Australia’s first standalone cyber security legislation has been passed into law, introducing mandatory ransom payment reporting alongside initiatives to boost collaboration with government during cyber security incidents.
The Cyber Security Act, passed on Monday under the government’s cyber security legislative package, addresses a number of proposals laid out in the 2023-2030 Cyber Security Strategy, including new requirements for businesses to disclose when they make a payment to ransomware criminals.
When a business covered by the act makes a ransom payment to extortionists, it will need to notify the Department of Home Affairs and the Australian Signals Directorate (ASD) within 72 hours.
The law threatens fines for ransom payments made in secret, as any business which falls short of its reporting obligations could face penalties of about $94,000.
The reporting requirements – which come after ransomware accounted for around 11 per cent of cyber incidents reported to the ASD in 2023-2024 – will commence at latest six months after the act receives royal assent.
They will only apply to organisations which are a ‘responsible entity’ for a critical infrastructure asset or are private sector organisations which carry on business in Australia with a yearly turnover exceeding a yet-to-be-determined threshold.
While successive data breaches at the likes of Optus, Medibank, and Latitude Financial had initially prompted the government to weigh up an outright ban on ransomware payments, industry and expert feedback repeatedly called for payment reporting requirements alongside increased collaboration with victims.
John Baird, chief executive of cyber security company Revio Cyber Security and member of the ACS Cyber Security Technical Advisory Board, told Information Age a “ransomware ban was always going to fail to work”.
“Take, for example, a business that is ill-prepared and doesn’t have workable backups of crucial data,” said Baird.
“If such an organisation does not pay the ransom payment, they are effectively out of business.
“I’d argue that the majority of Australian businesses fall into this category.”
Baird added that businesses providing life-critical services, such as hospitals or air transport, would likewise be more likely to pay ransoms for the sake of public safety.
“A government that said you must lose your business or that a group of people must suffer harm just because they are philosophically opposed to paying ransoms wouldn’t stay in government for long,” he said.
Baird said ransom payment reporting would enable government to see which industries were being attacked, how frequently, and for how much, offering some “very valuable data” which would have been otherwise invisible in the event of a ransom ban.
Closer collaboration with government
As described by Cyber Security Minister Tony Burke, the legislation will also give effect to a ‘limited use’ obligation for the National Cyber Security Coordinator (NCSC) and ASD to “facilitate rapid and open sharing of information during a cyber security incident”.
The limited use protection puts a ceiling on the purposes for which ransomware payment reports or information voluntarily provided to the NCSC can be used or disclosed, and further prevents protected information from being used as admissible evidence against the providing party in certain court proceedings.
These limited use protections, while not quite legal amnesty, aim to increase collaboration with government agencies when responding to a cyber incident while providing a clearer picture of the threats facing Australian organisations.
“Close co-operation between government and industry is one of our best defences against malicious cyber activity,” said Burke.
“In the wake of a cyber security incident, businesses need to know that they can call on government to quickly get the support they need.”
The new measures were reinforced by the establishment of a Cyber Incident Review Board, which is intended to conduct no-fault post-incident reviews of major cyber security incidents in Australia.
Burke said part of the board’s duties would be to make “concrete recommendations” to aid in the “prevention, detection, response, and minimisation of cyber incidents in the future”.
While Greens senator David Shoebridge argued the process behind getting the Cyber Security Act passed was “extraordinarily rushed” and the law itself lacked appropriate “safe-harbour provisions” for those who report ransom payments, Tasmanian Labor senator Helen Polley said the legislation marked a “significant step in achieving the Australian government's vision of becoming a world leader in cyber security by 2030”.
Tackling IoT risk
The legislation also has a provision for the cyber security minister to prescribe mandatory cyber security standards for Internet of Things (IoT) devices.
Independent law firm Corrs Chambers Westgarth reports these security standards will be detailed in legislative rules, and will see suppliers of IoT technology such as smart devices, fitness watches, and self-driving cars required to provide a statement of compliance when supplying to the Australian market.
The new IoT powers come as hackers increasingly turn to hardware exploits – many of which are enabled by subpar security measures on household devices.