The Australian Government has enacted the Cyber Security Act 2024, a significant step in addressing the country’s emerging cyber challenges and strengthening the resilience of its critical infrastructure. The legislation is a core part of the 2023–2030 Australian Cyber Security Strategy. It is intended to close gaps in existing legislation, improve governance, and position Australia as a leader in cyber security by 2030.
“The Australian Government has introduced Australia’s first Cyber Security Act—a key step forward in uplifting Australia’s cyber security and the resilience of our critical infrastructure,” stated Lieutenant General Michelle McGuinness CSC, National Cyber Security Coordinator. “This is a large part of implementing the Cyber Security Strategy, addressing gaps in previous legislation to bring us in line with international best practice and ensure Australia is on track to become a global leader in cyber security by 2030.”
The Act puts four substantive measures into effect. It sets minimum security standards for smart devices, mandates reporting of ransomware payments, limits how the government may use incident information that organisations share voluntarily, and creates a Cyber Incident Review Board. Together these measures aim to protect Australian businesses, consumers, and the public sector from growing cyber threats.
Strengthening cyber defences
The Cyber Security Act 2024 introduces four key initiatives that strengthen Australia’s cyber defences:
- Minimum cybersecurity standards for smart devices
The legislation establishes a framework for mandatory security requirements for consumer devices that connect to the internet, such as smartwatches, baby monitors, and home automation systems. The specific requirements are set out in supporting rules rather than in the Act itself. Manufacturers must provide a statement of compliance with those requirements, and suppliers must not supply a covered device in Australia without one. A smart thermostat, for example, could not be sold in Australia unless it meets the mandated requirements and is accompanied by a statement of compliance. Because the obligations sit with manufacturers and suppliers rather than with consumers, the scheme is intended to raise the baseline security of devices on home networks, strengthen consumer confidence, and ensure that only devices meeting the minimum standard enter Australia’s interconnected environment.
- Mandatory ransomware reporting
Organisations covered by the rules must report ransomware and cyber extortion payments to the Government. The aim is to measure the true scale of ransomware activity, disrupt the business model of cybercriminals, and strengthen national threat intelligence. If a covered logistics company suffers a ransomware attack and pays the attackers, it is legally required to report that payment, including the amount. Officials will use these reports to track trends, identify threat actors, and tailor their responses, giving government a clearer picture of the ransomware environment and allowing better allocation of resources and support to affected organisations. Reporting a payment does not legitimise it: government advice remains that organisations should not pay ransoms.
- Limited use obligation for incident data
The legislation encourages early reporting by restricting how the government may use information that organisations voluntarily share with the National Cyber Security Coordinator during a cyber incident. The Coordinator cannot use or share that information for civil or regulatory enforcement purposes against the organisation that provided it, which is intended to promote closer cooperation between government and industry. Information a financial institution shares with the Coordinator about a data breach, for instance, cannot be turned against it in an unrelated regulatory enquiry. The obligation limits how the Coordinator may use and share the information; it does not give the reporting organisation immunity from its existing regulatory obligations, such as separate breach notification duties. The intent is to give organisations confidence that engaging with government during an incident will not be used against them, leading to faster reporting and more effective responses to significant events.
- Cyber incident review board
The Act creates an independent Cyber Incident Review Board to conduct no-fault reviews after significant cyber incidents. The Board will make practical, non-binding recommendations to reduce vulnerabilities and improve preparedness across sectors. After a significant ransomware attack on a public hospital, for example, the Board could review the incident, identify the security weaknesses that enabled it, and recommend targeted measures such as stronger endpoint security and better staff training. The approach is modelled on learning from previous incidents rather than assigning blame, so that organisations can apply the lessons and national resilience improves over time.
Together these measures establish a more proactive approach to cyber security, with the aim of protecting Australia’s digital landscape for the future.
Cyber rules consultation
The Department of Home Affairs is running a public consultation on the supporting rules needed to implement the Cyber Security Act 2024. The consultation period runs from 16 December 2024 to 13 February 2025 and invites submissions on the areas that are essential to the Act’s operation. The first is the Cyber Security (Security Standards for Smart Devices) Rules 2024, which set out the precise obligations for manufacturers and suppliers of connected devices.
The Department also seeks feedback on the Cyber Security (Ransomware Reporting) Rules 2024, which define which businesses must report ransomware and cyber extortion payments and how, and on the Cyber Security (Cyber Incident Review Board) Rules 2024, which set out the operating procedures and responsibilities of the newly formed Board. The consultation is intended to ensure that the rules are practical, effective, and aligned with the needs of both industry and the public sector.
Enhancing digital governance
The Cyber Security Act 2024 reflects the Australian Government’s commitment to improving digital governance and fostering a resilient, secure, and agile digital environment. Alongside the Act, the 2023–2030 Cyber Security Strategy introduces measures to strengthen the governance of emerging technologies, particularly generative AI, data analytics, and data governance frameworks, so that the opportunities and risks of the digital economy can be managed as the landscape evolves.
Australia commits to addressing future cybersecurity challenges through the initiatives outlined, emphasising the need to balance innovation with strong security measures. The Cyber Security Act strengthens Australia’s capacity to manage and protect essential infrastructure and digital resources, aligning with global standards. The Act enables a swift response to cyber threats by implementing improved data protection strategies, encouraging collaboration within the industry, and creating independent review entities like the Cyber Incident Review Board.
“And so through the efforts of government, and industry and indeed the community working together, we’re going to be really well positioned to try and prevent and respond to some of the threats that we will face over the coming years, and the Cyber Security Act is a really important component in this work,” remarked Hamish Hansford, Deputy Secretary of Cyber and Infrastructure Security Group.
The strategy relies on collaboration among a wide range of stakeholders, including businesses, government entities, and the public, to build a framework that meets the diverse needs of the community. This cooperative approach cultivates a sense of shared accountability and strengthens the nation’s resilience to cyber threats. Australia’s cyber security landscape will continue to present both opportunities and obstacles.
As technology evolves, cyber threats will transform, highlighting the need for a flexible and responsive approach. We must commit to innovation and research to create advanced security solutions that effectively address new vulnerabilities. Enhancing cybersecurity laws will be crucial to ensure that protective strategies evolve alongside technological progress.