House debates

Wednesday, 9 October 2024

Bills

Cyber Security Bill 2024; Second Reading

12:48 pm

Mr Tony Burke (Watson, Australian Labor Party, Leader of the House)

I move:

That this bill be now read a second time.

In introducing this legislation, I acknowledge the work done in its development from the former Minister for Home Affairs, now the Minister for Housing, and also acknowledge the work of the very large number of members of the Department of Home Affairs in the cybersecurity section, who have worked for some years in the development of the legislation in the national interest that I present to the House today.

This bill, alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, forms the cybersecurity legislative reforms package. This package will collectively strengthen our national cyber defences and build cyber-resilience across the Australian economy.

This suite of legislative reforms will implement key initiatives under the 2023-2030 Australian Cyber Security Strategy. This is a significant step in achieving the Australian government's vision of becoming a world leader in cybersecurity by 2030.

To achieve this vision, Australia needs a clear legislative framework that addresses whole-of-economy cybersecurity issues and positions us to respond to new and emerging threats. We need a framework that enables individuals to trust the products they use every day. We need a framework that enhances our ability to counter ransomware and cyberextortion. We need a framework that enhances protections for victims of cyber incidents and encourages them to engage with government, and we need a framework that enables us to learn lessons from significant cybersecurity incidents so that we can be better prepared going forward.

The Cyber Security Bill provides this framework under one holistic piece of legislation.

The first measure under this bill will ensure that Australians can trust their digital products by enabling the government to establish mandatory security standards for smart devices. Australians love the convenience of smart devices at home, but consumers need to know that smart devices are still safe devices. These devices currently often lack basic cybersecurity protections. To date, smart devices have not been subject to mandatory cybersecurity standards or regulation in Australia. We've fallen behind our international counterparts in this regard. This measure not only will bring us into line with international best practice but also will provide Australians with peace of mind that the smart devices we've come to rely on also meet our expectations around security. Standards implemented under this power will be designed to enhance consumer security, such as prohibiting the use of universal default passwords on smart devices, not to create backdoors for government agencies.

The bill's second measure will help build our understanding of the ransomware threat that continues to cause large-scale harm to the Australian economy and national security. In 2023 it was estimated that Australian businesses who paid in response to ransomware attacks paid an average of $9.27 million. This issue needs to be tackled. Mandatory reporting of ransomware payments will crystallise our picture of how much is being extorted from businesses via ransomware attacks, whom these payments are being made to and how. With these timely and comprehensive insights, the government will be better able to develop the resources, tools and supports that are most useful to industry and help break the ransomware business model. Together, we can work to prevent future ransomware crises and equip businesses to bounce back following an incident.

The Cyber Security Bill's third measure seeks to support and assure Australian organisations as they respond to a cybersecurity incident.

Close cooperation between government and industry is one of our greatest defences against malicious cyber activity. In the wake of a cybersecurity incident, businesses need to know that they can call on government to quickly get the support they need. However, we understand that businesses can also be anxious to ensure that the information they provide isn't going to be inappropriately on-shared or, worse, used against them.

This bill affirms the role of the National Cyber Security Coordinator to coordinate whole-of-government cyber incident response efforts. It also seeks to increase trust and engagement between business and government during an incident by limiting the circumstances under which the coordinator can use and share information that has been voluntarily provided by an affected entity. This measure complements the limited-use measure that was put in place for the Australian Signals Directorate through the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill, which I'll introduce in a moment. With these measures, businesses will have greater comfort to report cyber incidents and gain the assistance they need in order to respond to and recover from cyber incidents.

The fourth measure in the Cyber Security Bill establishes the Cyber Incident Review Board. This board will be an independent advisory body able to conduct no-fault postincident reviews of significant cybersecurity incidents. The Optus and Medibank breaches of 2022 and the more recent MediSecure data breach demonstrate the urgent need for government and industry to collectively learn lessons from high-impact cybersecurity incidents and to prepare contingencies for future attacks. Building upon the success of the United States Cyber Safety Review Board, the Cyber Incident Review Board will review the circumstances that led to a significant cybersecurity incident, form findings and provide recommendations for both government and industry to enhance our nation's cyber resilience. The board will ensure that we're learning from these cyber incidents and improving Australian organisations' practices, policies and procedures.

These four measures form the Cyber Security Bill. Together with the other bills in this package, this bill will equip both government and industry with the awareness and resilience to better protect Australians from cybersecurity threats. It will provide a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever changing cybersecurity landscape.

The government will refer this bill and the others in the package to the Parliamentary Joint Committee on Intelligence and Security and will consider any recommendations that the committee makes.

In forming the measures within this bill and the broader package, significant stakeholder consultation has been undertaken. After releasing the cyber legislative reforms consultation paper on 19 December 2023, the Department of Home Affairs led over 30 public town hall meetings, deep-dive sessions and bilateral engagements. The department received over 130 written submissions in response to the consultation paper, detailing feedback on the measures proposed. This robust co-design process has ensured the measures detailed within the bills in this package strike the right balance to achieve our security outcomes without placing undue burden on business.

I extend my thanks to all the staff at the Department of Home Affairs for their incredibly hard work in developing this bill. I'm pleased that a number of them are able to be in the chamber to see it presented to the parliament. I commend the bill to the chamber.

Debate adjourned.