Last month, the Cyber Security Bill 2024 was presented for the first time to the Federal Parliament of Australia. It is the first, standalone piece of legislation that is specifically targeted at improving Australia’s cyber-incident response and regulatory framework. Although Australia already has a complex regulatory framework, there are inconsistencies and overlaps, and as such, this bill aims to clarify a few of these points, among other things.
REMINDER: This is not legal advice! If you require legal advice on how these changes could affect you, please seek out professional advice.
Wait, What’s a Bill?
Before we get too deep into what the key points in the Cyber Security Bill 2024 (hereinafter referred to as ‘the bill’)[1] actually are, it’s worth clarifying what a bill is. In short, a bill is a draft ‘act’, and an ‘act’ is enforceable law. For a bill to become an act, and thus actual law, it must pass through multiple stages. Crucially, it must pass through both Houses of Parliament: at the federal level, this means it has to be approved by the House of Representatives and then the Senate. During this approval process, politicians debate whether certain sections need to be amended. Once it passes through both Houses, it must be approved by the Governor-General, after which it enters into force (the timing of enforcement depends on the act itself).
So why is this important? Because it means the bill can be changed. Its current form could be almost completely different from the final Act, and it may not even gain enough support to pass through both Houses. Thus, all of this analysis is based upon the First Reading of the bill, which may not be the same as the final act.
If you want to learn more about how laws are made (at the federal level, although it is quite similar at the state level too), check out Parliament’s infosheet here. You can also look at the diagram below, though it is worth mentioning that not every bill is passed on its first passage: it may take multiple attempts to get through a House!

A flowchart showing the passage of a piece of legislation. Source: Parliamentary Education Office (https://peo.gov.au/understand-our-parliament/how-parliament-works/bills-and-laws/the-usual-path-of-a-bill)
So, What are the Key Takeaways?
Part 2: Establishing Minimum Security Standards for ‘Smart’ Devices
Part 2 of the bill is aimed at creating a framework under which manufacturers of ‘smart devices’, called ‘connectable products’ in the bill, must comply with relevant security standards, which can be added to and changed as technology evolves. Such standards are yet to be specified, but should the bill pass into law, they will probably be contained in an appendix. It is evident that this part has been motivated by the growth of the IoT (Internet of Things) space. Essentially, a manufacturer that wishes to sell a product in Australia must comply with these standards if that product can be categorised as a ‘connectable product’. A ‘connectable product’ is defined as one that is either ‘internet-connectable’ or ‘network-connectable’ and is not exempt for any reason.[2] The definitions are quite broad, and are probably intended to encompass all smart devices (so everything from watches to fridges).
There are, however, two important exceptions to this. Firstly, it does not apply to entities that are not constitutional corporations as per s 51(xx) of the Constitution. That is to say, the entity must be a foreign, trading or financial corporation. There is also a second exception that requires the entity in question to be ‘undertaking activities … in relation to’[3] or directly connected to international or interstate trade and commerce. It is quite clear why the first exception exists: the Commonwealth simply cannot make legislation on subjects for which it has no head of power, as the Commonwealth’s legislative power is enumerated (i.e. everything it can legislate on is written down in the Constitution). This goes to the core of Australian constitutional law, and thus the legislation’s scope must be appropriately limited to make sure that it is indeed a valid law. The second exception is probably more pragmatic, as it would be difficult to regulate products being sold for a non-commercial purpose.
Furthermore, on top of manufacturing products that comply with the security standards, both manufacturers and suppliers must provide ‘statements of compliance’, which effectively declare that the product complies with the relevant security standard(s).
But what if a manufacturer or supplier fails to comply with either of these requirements? Are there any consequences? The answer is ‘yes’, but it may not be as substantive as some may like. Essentially, it’s an escalating flowchart of actions. A simplified version is presented below:
- If the entity is in breach of the obligation(s), or there is reasonable evidence suggesting that the entity is in breach of the obligation(s), a compliance notice can be issued. Among other things, it must inform the entity that they are in breach and must take certain actions to rectify the breach.[4]
- If the entity fails to comply with the compliance notice or does not adequately address the breach, then a stop notice can be issued. Similar to the compliance notice, it must, among other things, specify actions that the entity must take to address the breach and provide a timeframe to do so.[5]
- If the entity fails to comply with the stop notice or does not adequately address the breach, then a recall notice can be issued, which, among other things, specifies actions that the entity must take to remove their product from Australia (like a standard recall process).[6]
- If the entity fails to comply with the recall notice, then a public notification of the entity’s failure to comply with the recall notice can be published. This can be through a government website or ‘any other way the Minister considers appropriate’.[7]
Part 3: Compulsory Ransomware Reporting
Part 3 of the bill is titled ‘Ransomware reporting obligations’, which is pretty much all this section is about. Essentially, if a ‘reporting business entity’ is targeted by an extorting entity (i.e. is targeted by a ransomware attack) and then provides some payment or benefit to the extorting entity, the business must lodge a report with either the Department of Home Affairs or the Australian Signals Directorate (ASD) within 72 hours of payment. Failing to do so can lead to the business facing a civil penalty and/or fines. Note that the legality of making a ransomware payment is not addressed in this section, so nothing has changed there.
There are two main questions that arise. Firstly, what is a reporting business entity? Per s 26(2), the entity must be carrying out business in Australia and meet a certain turnover threshold, which has yet to be determined. It also excludes government bodies and critical infrastructure managers. The second question is what must be reported? Section 27 clarifies this and provides a list of items that must be included, such as what payment has been made and details of the incident itself, and also adds that any additional, relevant information can be included.
Interestingly, section 29 also notes that the information disclosed in the report can only be used for certain purposes, such as assisting the affected entity,[8] performing government functions connected to cybersecurity incidents,[9] and various intelligence functions.[10] The information cannot be used against the entity to investigate them for a breach of civil or regulatory laws (at all levels); however, the information can be used in criminal investigations.[11] Such narrow restrictions also appear to apply to any information that is given voluntarily (i.e. not through mandatory reporting).
So why is this section so interesting? Because it is not the first piece of legislation to deal with mandatory reporting of cybersecurity incidents. Consider the Privacy Act 1988 (Cth), another piece of federal legislation. Section 26WL states that relevant entities (that is, Commonwealth bodies and Australian businesses that aren’t ‘small businesses’) must notify the Australian Information Commissioner if there has been an ‘eligible data breach’. Such a ‘breach’ is defined as the presence of ‘unauthorised access … or disclosure of the information’ where a reasonable person would consider that this access or disclosure is ‘likely to result in serious harm’ to any of the affected individuals.[12] The proposed bill would thus augment the existing body of legislation, of which the Privacy Act is just one part, to expand upon the scenarios in which a report must be made.
Part 4: Managing ‘Significant Cyber Security Incidents’
Continuing on the theme of reporting information, part 4 establishes that information can be voluntarily provided to the National Cyber Security Coordinator in relation to ‘significant cyber security incidents’. The purpose of this is to help the government have a unified response to manage such incidents. As before, any information that is received in this way can only be used for certain purposes (the narrow scope is somewhat similar to that of the restrictions in part 3).
While this sounds like it could be an important step towards transparency in reporting, it is worth noting that it is voluntary and applies only to significant incidents. Significant in this part means it must have some national effect (social or economic stability, defence and security are listed in s 34(a)) or must be of ‘serious concern to the Australian people’.[13] This limits the scope of the part quite substantially, though that does not make it any less important.
Part 5: The Cyber Incident Review Board
The final key takeaway from the bill is the establishment of a new executive body called the Cyber Incident Review Board (‘the Board’). One of its critical functions is to review cybersecurity incidents (individual or a series) at the behest of the Minister for Home Affairs, the National Cyber Security Coordinator, an impacted entity or a member of the Board. However, it cannot just be any incident that is investigated; it must have at least one of the following characteristics:
- The incident could harm the social/economic stability of Australia, the defence of Australia or national security.[14]
- The incident used a novel or complex attack methodology, and understanding the incident could significantly improve Australia’s future responses to cyber-incidents.[15]
- The incident could reasonably be expected to be of ‘serious concern’ to Australians.[16]
The report’s purpose is not to determine fault or blame for an incident (as this would deter entities from disclosing information which could aid the Board). Rather, the focus is on identifying the issues that led to the incident, then recommending actions that could be taken to mitigate future incidents. Moreover, there are still limitations on how any information that has been given can be used. In short, the information can only be used for the purposes of the report or to investigate criminal offences.[17] On top of this, any ‘sensitive’ information contained in the report must be redacted from the final report under s 53.
So, what can the Board do to achieve these aims? Generally, the Board’s powers are powers of inquiry (obtaining information), as briefly set out below:
- If the Board has a reasonable belief that a relevant entity/individual/government body has information relevant to the incident, the Chair can request that the information be given to the Board.[18]
- If the above requirements are met, the entity is not a government body or individual, and the entity fails to provide the information, then the Chair can compel the entity to comply with the request for information.[19]
- If an entity fails to comply with a mandatory request for information, then it may face civil penalties, unless compliance with the request would endanger another critical function (e.g. the defence of Australia or the administration of justice).[20]
As to the composition of the Board, it consists of a Chair and between two and six other members. To assist the Board in its duties, an Expert Panel can also be appointed under s 70. Per s 72, consultants can also be engaged.
Conclusion
In summary, although the bill is still in its early stages of development, it could mark the start of a legislative push to better regulate and manage cybersecurity incidents in Australia. The establishment of a legislative requirement to comply with security standards for smart devices is a significant milestone, as is the establishment of a Cyber Incident Review Board. The addition of mandatory and voluntary reporting augments Australia’s existing framework, and although it remains a complex system, having a dedicated bill for cybersecurity could help start a trend to clarify and unify as many of these obligations as possible.
It remains to be seen how much of the bill will pass into law, if the bill passes into law at all. However, it looks promising, and while some may argue it is ‘too little, too late’, it is arguably better to start somewhere than not to start at all.
EDIT 26/11/2024: It’s an Act now! It still needs Royal Assent but that’s generally a mere formality.
Banner image credit: Gerda
1. Cyber Security Bill 2024 (Cth) (‘Cyber Security Bill’). Accessible from https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r7250
2. ibid s 13(2).
3. ibid s 15(5)(b).
4. ibid s 17.
5. ibid s 18.
6. ibid s 19.
7. ibid s 20.
8. ibid s 29(1)(a).
9. ibid s 29(1)(e)–(g).
10. ibid s 29(1)(i).
11. ibid s 29(2).
12. Privacy Act 1988 (Cth) s 26WE(2)(a).
13. Cyber Security Bill (n 1) s 34(b).
14. ibid s 46(3)(a).
15. ibid s 46(3)(b).
16. ibid s 46(3)(c).
17. ibid s 55(2).
18. ibid s 48.
19. ibid s 49.
20. ibid s 50.