The Cybersecurity Bill 2024 in Australia is a comprehensive legislative initiative aimed at strengthening the nation’s cyber resilience and securing critical infrastructure. This bill is a key part of the Australian Cyber Security Strategy 2023-2030 and introduces the country’s first standalone Cyber Security Act.
Below are the detailed highlights:
1. Mandatory Standards for Smart Devices
- Smart devices (e.g., IoT gadgets like smart doorbells and wearables) must comply with baseline cybersecurity standards. These include:
  - Secure Default Settings: Devices must have non-generic passwords and configurations.
  - Regular Updates: Manufacturers must ensure timely security patches.
  - Unique Device Passwords: Default passwords must be unique to each device.
- The government may issue compliance notices, stop notices, or recalls for non-compliance, following standards modelled on similar laws in the UK.
2. Mandatory Ransomware Payment Reporting
- Large private-sector entities (with turnovers above a certain threshold) must report ransomware payments to the Australian Signals Directorate (ASD) and the Department of Home Affairs within 72 hours of payment or becoming aware of it.
- The law aims to address the underreporting of ransomware incidents, helping the government gain insight into cybercriminal activity.
- Penalties: Failure to report could result in civil penalties.
3. National Cyber Security Coordinator (NCSC)
- The NCSC will oversee and coordinate responses to significant cyber incidents across the government and private sectors.
- Organizations can voluntarily share information about significant incidents with the NCSC, protected by a “limited use” obligation to prevent punitive actions. However, the framework does not shield entities from legal or regulatory scrutiny under separate laws.
4. Cyber Incident Review Board
- A new, independent Cyber Incident Review Board will review major cyber incidents and provide post-incident recommendations to improve national cyber preparedness.
- The board will focus on incidents that significantly impact national security, economic stability, or public safety.
5. Reforms to the Security of Critical Infrastructure Act (SOCI Act)
- Updates include:
  - Simplified information-sharing mechanisms between industries and government.
  - Clarified obligations for protecting systems holding critical business data.
  - Expanded powers for the government to address serious security deficiencies in critical infrastructure.
- The government can direct organizations to take corrective actions in the event of severe cybersecurity risks.
6. Whole-of-Economy Framework
- The bill sets a clear legal framework addressing “whole-of-economy” issues, positioning the nation to counter emerging cyber threats.
- It aligns Australian regulations with international best practices, supporting the goal of making Australia a global leader in cybersecurity by 2030.
This bill was introduced following extensive consultations with stakeholders and public feedback on cyber legislative reforms. It reflects a proactive response to escalating global and local cyber threats, including ransomware, IoT vulnerabilities, and attacks on critical infrastructure.
The Australian government emphasizes the shared responsibility between industries, government, and the community to strengthen cyber resilience and protect the digital economy.