporting business entity knows or is able, by reasonable search or enquiry, to find out:
(a) if the reporting business entity made the payment—the reporting business entity’s contact and business details;
(b) if another entity made the payment—that entity’s contact and business details;
(c) the cyber security incident, including its impact on the reporting business entity;
(d) the demand made by the extorting entity;
(e) the ransomware payment;
(f) communications with the extorting entity relating to the incident, the demand and the payment.
(3) The reporting business entity may include other information relating to the cyber security incident in the ransomware payment report.
(4) The ransomware payment report must be given:
(a) in the form approved by the Secretary (if any); and
(b) in the manner (if any) prescribed by the rules.
(5) An entity is liable to a civil penalty if the entity contravenes subsection (1).
Civil penalty: 60 penalty units.
(6) Subsection 93(2) of the Regulatory Powers Act does not apply in relation to a contravention of subsection (1) of this section.
28 Liability
(1) An entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with section 27.
(2) An officer, employee or agent of an entity is not liable to an action for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).
(3) An entity that wishes to rely on subsection (1) in relation to an action or other proceeding bears an evidential burden (within the meaning of the Regulatory Powers Act) in relation to that matter.
29 Ransomware payment reports may only be used or disclosed for permitted purposes
Permitted use and disclosure
(1) A designated Commonwealth body may make a record of, use or disclose information provided in a ransomware payment report by a reporting business entity, but only for the purposes of one or more of the following:
(a) assisting the reporting business entity, and other entities acting on behalf of the reporting business entity, to respond to, mitigate or resolve the cyber security incident;
(b) performing functions or exercising powers under this Part or Part 6 as it applies to this Part;
(c) proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;
(d) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
(e) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
(f) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
(g) the performance of the functions of the National Cyber Security Coordinator under Part 4 relating to a cyber security incident;
(h) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
(i) the performance of the functions of an intelligence agency.
Note: Certain information must not be disclosed to a State body under Parts of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section 11.
(2) However, the designated Commonwealth body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the reporting business entity of a Commonwealth, State or Territory law other than:
(a) a contravention by the reporting business entity of this Part;
(b) a contravention by the reporting business entity of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 32 in relation to admissibility of the information in proceedings against the reporting business entity.
Interaction with the Privacy Act 1988
(3) Subsection (1) does not authorise the designated Commonwealth body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(4) Subsection (1) does not prohibit the recording, use or disclosure of the following information:
(a) information that has been provided to the designated Commonwealth body by, or on behalf of, the entity to the Commonwealth to comply with:
(i) a requirement in Part 2B of the Security of Critical Infrastructure Act 2018; or
(ii) a requirement under the Telecommunications Act 1997; or
(iii) a requirement under a law prescribed by the rules;
(b) information that has already been lawfully made available to the public.
30 Limitations on secondary use and disclosure of information in ransomware payment reports
(1) This section applies to information that:
(a) has been provided in a ransomware payment report by a reporting business entity; and
(b) has been obtained by another entity, Commonwealth body or State body under subsection 29(1) or this section; and
(c) is held by the other entity, Commonwealth body or State body.
Note: This section does not apply to the information to the extent that it has been otherwise obtained by the other entity, Commonwealth body or State body.
Permitted use and disclosure
(2) The other entity, Commonwealth body or State body may make a record of, use or disclose the information but only for the purposes of one or more of the following:
(a) assisting the reporting business entity, and other entities acting on behalf of the reporting business entity, to respond to, mitigate or resolve the cyber security incident;
(b) performing functions or exercising powers under this Part or Part 6 as it applies to this Part;
(c) proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;
(d) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
(e) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
(f) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
(g) the performance of the functions of the National Cyber Security Coordinator under Part 4 relating to a cyber security incident;
(h) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
(i) the performance of the functions of an intelligence agency.
(3) However, the other entity, Commonwealth body or State body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention, by the reporting business entity, of a Commonwealth, State or Territory law other than:
(a) a contravention by the reporting business entity of this Part;
(b) a contravention by the reporting business entity of a law that imposes a penalty or sanction for a criminal offence.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the other entity, Commonwealth body or State body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit:
(a) recording, use or disclosure of information referred to in subsection 29(4); or
(b) if the other entity is an individual—recording, use or disclosure of personal information about the individual; or
(c) recording, use or disclosure of the reporting business entity’s own information, with the consent of the reporting business entity, by another entity, a Commonwealth body or a State body; or
(d) recording, use or disclosure of information for the purposes of carrying out a State’s constitutional functions, powers or duties.
Civil penalty for contravention of this section
(6) An entity is liable to a civil penalty if:
(a) the entity contravenes subsection (2); and
(b) the entity is not a Commonwealth officer; and
(c) any of the following applies:
(i) the information is sensitive information about an individual and the individual has not consented to the record, use or disclosure of the information;
(ii) the information is confidential or commercially sensitive;
(iii) the record, use or disclosure of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
Note 1: See the Criminal Code for offences for Commonwealth officers.
Note 2: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
Civil penalty: 60 penalty units.
31 Legal professional privilege
(1) The fact that a reporting business entity provided information in a ransomware payment report does not otherwise affect a claim of legal professional privilege that anyone may make in relation to that information in any proceedings:
(a) under any Commonwealth, State or Territory law (including the common law); or
(b) before a tribunal of the Commonwealth, a State or a Territory.
(2) Despite subsection (1), this section does not apply to the following:
(a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
(b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(3) This section does not limit or affect any right, privilege or immunity that the reporting business entity has, apart from this section, as a defendant in any proceedings.
32 Admissibility of information in ransomware payment report against reporting business entity
(1) This section applies to information that:
(a) has been provided in a ransomware payment report by a reporting business entity; and
(b) has been obtained by a Commonwealth body or State body under subsection 29(1) or section 30; and
(c) is held by the Commonwealth body or State body.
Note: This section does not apply to information held by the Commonwealth body or State body to the extent that it has been otherwise obtained.
(2) That information is not admissible in evidence against the reporting business entity in any of the following proceedings:
(a) criminal proceedings for an offence against a Commonwealth, State or Territory law, other than:
(i) proceedings for an offence against section 137.1 or 137.2 of the Criminal Code (which deal with false or misleading information or documents) that relates to this Act; or
(ii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
(b) civil proceedings for a contravention of a civil penalty provision of a Commonwealth, State or Territory law, other than a civil penalty provision of this Part;
(c) proceedings for a breach of any other Commonwealth, State or Territory law (including the common law);
(d) proceedings before a tribunal of the Commonwealth, a State or a Territory.
(3) However, this section does not apply to the following:
(a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
(b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(4) This section does not limit or affect any right, privilege or immunity that the reporting business entity has, apart from this section, as a defendant in any proceedings.
Part 4——Coordination of significant cyber security incidents
Division 1——Preliminary
33 Simplified outline of this Part
Information may be voluntarily provided to the National Cyber Security Coordinator in relation to significant cyber security incidents.
The National Cyber Security Coordinator’s role is to lead across the whole of Government the coordination and triaging of action in response to a significant cyber security incident.
Information voluntarily provided under this Part may only be recorded, used and disclosed for limited purposes.
34 Meaning of significant cyber security incident
A cyber security incident is a significant cyber security incident if:
(a) there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security; or
(b) the incident is, or could reasonably be expected to be, of serious concern to the Australian people.
Division 2——Voluntary information sharing with the National Cyber Security Coordinator
35 Impacted entity may voluntarily provide information to National Cyber Security Coordinator in relation to a significant cyber security incident
(1) This section applies if:
(a) an incident has occurred, is occurring or is imminent; and
(b) the incident is a cyber security incident; and
(c) the incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on an entity (the impacted entity); and
(d) the impacted entity is:
(i) carrying on a business in Australia; or
(ii) a responsible entity for a critical infrastructure asset to which the Security of Critical Infrastructure Act 2018 applies.
(2) The impacted entity, or another entity acting on behalf of the impacted entity, may provide information about the incident to the National Cyber Security Coordinator if:
(a) the incident is a significant cyber security incident; or
(b) the incident could reasonably be expected to be a significant cyber security incident.
Note 1: For information provided in relation to other kinds of cyber security incidents: see sections 36 and 39.
Note 2: This subsection constitutes an authorisation for the National Cyber Security Coordinator to collect the information (including sensitive information) for the purposes of the Privacy Act 1988.
(3) Information about the incident may be provided under subsection (2):
(a) at any time during the response to the incident; and
(b) on the impacted entity’s own initiative or in response to a request by the National Cyber Security Coordinator.
Note: There is no obligation on the impacted entity to provide information in response to a request.
Presumption
(4) For the purposes of paragraph (1)(b), an incident (other than an incident covered by paragraph 9(2)(a) or (b)) is presumed to be a cyber security incident if:
(a) the incident was probably effected, is probably being effected or could reasonably be expected to be effected, by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
(b) the incident has probably impeded or impaired, or is probably impeding or impairing or could reasonably be expected to impede or impair, the ability of a computer to connect to such a service; or
(c) the incident has probably seriously prejudiced, is probably seriously prejudicing, or could reasonably be expected to prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security.
Note: Paragraphs 9(2)(a) and (b) cover incidents involving critical infrastructure assets or the activities of corporations to which paragraph 51(xx) of the Constitution applies.
(5) However, subsection (4) does not make an entity liable to a civil penalty under this Part if the incident:
(a) was not in fact effected by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
(b) did not in fact impede or impair the ability of a computer to connect to such a service; or
(c) did not in fact seriously prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security.
36 Voluntary provision of information in relation to other incidents or cyber security incidents
(1) This section applies if:
(a) an incident has occurred, is occurring or is imminent; and
(b) an entity (the impacted entity) provides information to the National Cyber Security Coordinator in relation to the incident; and
(c) it is unclear at the time the information is provided whether the incident is a cyber security incident or a significant cyber security incident.
(2) The National Cyber Security Coordinator may collect and use the information for the purposes of determining whether the incident is a cyber security incident or a significant cyber security incident.
Note: This subsection constitutes an authorisation for the National Cyber Security Coordinator to collect the information (including sensitive information) for the purposes of the Privacy Act 1988.
37 Role of the National Cyber Security Coordinator
The role of the National Cyber Security Coordinator includes, but is not limited to, the following:
(a) to lead across the whole of Government the coordination and triaging of action in response to a significant cyber security incident;
(b) to inform and advise the Minister and the whole of Government in relation to the whole of Government response to a significant cyber security incident.
Division 3—Protection of information
38 Information provided in relation to a significant cyber security incident—use and disclosure by National Cyber Security Coordinator
Permitted use and disclosure
(1) The National Cyber Security Coordinator may make a record of, use or disclose information provided under subsection 35(2) by, or on behalf of, an entity (the impacted entity) in relation to a cyber security incident but only for the purposes of one or more of the following:
(a) assisting the impacted entity, and other entities acting on behalf of the impacted entity, to respond to, mitigate or resolve the cyber security incident;
(b) a permitted cyber security purpose for a cyber security incident.
Note 1: For permitted cyber security purpose for a cyber security incident: see section 10. This includes the functions of the National Cyber Security Coordinator under this Part.
Note 2: Certain information must not be disclosed to a State body under Parts of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section 11.
Restriction on use and disclosure for civil or regulatory action
(2) However, the National Cyber Security Coordinator must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the impacted entity of a Commonwealth, State or Territory law other than:
(a) a contravention by the impacted entity of this Part; or
(b) a contravention by the impacted entity of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 42 in relation to admissibility of the information in proceedings against the impacted entity.
Interaction with the Privacy Act 1988
(3) Subsection (1) does not authorise the National Cyber Security Coordinator to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(4) Subsection (1) does not prohibit the recording, use or disclosure of the following information:
(a) information that has been provided by, or on behalf of, the impacted entity to the Commonwealth about the cyber security incident to comply with:
(i) a requirement in Part 3 of this Act; or
(ii) a requirement in Part 2B of the Security of Critical Infrastructure Act 2018; or
(iii) a requirement under the Telecommunications Act 1997; or
(iv) a requirement under a law prescribed by the rules;
(b) information that has been provided voluntarily to the National Cyber Security Coordinator by, or on behalf of, the impacted entity, other than under this Part;
(c) information that has already been lawfully made available to the public.
39 Information provided in relation to other incidents—use and disclosure by National Cyber Security Coordinator
(1) This section applies if:
(a) an incident has occurred, is occurring or is imminent; and
(b) an entity (the impacted entity) provides information to the National Cyber Security Coordinator in relation to the incident; and
(c) the incident either:
(i) is not a cyber security incident; or
(ii) is a cyber security incident but is not a significant cyber security incident.
Permitted use and disclosure
(2) The National Cyber Security Coordinator may make a record of, use or disclose the information provided by the impacted entity but only for the purposes of one or more of the following:
(a) directing the impacted entity to other services that may assist the entity to respond to, mitigate, or resolve the incident;
(b) if the incident is a cyber security incident—coordinating the whole of Government response to the cyber security incident where the National Cyber Security Coordinator considers such a response is necessary;
(c) if the incident is a cyber security incident—informing and advising the Minister, and other Ministers of the Commonwealth, about the cyber security incident.
Restriction on use and disclosure for civil or regulatory action
(3) However, the National Cyber Security Coordinator must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the impacted entity of a Commonwealth, State or Territory law other than:
(a) a contravention by the impacted entity of this Part; or
(b) a contravention by the impacted entity of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 42 in relation to admissibility of the information in proceedings against the impacted entity.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the National Cyber Security Coordinator to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit the recording, use or disclosure of the following information:
(a) information that has been provided by, or on behalf of, the impacted entity to the Commonwealth about the cyber security incident to comply with:
(i) a requirement in Part 3 of this Act; or
(ii) a requirement in Part 2B of the Security of Critical Infrastructure Act 2018; or
(iii) a requirement under the Telecommunications Act 1997; or
(iv) a requirement under a law prescribed by the rules;
(b) information that has been provided voluntarily to the National Cyber Security Coordinator by, or on behalf of, the impacted entity, other than under this Part;
(c) information that has already been lawfully made available to the public.
40 Limitations on secondary use and disclosure
(1) This section applies to information that:
(a) has been provided by, or on behalf of, an entity (the impacted entity) under subsection 35(2) or as referred to in subsection 39(1); and
(b) has been obtained by another entity, a Commonwealth body (other than ASD) or a State body under subsection 38(1) or 39(2) or this section; and
(c) is held by the other entity, Commonwealth body or State body.
Note 1: This section does not apply to the information to the extent that it has been otherwise obtained by the other entity, Commonwealth body or State body.
Note 2: For ASD, see Division 1A of Part 6 of the Intelligence Services Act 2001.
Permitted use and disclosure
(2) The other entity, Commonwealth body or State body may make a record of, use or disclose the information but only for the purposes of one or more of the following:
(a) assisting the impacted entity, and other entities acting on behalf of the impacted entity, to respond to, mitigate or resolve the cyber security incident;
(b) a permitted cyber security purpose for a cyber security incident.
Note: For permitted cyber security purpose for a cyber security incident: see section 10.
Restriction on use and disclosure for civil or regulatory action
(3) However, the other entity, Commonwealth body or State body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the impacted entity of a Commonwealth, State or Territory law other than:
(a) a contravention by the impacted entity of this Part; or
(b) a contravention by the impacted entity of a law that imposes a penalty or sanction for a criminal offence.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the other entity, Commonwealth body or State body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit:
(a) recording, use or disclosure of information referred to in subsection 38(4) or 39(5); or
(b) if the other entity is an individual—recording, use or disclosure of personal information about the individual; or
(c) recording, use or disclosure of the impacted entity’s own information, with the consent of the impacted entity, by another entity, a Commonwealth body or a State body; or
(d) recording, use or disclosure for the purposes of carrying out a State’s constitutional functions, powers or duties.
(6) An entity is liable to a civil penalty if:
(a) the entity contravenes subsection (2); and
(b) the entity is not a Commonwealth officer; and
(c) any of the following applies:
(i) the information is sensitive information about an individual and the individual has not consented to the record, use or disclosure of the information;
(ii) the information is confidential or commercially sensitive;
(iii) the record, use or disclosure of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
Note 1: See the Criminal Code for offences for Commonwealth officers.
Note 2: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
Civil penalty: 60 penalty units.
41 Legal professional privilege
(1) The fact that an entity provided information to the National Cyber Security Coordinator under subsection 35(2), or as referred to in subsection 39(1), does not otherwise affect a claim of legal professional privilege that anyone may make in relation to that information in any proceedings:
(a) under any Commonwealth, State or Territory law (including the common law); or
(b) before a tribunal of the Commonwealth, a State or a Territory.
(2) Despite subsection (1), this section does not apply to the following:
(a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
(b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(3) This section does not limit or affect any right, privilege or immunity that the entity has, apart from this section, as a defendant in any proceedings.
42 Admissibility of information voluntarily given by impacted entity
(1) This section applies to information that:
(a) has been provided by, or on behalf of, an entity (the impacted entity) under subsection 35(2) or as referred to in subsection 39(1); and
(b) has been obtained by a Commonwealth body or State body under subsection 38(1), 39(2) or 40(2); and
(c) is held by the Commonwealth body or State body.
Note: This section does not apply to information held by the Commonwealth body or State body to the extent that it has been otherwise obtained.
(2) That information is not admissible in evidence against the impacted entity in any of the following proceedings:
(a) criminal proceedings for an offence against a Commonwealth, State or Territory law, other than:
(i) proceedings for an offence against section 137.1 or 137.2 of the Criminal Code (which deal with false or misleading information or documents) that relates to this Act; or
(ii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
(b) civil proceedings for a contravention of a civil penalty provision of a Commonwealth, State or Territory law, other than a civil penalty provision of this Part;
(c) proceedings for a breach of any other Commonwealth, State or Territory law (including the common law);
(d) proceedings before a tribunal of the Commonwealth, a State or a Territory.
(3) However, this section does not apply to the following:
(a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
(b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(4) This section does not limit or affect any right, privilege or immunity that the entity has, apart from this section, as a defendant in any proceedings.
43 National Cyber Security Coordinator not compellable as witness
(1) The Secretary may issue a certificate stating that:
(a) a specified person is, or has been:
(i) a person referred to in paragraph (a) of the definition of National Cyber Security Coordinator in section 8; or
(ii) a person referred to in paragraph (b) of the definition of National Cyber Security Coordinator in section 8; and
(b) the specified person is involved, or has been involved, in a specified matter in which the National Cyber Security Coordinator is performing or has performed functions or is exercising or has exercised powers under this Part.
(2) If, under subsection (1), the Secretary issues a certificate in relation to a person and a specified matter, the person:
(a) is not obliged to comply with a subpoena or similar direction of a federal court or a court of a State or Territory to attend and answer questions relating to the matter; and
(b) is not compellable to give an expert opinion in any civil or criminal proceedings in a federal court or a court of a State or Territory in relation to the matter; but only to the extent that the matter relates to information that has been provided by, or on behalf of, an entity under subsection 35(2) or as referred to in subsection 39(1).
(3) This section does not apply to a coronial inquiry.
Division 4—Miscellaneous
44 Interaction with other requirements to provide information in relation to a cyber security incident
Information provided by an entity under this Part does not affect any other requirement of the entity to provide that information under this Act or another law of the Commonwealth.
Note: For example, the entity may also be required to provide some or all of the information under Part 3 of this Act, Part 2B of the Security of Critical Infrastructure Act 2018 or under the Telecommunications Act 1997.
Part 5—Cyber Incident Review Board
Division 1—Preliminary
45 Simplified outline of this Part
The Cyber Incident Review Board is established by this Part.
The Board must cause reviews to be conducted in relation to certain cyber security incidents. The purpose of a review is to make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, cyber security incidents of a similar nature in the future.
A review panel will be established for each review in accordance with the terms of reference for the review.
The Board consists of the Chair and up to other standing members. The standing members are appointed by the Minister.
The Board may establish an Expert Panel. One or more members of the Expert Panel may be appointed to assist in relation to a review conducted under this Part.
This Part also deals with the appointment of the Chair, standing members and Expert Panel members, and the procedures of the Board.
Division 2—Reviews
46 Board must cause reviews to be conducted
(1) The Cyber Incident Review Board may cause a review to be conducted under this section in relation to a cyber security incident, or a series of related cyber security incidents, on written referral by:
(a) the Minister; or
(b) the National Cyber Security Coordinator; or
(c) an entity impacted by the incident or an incident in the series of incidents; or
(d) a member of the Board.
Note: Each review is conducted by a particular review panel established for that review in accordance with the terms of reference for the review.
(2) A review may only be conducted under this section:
(a) if the Board is satisfied that the incident or series of incidents meets the criteria mentioned in subsection (3); and
(b) after the incident or series of incidents, and the immediate response, has ended; and
(c) if the Minister has approved the terms of reference for the review.
(3) For the purposes of paragraph (2)(a), the criteria are:
(a) the incident or series of incidents have seriously prejudiced, or could reasonably be expected to seriously prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security; or
(b) the incident or series of incidents involved novel or complex methods or technologies, an understanding of which will significantly improve Australia’s preparedness, resilience, or response to cyber security incidents of a similar nature; or
(c) the incident or series of incidents are, or could reasonably be expected to be, of serious concern to the Australian people.
(4) Each review is to be conducted by a review panel that consists of:
(a) the Chair; and
(b) the standing members of the Board that are specified in the terms of reference for the review; and
(c) the members of the Expert Panel appointed to assist in the review under section 70.
The terms of reference for the review must specify one or more standing members for the review.
(5) The rules may make provision for or in relation to reviews under this Part, including for or in relation to the following:
(a) dealing with written referrals made to the Board;
(b) prioritisation of referrals for review and reviews conducted;
(c) terms of reference for reviews, including their variation;
(d) notification of reviews;
(e) the timing of when reviews may be conducted;
(f) when reviews may be discontinued;
(g) how information or submissions may be provided for reviews.
47 Board may discontinue a review
(1) The Board may discontinue a review at any time.
(2) The Board must, within 28 days of discontinuing a review, publish in any way the Board considers appropriate notice of the review being discontinued.
48 Chair may request information or documents
If the Board reasonably believes that:
(a) an entity; or
(b) a Commonwealth body or a State body; or
(c) an officer or employee of a Commonwealth body or a State body;
has information or documents relevant to a review being conducted under section 46 by a review panel, the Chair may request, by notice in writing, the entity, body, officer or employee to give the Board such information or documents as are specified in the request.
Note 1: There is no requirement to comply with the request.
Note 2: The Chair may require certain entities to give documents under section 49.
49 Chair may require certain entities to produce documents
(1) This section applies if:
(a) the Board reasonably believes that an entity involved in a cyber security incident that relates to a review being conducted under section 46 by a review panel has a document that is relevant to the review; and
(b) the Chair of the Board has requested that the entity provide the document under section 48; and
(c) the entity is not:
(i) a Commonwealth body or a State body; or
(ii) an officer or employee of a Commonwealth body or a State body.
(2) The Chair of the Board may, by notice in writing given to the entity, require the entity to:
(a) produce any such documents; or
(b) make copies of any such documents and to produce those copies;
to the Board within the period (which must not be less than 14 days), and in the manner, specified in the notice.
(3) The notice must set out the effect of the following provisions:
(a) section 50;
(b) Part 6 of this Act (Regulatory powers);
(c) sections 137.1 and 137.2 of the Criminal Code (false or misleading information or documents).
Compensation
(4) An entity is entitled to be paid by the Commonwealth reasonable compensation for complying with a requirement covered by paragraph (2)(b).
50 Civil penalty—failing to comply with a notice to produce documents
(1) An entity is liable to a civil penalty if:
(a) the entity is given a notice under subsection 49(2); and
(b) the entity fails to comply with the notice.
Civil penalty: 60 penalty units.
(2) Subsection (1) does not apply in relation to the production of a document or a copy of a document if the production would, or could reasonably be expected to, prejudice one or more of the following:
(a) the security, defence or international relations of the Commonwealth;
(b) the capabilities of an intelligence agency;
(c) the prevention, detection or investigation of, or the conduct of proceedings relating to, an offence or a contravention of a civil penalty provision;
(d) the administration of justice.
(3) Subsection 93(2) of the Regulatory Powers Act does not apply in relation to a contravention of subsection (1) of this section.
(4) Despite section 96 of the Regulatory Powers Act, in proceedings for a civil penalty order against an entity for a contravention of subsection (1), the entity does not bear an evidential burden in relation to the matters in subsection (2).
Note: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
51 Draft review reports
(1) The Board must prepare a draft report (a draft review report) on a review being conducted under section 46 by a review panel.
(2) The draft review report must set out:
(a) the preliminary findings of the review; and
(b) a summary of the information and material on which those preliminary findings are based; and
(c) any recommendations the Board proposes to make; and
(d) if the Board proposes to make recommendations—the reasons for those proposed recommendations; and
(e) if the terms of reference for the review require particular information to be included in the draft review report—that information; and
(f) information (if any) that is prescribed by the rules; and
(g) such other information that the Board thinks fit to include in the draft review report.
(3) The Board must give the draft review report to the Minister.
(4) The Board may give the draft review report, or an extract of the draft review report, to any other Commonwealth body or a State body or entity:
(a) if the Board considers it appropriate to give the body or entity an opportunity to make submissions on the draft review report or the extract; or
(b) for the purposes of determining whether information proposed to be included in the final review report is sensitive review information.
Note 1: The disclosure of sensitive review information may be prohibited under another Act (for example, the Privacy Act 1988). This section does not authorise disclosure if prohibited under that Act: see subsection (7) of this section.
Note 2: Sensitive review information must be redacted from a final review report that is to be published by the Board: see section 53.
(5) If the Board gives a draft review report to the Minister under subsection (3), or a Commonwealth body, State body or entity under subsection (4), the Board must specify a reasonable period within which submissions may be made to the Board on the draft review report.
(6) Submissions must be given in the manner and form (if any) prescribed by the rules.
(7) However, this section does not authorise the Board to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988 or any other Act.
52 Final review reports
(1) After a review is completed under section 46 by the review panel, the Board must prepare a report (a final review report) on the review.
Note 1: The Board must redact sensitive review information from a final review report: see section 53.
Note 2: If information is redacted from a final review report, the Board must also prepare a protected review report: see section 54.
(2) In preparing the final review report, the Board must consider any submissions received under section 51 in relation to the draft review report.
(3) Subject to section 53, the final review report must set out:
(a) the findings of the review; and
(b) a summary of the information and material on which those findings are based; and
(c) any recommendations made by the Board; and
(d) if recommendations are made—the reasons for those recommendations; and
(e) if the terms of reference for the review require particular information to be included in the review report—that information; and
(f) information (if any) that is prescribed by the rules; and
(g) such other information that the Board thinks fit to include in the report.
(4) The Board must not in the final review report:
(a) apportion blame in relation to a cyber security incident that was the subject of the review; or
(b) provide the means to determine the liability of any entity in relation to such a cyber security incident; or
(c) identify an individual (unless the individual has consented); or
(d) allow any adverse inference to be drawn from the fact that an entity is the subject of the review.
However, even though blame or liability may be inferred, or an adverse inference may be made, by a person other than the Board, this does not prevent the Board from including information in the final review report.
(5) This section does not otherwise limit what may be included in the final review report.
(6) The Board must publish the final review report (excluding any information required to be redacted under section 53). The report may be published in any way the Board considers appropriate.
53 Certain information must be redacted from final review reports
(1) Information must be redacted from a final review report if the Chair is satisfied that the information is sensitive review information.
Note: If information is redacted from a final review report, the Board must prepare a protected review report that includes the information, see section 54.
(2) Sensitive review information is information the disclosure of which:
(a) could prejudice the security, defence or international relations of Australia; or
(b) would prejudice relations between the Commonwealth government and the government of a State or Territory; or
(c) could reveal, or enable a person to ascertain, the existence or identity of a confidential source of information in relation to the enforcement of the criminal law; or
(d) could endanger a person’s life or physical safety; or
(e) would prejudice the fair trial of any person or the impartial adjudication of a matter; or
(f) would involve disclosing information whose disclosure is prohibited or restricted by or under this Act, another Act or an instrument made under an Act; or
(g) would involve unreasonably disclosing information that is confidential or commercially sensitive; or
(h) would involve the disclosure of personal information about an individual without their consent.
54 Protected review reports
(1) If information must be redacted from a final review report under section 53, the Board must prepare another report (a protected review report) that includes:
(a) the redacted information; and
(b) the reasons for redacting the information from the final review report.
(2) If a protected review report is prepared under this section, the Board must give the Minister, and the Prime Minister, a copy of:
(a) the final review report prepared under section 52; and
(b) a copy of the protected review report.
(3) The Minister may give a copy of the protected review report, or an extract of the protected review report, to any other Commonwealth body, a State body or an entity but only for the purposes of one or more of the following:
(a) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
(b) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
(c) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
(d) the performance of the functions of an intelligence agency.
Division 3—Protection of information relating to reviews
55 Limitations on use and disclosure by the Board
Permitted use and disclosure
(1) The Board may make a record of, use or disclose information provided by an entity, Commonwealth body or State body under section 48, 49 or 51 but only:
(a) for the purposes of one or more of the following:
(i) performing functions or exercising powers under this Part or Part 6 as it applies to this Part;
(ii) proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;
(iii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
(iv) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
(v) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
(vi) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
(vii) the performance of the functions of an intelligence agency; or
(b) as otherwise authorised by a provision of this Part.
Note: Certain information must not be disclosed to a State body under Parts of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section 11.
Restriction on use and disclosure for civil or regulatory action
(2) However, the Board must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the entity or body of a Commonwealth, State or Territory law other than:
(a) a contravention by the entity or body of this Part; or
(b) a contravention by the entity or body of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 58 in relation to admissibility of the information in proceedings.
Interaction with the Privacy Act 1988
(3) Subsection (1) does not authorise the Board to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(4) Subsection (1) does not prohibit the recording, use or disclosure of information that has already been lawfully made available to the public.
56 Limitations on secondary use and disclosure
(1) This section applies to information that:
(a) has been provided to the Board under section 48, 49 or 51; and
(b) has been obtained under section 54 or 55, or this section, by an entity, a Commonwealth body or a State body; and
(c) is held by the entity, Commonwealth body or State body.
Note: This section does not apply to the information to the extent that it has been otherwise obtained by the entity, Commonwealth body or State body.
Permitted use and disclosure
(2) The entity, Commonwealth body or State body may make a record of, use or disclose the information but only:
(a) for the purposes of one or more of the following:
(i) performing functions or exercising powers, or assisting in the performance of functions or the exercise of powers, under this Part or Part 6 as it applies to this Part;
(ii) proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;
(iii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
(iv) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
(v) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
(vi) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
(vii) the performance of the functions of an intelligence agency; or
(b) as otherwise authorised by a provision of this Part.
Restriction on use and disclosure for civil or regulatory action
(3) However, the entity, Commonwealth body or State body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention, by the entity or body that originally provided the information under section 48, 49 or 51, of a Commonwealth, State or Territory law other than:
(a) a contravention by the entity or body of this Part; or
(b) a contravention by the entity or body of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 58 in relation to admissibility of the information in proceedings.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the entity, Commonwealth body or State body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit:
(a) recording, use or disclosure of information that has already been lawfully made available to the public (for example, in the publication of the final review report); or
(b) if the entity is an individual—recording, use or disclosure of personal information about the individual; or
(c) if the entity or body is the entity or body that originally provided the information under section 48, 49 or 51—the entity’s or body’s own information; or
(d) recording, use or disclosure of that entity’s or body’s own information, with the consent of that entity or body, by another entity, a Commonwealth body or a State body; or
(e) recording, use or disclosure of information for the purposes of carrying out a State’s constitutional functions, powers or duties.
Civil penalty for contravention of this section
(6) An entity is liable to a civil penalty if:
(a) the entity contravenes subsection (2); and
(b) the entity is not a Commonwealth officer; and
(c) any of the following applies:
(i) the information is sensitive information about an individual and the individual has not consented to the record, use or disclosure of the information;
(ii) the information is confidential or commercially sensitive;
(iii) the record, use or disclosure of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
Note 1: See the Criminal Code for offences for Commonwealth officers.
Note 2: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
Civil penalty: 60 penalty units.
57 Legal professional privilege
(1) The fact that an entity provided information to the Board under section 48, 49 or 51 does not otherwise affect a claim of legal professional privilege that anyone may make in relation to that information in any proceedings:
(a) under any Commonwealth, State or Territory law (including the common law); or
(b) before a tribunal of the Commonwealth, a State or a Territory.
(2) Despite subsection (1), this section does not apply to the following:
(a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
(b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(3) This section does not limit or affect any right, privilege or immunity that the entity has, apart from this section, as a defendant in any proceedings.
58 Admissibility of information given by an entity that has been requested or required by the Board
(1) This section applies to information that:
(a) has been provided by an entity to the Board under section 48, 49 or 51; and
(b) has been obtained under section 54, 55 or 56 by a Commonwealth body or a State body; and
(c) is held by the Commonwealth body or State body.
Note: This section does not apply to information held by the Commonwealth body or State body to the extent that it has been otherwise obtained.
(2) The information is not admissible in evidence against the entity in any of the following proceedings:
(a) criminal proceedings for an offence under a Commonwealth law, other than:
(i) proceedings for an offence against section 137.1 or 137.2 of the Criminal Code (which deal with false or misleading information or documents) that relates to this Act; or
(ii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
(b) civil proceedings for a contravention of a civil penalty provision of a Commonwealth law, other than a civil penalty provision of this Part;
(c) proceedings for a breach of any other Commonwealth, State or Territory law (including the common law);
(d) proceedings before a tribunal of the Commonwealth, a State or a Territory.
(4) This section does not apply to the following:
(a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
(b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(5) This section does not limit or affect any right, privilege or immunity that the entity has, apart from this section, as a defendant in any proceedings.
59 Disclosure of draft review reports prohibited
(1) An entity is liable to a civil penalty if:
(a) the entity receives a draft review report under section 51; and
(b) the entity makes a record of, discloses or otherwise uses any information in the draft review report.
Civil penalty: 60 penalty units.
(2) Subsection (1) does not apply if the making of the record, disclosure or use is:
(a) for the purpose of preparing a submission to the Board in accordance with section 51; or
(b) if the entity is the entity that originally provided the information under section 48 or 49—of the entity’s own information; or
(c) with the consent of the Chair of the Board; or
(d) after the information has already been lawfully made available to the public (for example, in the publication of the final review report);
(e) for the purposes of carrying out a State’s constitutional functions, powers or duties.
(3) Despite section 96 of the Regulatory Powers Act, in proceedings for a civil penalty order against an entity for a contravention of subsection (1), the entity does not bear an evidential burden in relation to the matters in subsection (2).
Note: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
Division 4——Establishment, functions and powers of the Board
60 Cyber Incident Review Board
(1) The Cyber Incident Review Board is established by this section.
(2) For the purposes of paragraph (a) of the definition of Department of State in section 8 of the Public Governance, Performance and Accountability Act 2013, the Cyber Incident Review Board is prescribed in relation to the Department.
Note: Subject to subsection (2), this means that the chair and members of the Board are officials of the Department for the purposes of the Public Governance, Performance and Accountability Act 2013.
61 Constitution of the Board
The Board consists of the following members:
(a) a Chair;
(b) at least 2, and not more than 6, other standing members.
62 Functions of the Board
(1) The functions of the Board are:
(a) to cause reviews to be conducted by review panels in relation to cyber security incidents, or series of related cyber security incidents, to:
(i) identify factors that contributed to the incident or series of incidents; and
(ii) make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, incidents of a similar nature in the future; and
(iii) report publicly on the review; and
(b) any other functions conferred on the Board by this Act or the rules.
Note: See section 46 in relation to the circumstances in which a cyber security incident may be reviewed.
(2) It is not a function of the Board to:
(a) apportion blame in relation to a cyber security incident; or
(b) provide the means to determine the liability of any entity in relation to a cyber security incident; or
(c) allow any adverse inference to be drawn from the fact that an entity is the subject of a review.
However, even though blame or liability may be inferred, or an adverse inference may be made, by a person other than the Board, this does not prevent the Board from carrying out its functions.
(3) The Board has power to do all things necessary or convenient to be done for or in connection with the performance of the Board’s functions.
(4) The Board must not perform a function or exercise a power under this Part at a particular time if the performance of the function or the exercise of the power at that time would prejudice the investigation of, or the conduct of proceedings relating to, an offence or a contravention of a civil penalty provision under a law of the Commonwealth or of a State or Territory.
(5) The rules may prescribe the circumstances in which cyber security incidents are a series of related incidents for the purposes of this section.
Note: For example, the rules may prescribe that cyber security incidents are a series of related incidents if the incidents involve a common type of impacted system or a common attack method.
63 Independence
Subject to this Act and to other laws of the Commonwealth, the Cyber Incident Review Board:
(a) has complete discretion in the performance of the Board’s functions and the exercise of the Board’s powers; and
(b) is not subject to direction by any person in relation to the performance or exercise of those functions or powers.
Note: The Minister must approve the terms of reference for a review to be undertaken by the Board: see subsection 46(2).
Division 5——Terms and conditions of appointment of the Chair and members of the Board
64 Appointment of Chair
(1) The Chair of the Board is to be appointed by the Minister by written instrument.
Note: The Chair may be reappointed: see section 33AA of the Acts Interpretation Act 1901.
(2) The Chair may be appointed on a full-time or part-time basis.
(3) The Chair holds office for the period specified in the instrument of appointment. The period must not exceed 4 years.
(4) The rules may make provision for or in relation to the appointment of the Chair, including in relation to eligibility for appointment.
65 Remuneration of the Chair
(1) The Chair of the Board is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the Chair is to be paid the remuneration that is prescribed by the rules.
(2) The Chair is to be paid the allowances that are prescribed by the rules.
(3) This section has effect subject to the Remuneration Tribunal Act 1973.
66 Appointment of standing members of the Board
(1) A standing member of the Board is to be appointed by the Minister by written instrument.
Note: A member may be reappointed: see section 33AA of the Acts Interpretation Act 1901.
(2) A standing member of the Board may be appointed on a full-time or part-time basis.
(3) A standing member of the Board holds office for the period specified in the instrument of appointment. The period must not exceed 4 years.
(4) The rules may make provision for or in relation to the appointment of standing members of the Board, including in relation to eligibility for appointment.
67 Remuneration of standing members of the Board
(1) A standing member of the Board is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, a standing member of the Board is to be paid the remuneration that is prescribed by the rules.
(2) A standing member of the Board is to be paid the allowances that are prescribed by the rules.
(3) This section has effect subject to the Remuneration Tribunal Act 1973.
68 Acting Chair
The Minister may, by written instrument, appoint a standing member of the Board to act as the Chair:
(a) during a vacancy in the office of Chair (whether or not an appointment has previously been made to the office); or
(b) during any period, or during all periods, when the Chair:
(i) is absent from duty or from Australia; or
(ii) is, for any reason, unable to perform the duties of the office.
Note: For rules that apply to acting appointments, see section 33A of the Acts Interpretation Act 1901.
69 Terms and conditions etc. for standing members
(1) The rules may make provision for or in relation to the Board, including for or in relation to the following:
(a) membership of the Board (subject to section 61);
(b) terms of appointment of the Chair and standing members;
(c) acting appointments;
(d) resignation of the Chair and standing members;
(e) disclosure of interests by the Chair and standing members;
(f) termination of appointment of the Chair and standing members;
(g) leave of absence of the Chair and standing members.
(2) The Chair and a standing member of the Board holds office on the terms and conditions (if any) that are determined by the Minister in relation to matters not covered by this Act or the rules.
Division 6——Expert Panel, staff assisting and consultants
70 Expert Panel
(1) The Board may, in writing, establish an Expert Panel.
(2) The Expert Panel consists of such members as the Board from time to time appoints by written instrument.
Note: A member of the Expert Panel may be reappointed: see section 33AA of the Acts Interpretation Act 1901.
(3) One or more members of the Expert Panel are to be appointed by the Board, in writing and in accordance with the terms of reference for a review under section 46, to the review panel for the review to assist in the review.
(4) The office of member of the Expert Panel, and the office of member of the Expert Panel assisting in relation to a review, are not public offices within the meaning of the Remuneration Tribunal Act 1973.
(5) The rules may make provision for or in relation to the Expert Panel, including for or in relation to the following:
(a) membership of the Expert Panel;
(b) appointment of members to the Expert Panel;
(c) appointments of its members to a review panel for a review;
(d) terms of appointment of members;
(e) remuneration of members;
(f) resignation of members;
(g) disclosure of interests by members;
(h) termination of appointment of members;
(i) leave of absence of members.
71 Arrangements relating to staff of the Department
(1) The staff assisting the Cyber Incident Review Board are to be APS employees, or officers or employees of a Commonwealth body, whose services are made available to the Board in connection with the performance of any of the Board’s functions or the exercise of any of the Board’s powers.
(2) When performing services for the Board, the staff are subject to the directions of the Board.
72 Consultants
The Secretary of the Department may, on behalf of the Commonwealth, engage consultants to assist in the performance of any of the Cyber Incident Review Board’s functions or the exercise of any of the Board’s powers.
Division 7——Other matters relating to the Board
73 Board procedures
(1) Subject to this Act and the rules, the Board may:
(a) operate in the way it determines; and
(b) regulate proceedings at its meetings as it considers appropriate.
(2) The rules may make provision for or in relation to the operation and procedures of the Board.
74 Liability
Responding to notices to produce
(1) An entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with section 49 (Chair may obtain documents from certain entities).
(2) An officer, employee or agent of an entity is not liable to an action for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).
The Board etc.
(3) A person who is or has been:
(a) the Chair; or
(b) a standing member of the Board; or
(c) a member of the Expert Panel; or
(d) a member of the staff assisting the Board (as mentioned in section 71); or
(e) a consultant assisting the Board (as mentioned in section 72); or
(f) a witness appearing in a review;
is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in the performance or purported performance of a function or duty conferred by this Part, or the exercise or purported exercise of a power conferred by this Part.
Evidential burden
(4) An entity or person who wishes to rely on subsection (1), (2) or (3) in relation to an action or other proceeding bears an evidential burden (within the meaning of the Regulatory Powers Act) in relation to that matter.
75 Certification of involvement in review
(1) The Chair may issue a certificate stating that a specified person who is, or has been:
(a) a standing member of the Board; or
(b) a member of the Expert Panel; or
(c) a member of the staff assisting the Board (as mentioned in section 71); or
(d) a consultant assisting the Board (as mentioned in section 72); or
(e) a witness appearing in a review;
is involved, or has been involved, in a review under this Part into a specified matter.
(2) The Secretary may issue a certificate stating that a specified person who is, or has been, the Chair is involved, or has been involved, in a review under this Part into a specified matter.
(3) If, under subsection (1) or (2), a certificate is issued in relation to a person and a specified matter, the person:
(a) is not obliged to comply with a subpoena or similar direction of a federal court or a court of a State or Territory to attend and answer questions relating to the matter; and
(b) is not compellable to give an expert opinion in any civil or criminal proceedings in a federal court or a court of a State or Territory in relation to the matter.
(4) This section does not apply to a coronial inquiry.
76 Annual report
The annual report prepared by the Secretary and given to the Minister under section 46 of the Public Governance, Performance and Accountability Act 2013 for a reporting period must also include the following:
(a) the number of each of the following during the period:
(i) reviews commenced;
(ii) reviews completed;
(iii) reviews discontinued;
(b) a brief description of each of those reviews;
(c) the status of any reviews not yet completed at the end of the period;
(d) the reasons for discontinuing any reviews during the period;
(e) the number of times the Minister refused to approve the terms of reference for a review during the period;
(f) the number of members of the Expert Panel during the period;
(g) the number of Expert Panel members appointed to a review panel during the period;
(h) the number of times appointment of a member of the Board was terminated during the period.
77 Rules may prescribe reporting requirements etc.
The rules may prescribe requirements with which the Board must comply relating to:
(a) the communication of information to the public; and
(b) reporting to the Minister;
about the work of the Board.
Part 6——Regulatory powers
Division 1——Preliminary
78 Simplified outline of this Part
Each civil penalty provision of this Act, and of Division 1A of Part 6 of the Intelligence Services Act 2001, is subject to:
(a) monitoring under Part 2 of the Regulatory Powers Act; and
(b) investigation under Part 3 of the Regulatory Powers Act.
Sections 15 and 16 of this Act (regarding security standards) are also subject to monitoring under Part 2 of the Regulatory Powers Act.
Civil penalty orders may be sought under Part 4 of the Regulatory Powers Act from a relevant court in relation to contraventions of such civil penalty provisions.
Infringement notices may be given under Part 5 of the Regulatory Powers Act for alleged contraventions of such civil penalty provisions.
Undertakings to comply with such civil penalty provisions, and sections 15 and 16 (regarding security standards), may be accepted and enforced under Part 6 of the Regulatory Powers Act.
Injunctions under Part 7 of the Regulatory Powers Act may be used to restrain a person from contravening, or to compel compliance with, such civil penalty provisions.
Division 2——Civil penalty provisions, enforceable undertakings and injunctions
79 Civil penalty provisions, enforceable undertakings and injunctions
Enforceable provisions
(1) Each civil penalty provision of this Act, and each civil penalty provision of Division 1A of Part 6 of the Intelligence Services Act 2001, is enforceable:
(a) under Part 4 of the Regulatory Powers Act (civil penalty provisions); and
(b) Part 7 (injunctions) of the Regulatory Powers Act.
Note 1: Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.
Note 2: Part 7 of that Act creates a framework for using injunctions to enforce provisions.
(2) The following provisions are enforceable under Part 6 (enforceable undertakings) of the Regulatory Powers Act:
(a) each civil penalty provision of this Act, and each civil penalty provision of Division 1A of Part 6 of the Intelligence Services Act 2001;
(b) sections 15 and 16 of this Act.
Note: Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.
Authorised applicant
(3) For the purposes of Parts 4 and 7 of the Regulatory Powers Act, each of the following persons is an authorised applicant in relation to the civil penalty provisions mentioned in subsection (1):
(a) the Secretary;
(b) a person who is appointed under subsection (4).
(4) For the purposes of paragraph (3)(b), the Secretary may, by writing, appoint a person who:
(a) is the chief executive officer (however described) of a designated Commonwealth body; or
(b) is an SES employee, or an acting SES employee, in:
(i) the Department; or
(ii) a designated Commonwealth body; or
(c) holds, or is acting in, a position in a designated Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee;
to be an authorised applicant for the purposes of Part 4 of the Regulatory Powers Act.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
Authorised person
(5) For the purposes of Part 6 of the Regulatory Powers Act, as that Part applies in relation to a provision mentioned in subsection (2), each of the following persons is an authorised person:
(a) the Secretary;
(b) a person who is appointed under subsection (6).
(6) For the purposes of paragraph (5)(b), the Secretary may, by writing, appoint a person who is an SES employee, or an acting SES employee in:
(a) the Department; or
(b) a designated Commonwealth body.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
Relevant court
(7) For the purposes of Parts 4, 6 and 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsections (1) and (2):
(a) the Federal Court of Australia;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to the matter.
Liability of Crown
(8) Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions mentioned in subsection (1), does not make the Crown liable to a pecuniary penalty.
(9) The protection in subsection (8) does not apply to an authority of the Crown.
Division 3——Monitoring and investigation powers
80 Monitoring powers
Provisions subject to monitoring
(1) The following provisions are subject to monitoring under Part 2 of the Regulatory Powers Act:
(a) each civil penalty provision of this Act;
(b) each civil penalty provision of Division 1A of Part 6 of the Intelligence Services Act 2001;
(c) sections 15 and 16 of this Act.
Note: Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the provisions have been complied with. It includes powers of entry and inspection.
Information subject to monitoring
(2) Information given in compliance or purported compliance with a provision mentioned in subsection (1) is subject to monitoring under Part 2 of the Regulatory Powers Act.
Note: Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the information is correct. It includes powers of entry and inspection.
Authorised applicant
(3) For the purposes of Part 2 of the Regulatory Powers Act, a person who is appointed under subsection (4) is an authorised applicant in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
(4) The Secretary may, by writing, appoint a person who:
(a) is an SES employee, or an acting SES employee, in:
(i) the Department; or
(ii) a designated Commonwealth body; or
(b) holds, or is acting in, a position in a designated Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee;
to be an authorised applicant in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
Authorised person
(5) For the purposes of Part 2 of the Regulatory Powers Act, a person who is appointed under subsection (6) is an authorised person in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
(6) The Secretary may, by writing, appoint a person who is:
(a) an APS employee in:
(i) the Department; or
(ii) a designated Commonwealth body; or
(b) an officer or employee of a designated Commonwealth body;
to be an authorised person in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
Issuing officer
(7) For the purposes of Part 2 of the Regulatory Powers Act, a magistrate is an issuing officer in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
Relevant chief executive
(8) For the purposes of Part 2 of the Regulatory Powers Act, the Secretary is the relevant chief executive in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
Relevant court
(9) For the purposes of Part 2 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2):
(a) the Federal Court of Australia;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.
Premises
(10) An authorised person must not enter premises under Part 2 of the Regulatory Powers Act, as it applies in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2), if the premises are used solely or primarily as a residence.
81 Investigation powers
Provisions subject to investigation
(1) Each civil penalty provision of this Act, and each civil penalty provision of Division 1A of Part 6 of the Intelligence Services Act 2001, is subject to investigation under Part 3 of the Regulatory Powers Act.
Authorised applicant
(2) For the purposes of Part 3 of the Regulatory Powers Act, a person who is appointed under subsection (3) is an authorised applicant in relation to evidential material that relates to a provision mentioned in subsection (1).
(3) The Secretary may, by writing, appoint a person who:
(a) is an SES employee, or an acting SES employee, in:
(i) the Department; or
(ii) a designated Commonwealth body; or
(b) holds, or is acting in, a position in a designated Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee;
to be an authorised applicant in relation to evidential material that relates to a provision mentioned in subsection (1).
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
Authorised person
(4) For the purposes of Part 3 of the Regulatory Powers Act, a person who is appointed under subsection (5) is an authorised person in relation to evidential material that relates to a provision mentioned in subsection (1).
(5) The Secretary may, by writing, appoint a person who is:
(a) an APS employee in:
(i) the Department; or
(ii) a designated Commonwealth body; or
(b) an officer or employee of a designated Commonwealth body;
to be an authorised person in relation to evidential material that relates to a provision mentioned in subsection (1).
Issuing officer
(6) For the purposes of Part 3 of the Regulatory Powers Act, a magistrate is an issuing officer in relation to evidential material that relates to a provision mentioned in subsection (1).
Relevant chief executive
(7) For the purposes of Part 3 of the Regulatory Powers Act, the Secretary is the relevant chief executive in relation to evidential material that relates to a provision mentioned in subsection (1).
Relevant court
(8) For the purposes of Part 3 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to evidential material that relates to a provision mentioned in subsection (1):
(a) the Federal Court of Australia;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.
Division 4——Infringement notices
82 Infringement notices
Provisions subject to an infringement notice
(1) A civil penalty provision of this Act or of Division 1A of Part 6 of the Intelligence Services Act 2001 is subject to an infringement notice under Part 5 of the Regulatory Powers Act.
Note: Part 5 of the Regulatory Powers Act creates a framework for using infringement notices in relation to provisions.
Infringement officer
(2) For the purposes of Part 5 of the Regulatory Powers Act, a person authorised under subsection (3) is an infringement officer in relation to the civil penalty provisions mentioned in subsection (1).
(3) The Secretary may, by writing, authorise a person who:
(a) is an SES employee, or an acting SES employee, in:
(i) the Department; or
(ii) a designated Commonwealth body; or
(b) holds, or is acting in, a position in a designated Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee;
to be an infringement officer in relation to the civil penalty provisions mentioned in subsection (1).
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
Relevant chief executive
(4) For the purposes of Part 5 of the Regulatory Powers Act, the Secretary is the relevant chief executive in relation to the civil penalty provisions mentioned in subsection (1).
(5) The relevant chief executive may, in writing, delegate any or all of the relevant chief executive’s powers and functions under Part 5 of the Regulatory Powers Act to a person who is an SES employee or an acting SES employee in:
(a) the Department; or
(b) a designated Commonwealth body.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(6) A person exercising powers or performing functions under a delegation under subsection (5) must comply with any directions of the relevant chief executive.
Liability of Crown
(7) Part 5 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions mentioned in subsection (1), does not make the Crown liable to be given an infringement notice.
(8) The protection in subsection (7) does not apply to an authority of the Crown.
Division 5—Other matters
83 Contravening a civil penalty provision
(1) This section applies if a provision of this Act provides that an entity contravening another provision of this Act (the conduct provision) is liable to a civil penalty.
(2) For the purposes of this Act, and the Regulatory Powers Act to the extent that it relates to this Act, a reference to a contravention of a civil penalty provision includes a reference to a contravention of the conduct provision.
Part 7—Miscellaneous
84 Simplified outline of this Part
This Part deals with miscellaneous matters, such as delegations and rules.
85 How this Act applies in relation to non-legal persons
How permissions and rights are conferred and exercised
(1) If this Act purports to confer a permission or right on an entity that is not a legal person, the permission or right:
(a) is conferred on each person who is an accountable person for the entity at the time the permission or right may be exercised; and
(b) may be exercised by:
(i) any person who is an accountable person for the entity at the time the permission or right may be exercised; or
(ii) any person who is authorised by a person referred to in subparagraph (i) to exercise the permission or right.
How obligations and duties are imposed and discharged
(2) If this Act purports to impose an obligation or duty on an entity that is not a legal person, the obligation or duty:
(a) is imposed on each person who is an accountable person for the entity at the time the obligation or duty arises or is in operation; and
(b) may be discharged by:
(i) any person who is an accountable person for the entity at the time the obligation or duty arises or is in operation; or
(ii) any person who is authorised by a person referred to in subparagraph (i) to discharge the obligation or duty.
How non-legal persons contravene this Act
(3) A provision of this Act (including a civil penalty provision) that is purportedly contravened by an entity that is not a legal person is instead contravened by each accountable person for the entity who:
(a) did the relevant act or made the relevant omission; or
(b) aided, abetted, counselled or procured the relevant act or omission; or
(c) was in any way knowingly concerned in, or party to, the relevant act or omission.
Meaning of accountable person
(4) For the purposes of this section, a person is an accountable person for an entity at a particular time if:
(a) in the case of a partnership in which one or more of the partners is an individual—the individual is a partner in the partnership at that time; or
(b) in the case of a partnership in which one or more of the partners is a body corporate—the person is a director of the body corporate at that time; or
(c) in the case of a trust in which the trustee, or one or more of the trustees, is an individual—the individual is a trustee of the trust at that time; or
(d) in the case of a trust in which the trustee, or one or more of the trustees, is a body corporate—the person is a director of the body corporate at that time; or
(e) in the case of an unincorporated association—the person is a member of the governing body of the unincorporated association at that time.
86 Delegation by Secretary
(1) The Secretary may, in writing, delegate all or any of the Secretary’s functions or powers under section 17, 18, 19, 21 or 23 to an SES employee, or acting SES employee, in the Department.
Note 1: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.
Note 2: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(2) In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Secretary.
87 Rules
(1) The Minister may, by legislative instrument, make rules prescribing matters:
(a) required or permitted by this Act to be prescribed by the rules; or
(b) necessary or convenient to be prescribed for carrying out or giving effect to this Act.
(2) To avoid doubt, the rules may not do the following:
(a) create an offence or civil penalty;
(b) provide powers of:
(i) arrest or detention; or
(ii) entry, search or seizure;
(c) impose a tax;
(d) set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;
(e) directly amend the text of this Act.
(3) Before making or amending the rules, the Minister must:
(a) cause to be published on the Department’s website a notice:
(i) setting out the draft rules or amendments; and
(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice; and
(b) consider any submissions received within the period mentioned in subparagraph (a)(ii).
(4) The period specified in the notice must not be shorter than 28 days.