The Albanese Labor Government is taking unprecedented action to secure Australia's cyber environment and protect our critical infrastructure by introducing a package of cyber security legislation.
The protection of our cyber security and critical infrastructure is vital to Australia's national security and economic stability. Recent cyber incidents have demonstrated that attacks can spread instantaneously - and we must harden our systems and legislation to keep ahead.
In this heightened geopolitical and cyber threat environment, strong laws and protections are necessary to protect every citizen and business across our digital economy.
The Cyber Security Legislative Package provides a clear legislative framework for contemporary, whole-of-economy issues, positioning the Australian Government to identify and respond to new and emerging cyber threats.
Subject to the passage of this legislation, Australia will have its first standalone Cyber Security Act.
The Cyber Security Legislative Package will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy. These measures will address gaps in current legislation to:
- Mandate minimum cyber security standards for smart devices
- Introduce mandatory ransomware reporting for certain businesses to report ransom payments
- Introduce a 'limited use' obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD)
- Establish a Cyber Incident Review Board.
The package will also progress and implement reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act). These reforms will:
- Clarify existing obligations in relation to systems holding business critical data
- Simplify information sharing across industry and Government
- Introduce a power for the Government to direct entities to address serious deficiencies within their risk management programs
- Move regulation for the security of telecommunications into the SOCI Act.
The SOCI Act reforms will also expand current Government assistance measures to ensure Government can step in as a last resort to manage the consequences of significant incidents.
The changes to government assistance measures will better enable the Government to gather information or direct entities to take or refrain from certain actions, on authorisation from the Minister for Home Affairs, in response to a serious incident.
The measures in this package have been developed following extensive consultation with public and private stakeholders, through public consultation on the Cyber Security Legislative Reforms Consultation Paper from December 2023 to March 2024 and targeted consultation on an Exposure Draft package in September 2024.
This Cyber Security Legislative Package brings Australia in line with international best practice, a significant step towards achieving our vision of becoming a world leader in cyber security by 2030.
Quotes attributable to Minister for Cyber Security, Tony Burke:
"The creation of a Cyber Security Act is a long-overdue step for our country, and reflects the government's deep concern and focus on these threats.
"Australians love the convenience of smart devices at home, but consumers need to know that smart devices are still safe devices.
"We know government has to lead the way on cyber, but we also know we can't do it alone, which is why these new laws have been consulted extensively with business.
"This legislation ensures we keep pace with emerging threats, positioning individuals and businesses better to respond to, and bounce back from cyber security threats."
"To achieve Australia's vision of being a world leader in cyber security by 2030, we need the unified effort of government, industry and the community."
