The federal government’s Cyber Security Act has passed both houses, with new laws set to come into force that legislate how cyber security incidents are handled.
Passing the Senate on 25 November, the legislation falls under the government’s 2023-2030 Australian Cyber Security Strategy. It addresses legislative gaps and is claimed to bring Australia in line with international best practice.
“This package forms a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever changing cyber landscape,” said Minister for Cyber Security Tony Burke.
“Close co-operation between government and industry is one of our best defences against malicious cyber activity. In the wake of a cyber security incident, businesses need to know that they can call on government to quickly get the support they need.
“The Cyber Security Act marks an important step in bringing Australia’s cyber laws into the 21st century.”
Under the passed legislation, the Cyber Security Minister can prescribe mandatory cyber security standards for smart devices.
The laws also require certain businesses to report ransom payments; enable a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD) to rapidly and openly share information during a cyber security incident; and establish a Cyber Incident Review Board to conduct no-fault, post-incident reviews of incidents and make recommendations.
Speaking in the Senate before the Act was passed, Senator and Shadow Minister for Cyber Security James Paterson said the Coalition supports the policy intent of the then-Bill.
“In the face of a complex and evolving threat environment, the government needs robust levers to protect Australians from cyber threats. We will always support sensible changes which ensure our legislation is fit for purpose to tackle the ever-evolving cyber threats facing Australia,” he said, according to Hansard.
Also contained within the legislative package are reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act), which clarify existing obligations about systems holding business-critical data and expand existing last resort powers to allow the government to manage the impacts of hazards on critical infrastructure.
Other SOCI Act reforms simplify information sharing across industry and government, enable the government to direct entities to address serious deficiencies within their risk management programs, and integrate regulation for the security of telecommunications.
The passing of the Cyber Security Act comes over a month after concerns had been raised about the SOCI Act reforms by the Australian Information Industry Association (AIIA), which claimed they would grant step-in and intervention powers.
“We therefore oppose its further expansion in this bill to now apply to all incidents impacting critical infrastructure assets and having cascading impacts to other critical infrastructure sector assets,” the AIIA said at the time.
During the Senate hearing of the Bill, Senator David Shoebridge claimed, according to Hansard, that the process has been “extraordinarily rushed” by the government and will potentially have a ripple effect across existing regulatory requirements.
“What did the government do? It gave the community and stakeholders two weeks to come to terms with the draft legislation and put submissions in.”
He continued, also claiming that “pretty much every stakeholder that my office has spoken with and those that put in submissions” said the timeframe was too short.