Australia’s first Cybersecurity Bill passes Parliament


Australia’s first standalone Cybersecurity Bill has passed into law, introducing a mandatory ransomware reporting regime and protections for businesses that cooperate with authorities in the aftermath of a cyber-attack.

The Cyber Security Bill, which also introduces mandatory security standards for Internet of Things devices, passed the Senate after a short debate on Monday with bipartisan support.

It forms part of a broader cybersecurity legislative package that expands controversial last resort powers under the Security of Critical Infrastructure (SOCI) Act to account for “cascading” incidents.


The Coalition sided with the government to support the conjoined bills, with Liberal Senator James Paterson arguing that many of the reforms are long overdue, while others are a “modest and logical extension of the SOCI reforms”.

But he criticised the “rushed process and the limited time for parliamentary scrutiny”, including during the Parliamentary Joint Committee on Intelligence and Security inquiry, which recommended only minor changes to the bill.

Greens Senator David Shoebridge shared the concerns, describing the bills as “incredibly complex reform which will potentially have ripples across an array of existing regulatory requirements”.

On the mandatory standards for IoT devices, Senator Shoebridge sought clarity on whether the government intended to follow the United Kingdom and adopt European Telecommunications Standards Institute (ETSI) standards.

Labor Senator Murray Watt confirmed the standards would align with the European Telecommunications Standards Institute, specifically the first three mandatory requirements in ETSI 303 645. The standard contains a total of 33 mandatory requirements.

The standards will require businesses not to use a default password for smart devices, have a vulnerability disclosure statement and “let consumers know how long they are willing to support the device”, Senator Watt said.

Mr Shoebridge also questioned the ‘Limited Use’ provision, which he said was out of step with the safe harbour provisions that are the norm in the United States but which the government has ruled out.

“These limited use provisions will not create that relationship of trust between industry and government. That will stop the flow of information and reports back to government, and that will not make us any safer,” he said.

The ‘Limited Use’ provision is designed to give companies greater confidence to share information with the Australian Signals Directorate (ASD) amid a growing trend of businesses lawyering up.

Amendments moved by the Greens on Monday to restrict data sharing between the national cybersecurity coordinator and ASD and to make the Cyber Incident Review Board independent of Home Affairs were both voted down.

In a statement following the passage of the bills, Cyber Security Minister Tony Burke said the Cyber Security Act “marks an important step in bringing Australia’s cyber laws into the 21st century”.

“This package forms a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber landscape,” he said on Monday.

“Close co-operation between government and industry is one of our best defences against malicious cyber activity. In the wake of a cyber security incident, businesses need to know that they can call on government to quickly get the support they need.”
