O’Neil flags new Cyber Security Act to bolster government powers

By Julian Bajkowski

February 28, 2023

Anthony Albanese and Clare O’Neil. (AAP Image/Dean Lewins)

The Albanese government has floated the creation of a new Cyber Security Act as part of a crackdown on lax corporate information security standards and data hoarding and to help remedy deficiencies in existing Security of Critical Infrastructure laws officially branded as “bloody useless”.

The bid to create new, bespoke, cyber legislation comes as home affairs minister Clare O’Neil announced the creation of a new National Office of Cyber Security and another cyber czar in her portfolio to cat-herd government responses to major incidents.

The otherwise fairly light-touch discussion paper, which floats various reform options, points to the already well-established case for harmonising the mishmash of cyber laws and regulations that traverse multiple security and regulatory agencies.

The idea for the new Cyber Security Act is contained in a discussion paper released by an advisory board chaired by former Telstra boss Andy Penn and assisted by former chief of Air Force Mel Hupfeld and Cyber Security Cooperative Research Centre head Rachel Falk.

A key question the government faces is whether any new legislation will face the same degree of stiff pushback from cyber-reliant industries, especially banking, telecommunications carriers and other utilities that are wary of laws big on obligation but short on efficacy.

The business sector has traditionally been highly averse to allowing the government onto its manor under the guise of cyber security, dating back to the creation of the Australian High Tech Crime Centre with the Australian Federal Police.

That model saw banks sending their staff to the cops to help fight hackers and fraud rather than cops being sent into banks.

A major friction point in the current SoCI laws is emergency powers to send in the Australian Signals Directorate to take control of hijacked infrastructure in the event a corporate cannot do so.

The paper offers an olive branch of sorts in this regard.

“During a cyber incident, would an explicit obligation of confidentiality upon the ASD’s Australian Cyber Security Centre (ACSC) improve engagement with organisations that experience a cyber incident so as to allow information to be shared between the organisation and ASD/ACSC without the concern that this will be shared with regulators?” the paper suggests.

It also asks whether “further reform to the Security of Critical Infrastructure Act [is] required”.

“Should this extend beyond the existing definitions of ‘critical assets’ so that customer data and ‘systems’ are included in this definition?” and “should the obligations of company directors specifically address cyber security risks and consequences?”

On the issue of paying ransoms, it appears that despite all the recent dogma about dog acts, everything is on the table, again.

“Should the Government prohibit the payment of ransoms and extortion demands by cyber criminals by:

(a) victims of cybercrime; and/or
(b) insurers?

“If so, under what circumstances?” the discussion paper asks.

“What impact would a strict prohibition of payment of ransoms and extortion demands by cyber criminals have on victims of cybercrime, companies and insurers?” the paper continues, before asking how explicit the government’s position on ransoms needs to be.

“Should Government clarify its position with respect to payment or non-payment of ransoms by companies, and the circumstances in which this may constitute a breach of Australian law?” the paper asks.

Responses to the paper are due by April 15.
