Chapter 1 - Introduction

1.1 On 9 October 2024, the Minister for Home Affairs and Minister for Cyber Security, the Hon Tony Burke MP, wrote to refer the Cyber Security Legislative Package to the Committee for inquiry and report.

1.2 The Cyber Security Legislative Package encompasses the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024.

1.3 The Minister asked that the Committee complete its report by no later than 18 November 2024 in order to enable the timely passage of the reforms in the Spring 2024 sitting period.

Conduct of the inquiry

1.4 The Committee announced its inquiry on 10 October 2024 and invited submissions addressing the terms of reference by 25 October 2024.

1.5 The Committee received 64 submissions and 4 supplementary submissions. Appendix A sets out a list of submissions received.

1.6 The Committee held public hearings on 31 October and 1 November 2024. Appendix B sets out a list of witnesses who appeared at the public hearings.

1.7 Copies of the submissions, transcripts from the public hearings and links to each bill and its explanatory memorandum can be accessed from the Committee’s website.[1]

Report structure

1.8 This report comprises six chapters:

  • The remainder of Chapter 1 discusses the context within which the Cyber Security Legislative Package was introduced, including prior consultations and the purpose of the reforms
  • Chapter 2 outlines the provisions of the Cyber Security Bill 2024
  • Chapter 3 outlines the provisions of the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024
  • Chapter 4 outlines the provisions of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024
  • Chapter 5 summarises evidence received by the Committee in relation to the three bills
  • Chapter 6 sets out the Committee’s comments and recommendations to the Parliament.

Context of the inquiry

1.9 Protecting Australia from cyber security threats and ensuring the resilience of critical infrastructure is an increasingly important aspect of Australia’s national security. While modern technologies have provided countless opportunities for individuals, businesses and governments to pursue new opportunities and create efficiencies, they have also created new vulnerabilities. Malicious cyber actors—ranging from petty criminals to hostile nation-states—are constantly looking for ways to exploit those vulnerabilities. Ensuring that Australian organisations can better protect themselves against cyber threats has become an increasing priority for governments and the broader community, as highlighted by the reaction to recent high-profile cyber incidents which involved the disclosure of large amounts of personal information.

1.10 In November 2023, the then Minister for Home Affairs and Cyber Security, the Hon Clare O’Neil MP, released the 2023–2030 Australian Cyber Security Strategy. The strategy consists of six ‘cyber shields’—strong businesses and citizens; safe technology; world-class threat sharing and blocking; protected critical infrastructure; sovereign capabilities; and resilient region and global leadership—intended to make Australia a ‘world leader in cyber security’ by 2030.[2] The strategy flagged a range of legislative reforms to be ‘co-designed with industry’ to help strengthen those shields.[3]

1.11 In December 2023, the Minister released for public comment a consultation paper on the proposed legislative reforms.[4] The changes set out in the consultation paper were largely those now being implemented in the Cyber Security Legislative Package. The Department of Home Affairs received more than 130 written submissions in response to the consultation paper, informing the development of the bills.[5] On 4 September 2024, the Department of Home Affairs released a targeted exposure draft of the proposed legislative package. It received 61 written submissions in relation to the exposure draft and held two ‘closed door virtual town halls’ involving more than 200 participants.[6]

The Cyber Security Legislative Package

1.12 The three bills that constitute the Cyber Security Legislative Package were introduced into the House of Representatives on 9 October 2024.

1.13 The bills are intended to implement seven initiatives under the 2023–2030 Australian Cyber Security Strategy, aiming to address legislative gaps to ‘bring Australia in line with international best practice’ and help ensure Australia is ‘on track to become a global leader in cyber security’.[7] These include measures intended to:

  • mandate minimum cyber security standards for smart devices
  • introduce mandatory ransomware reporting for certain businesses to report ransom payments
  • introduce ‘limited use’ obligations for the National Cyber Security Coordinator and the Australian Signals Directorate
  • establish a Cyber Incident Review Board.[8]

1.14 The Cyber Security Legislative Package also introduces reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act), which are intended to:

  • clarify existing obligations in relation to systems holding business critical data
  • enhance government assistance measures to better manage the impacts of ‘all hazards’ incidents on critical infrastructure
  • simplify information sharing across industry and Government
  • introduce a power for the Government to direct entities to address serious deficiencies within their risk management programs
  • align regulation for the security of telecommunications into the SOCI Act.[9]

1.15 The key provisions of each bill in the package are described in more detail in Chapters 2, 3 and 4.

Footnotes

[1] www.aph.gov.au/pjcis.

[2] Australian Government, 2023–2030 Australian Cyber Security Strategy, November 2023, pp. 6–7.

[3] Australian Government, 2023–2030 Australian Cyber Security Strategy, November 2023, p. 9.

[4] Australian Government, 2023–2030 Australian Cyber Security Strategy: Legislative Reforms Consultation Paper, December 2023.

[5] Cyber Security Bill 2024, Explanatory Memorandum (EM), p. 9.

[6] Cyber Security Bill 2024, EM, p. 9.

[7] Department of Home Affairs, ‘Introduction of landmark Cyber Security Legislation Package’, Media Release, 9 October 2024.

[8] Department of Home Affairs, ‘Introduction of landmark Cyber Security Legislation Package’, Media Release, 9 October 2024.

[9] Department of Home Affairs, ‘Introduction of landmark Cyber Security Legislation Package’, Media Release, 9 October 2024.