Australia's New Cyber Law Combats Emerging Threats

Australia's new Cyber Security Act strengthens defences, mandates ransomware reporting, and effectively enhances coordination to combat evolving cyber

The Australian government has passed a new Cyber Security Act, a significant step in its stated mission to protect Australians from threats originating in cyberspace. With this package adopted, Australia gains a cohesive legislative toolbox intended to let the country move forward with clarity and confidence in an ever-evolving cyber landscape. Specifically, the Act enacts seven initiatives first set out in the 2023-2030 Cyber Security Strategy that are designed to strengthen national cyber security.

Ransomware remains one of the most common forms of cyberattack, and it is particularly dangerous because of the scale of disruption a single incident can cause. By 2031, global ransomware damage is estimated to exceed $265 billion. Organisations of every size, from the smallest to the largest, are exposed.

In Indonesia, for example, a ransomware group encrypted critical systems at a national data centre in June 2024, taking more than 230 government agencies and services offline for about a week. In the past week, with the passage of Australia's first standalone Cyber Security Act, a series of measures have been introduced to improve the nation's defences.

A key provision of the legislation requires organisations to inform the government when they pay a ransom to cyber criminals, a practice that has become increasingly common around the world in recent years. The Cyber Security Act 2024 implements the 2023-2030 Australian Cyber Security Strategy, under which Australia aims to reposition itself as a leader in cyber resilience. Among the steps the Act takes is formally establishing in legislation the role of National Cyber Security Coordinator, responsible for leading a cohesive national response to cyber incidents.

Australia's Cyber Security Minister Tony Burke made a statement in a media release regarding the Act, saying that it was "the cornerstone of the mission to protect Australians from cyber threats" and that "it forms a cohesive legislative toolbox which will enable Australia in the face of a rapidly evolving cyber landscape to move forward with clarity and confidence." 

Experts have accordingly urged IT leaders to update their cyber security incident response plans to account for the legislative changes: in the event of a cyber attack or crisis, organisations will need to communicate with the government in new ways while still making sense of a confused situation. The change with the most direct impact on Australian organisations is the mandatory reporting requirement for ransomware payments, alongside a new voluntary reporting regime for cyber incidents, which is intended to become mandatory over time through further changes.

Organisations above a certain size will be obliged to report ransomware payments to the government. According to local law firm Corrs Chambers Westgarth, the size threshold has not yet been fixed, but the mandate is expected to apply to businesses with annual turnover above AUD 3 million once it takes effect. Reports must be made to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of the payment being made.

Corrs told The Australian Financial Review that organisations that fail to report a payment could face a civil penalty, currently AUD 93,900. The firm notes that despite the new mandate, government policy is unchanged: organisations should not pay ransoms. In the government's view, paying a ransom to a cyber-crime gang sustains its business model and keeps its operations viable, and there is no guarantee that the organisation will get its data back or that the data will be kept from others.

The Act also establishes a new framework for the voluntary reporting of cyber incidents, a welcome development. The measure aims to encourage freer information sharing when an organisation suffers a cyber attack that risks harm to other parties in the public and private sectors and the wider community, so that both the reporting organisation and the community benefit.

The scheme is overseen by the National Cyber Security Coordinator (NCSC), and any organisation doing business in Australia can report incidents to it with the protection of a "limited use" obligation that restricts what the NCSC may do with the information it receives. Under the Act, according to Corrs, information reported about a significant cyber security incident may be used by the NCSC for a defined set of purposes, such as preventing or mitigating threats to critical infrastructure and national security, and supporting intelligence and law enforcement agencies.

The new obligations mean organisations will need to adjust their plans to ensure compliance, and CISOs and security teams will be central to building these changes into future incident response plans and tabletop exercises. According to Corrs, the trigger for reporting a ransomware payment is the payment itself, not the receipt of a ransom demand from the attacker.

The changes will also affect how organisations make these decisions and how they communicate them to stakeholders. Organisations that are subject to Australian privacy law or that are classified as critical infrastructure entities under the SOCI Act may face overlapping reporting obligations with different timelines, and those listed on the Australian Securities Exchange (ASX) will also need to meet continuous disclosure obligations.