Chapter 2 - The Cyber Security Bill 2024

Background and purpose of the Cyber Security Bill

2.1 The Cyber Security Bill 2024 (Cyber Security Bill) establishes a legislative framework for ‘contemporary, whole-of-economy cyber security issues’ and aims to position the Australian Government to ‘identify and respond to new and emerging cyber security threats’.[1]

2.2 The Explanatory Memorandum states that the Cyber Security Bill seeks to:

provide additional protections to Australian people and businesses, build mitigations for extant cyber risks, and improve the Government’s visibility of the threat environment to inform protections, incident response procedures, and future policy through various measures.[2]

2.3 The measures in the Cyber Security Bill include:

  • establishing the power to mandate security standards for smart devices that are either internet- or network-connectable (commonly referred to as Internet of Things (IoT) devices)
  • introducing a mandatory reporting obligation for entities affected by a cyber incident who receive a ransomware demand and elect to make a payment or give benefits in connection with that cyber security incident
  • establishing a ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator (NCSC) during a cyber security incident can be used and shared with other government agencies, including regulators
  • establishing a Cyber Incident Review Board to conduct post-incident reviews into significant cyber security incidents.[3]

2.4 The Cyber Security Bill consists of seven parts.

Part 1: Preliminary

2.5 Part 1 of the Cyber Security Bill, consisting of proposed sections 1 to 11, sets out preliminary matters including extraterritoriality, definitions and the meaning of the terms ‘cyber security incident’ and ‘permitted cyber security purpose’. Part 1 would commence the day after the Act receives Royal Assent.

Extraterritoriality

2.6 Proposed section 5 provides that, once passed, the Act applies both within and outside Australia. This covers all external territories of Australia, including Australia’s exclusive economic zone, and the continental shelf. It also extends jurisdiction outside of Australia.[4]

2.7 This section enables the Act to apply to entities and events that occur outside of Australia, including cyber security incidents; and allows particular entities to be subject to the Act, provided that they have a sufficient nexus to Australia under international law. This includes a reporting business entity that is subject to mandatory reporting obligations in Part 3 of the Act and manufacturers and suppliers of relevant connectable products that may be located outside Australia.[5]

2.8 The Explanatory Memorandum sets out that:

Extraterritorial application of the Act is required because cyber security incidents do not respect the boundaries of nation states. Many incidents will occur in one jurisdiction and may cross into multiple other jurisdictions. An entity located in Australia may procure services from an entity located in another jurisdiction that is subject to a cyber security incident. An entity may be operating in both Australia and other jurisdictions and be impacted by a cyber security incident. For this Act to engage with the multi-jurisdictional context of cyber security incidents, the extraterritorial application of various provisions is essential.

Each Part of this Act, where it is necessary, explicitly includes what nexus to Australia is relevant. This is because the nexus to Australia in the context of acquiring relevant connectable products to which security standards apply in Part 2 of this Act is a different context than the nexus relevant to the reporting of a ransomware payment in Part 3 of this Act.[6]

Cyber security incident

2.9 The Cyber Security Bill’s proposed definition of ‘cyber security incident’ is used across Parts 3, 4 and 5 of the Act to enliven particular operative provisions, including:

  • the ransomware payment reporting obligation for reporting business entities following a cyber security incident in Part 3
  • the NCSC’s role and responsibilities in relation to voluntary information collected relating to significant cyber security incidents in Part 4
  • the Cyber Incident Review Board’s role in undertaking reviews and providing recommendations to Government in relation to certain cyber security incidents in Part 5.[7]

2.10 Proposed subsection 9(1) provides that a cyber security incident is one or more acts, events or circumstances of a kind covered by the meaning of cyber security incident in the Security of Critical Infrastructure Act 2018 (SOCI Act). Cyber security incident is defined in section 12M of the SOCI Act as one or more acts, events or circumstances involving:

  • unauthorised access to computer data or a computer program (subsection 12M(a))
  • unauthorised modification of computer data or a computer program (subsection 12M(b))
  • unauthorised impairment of electronic communication to or from a computer (subsection 12M(c))
  • unauthorised impairment of the availability, reliability, security or operation of a computer, computer data or a computer program (subsection 12M(d)).[8]

2.11 Proposed paragraph 9(1)(b) provides that the part of the definition of cyber security incident as provided by subsection 12M(c) of the SOCI Act—‘unauthorised impairment of electronic communication to or from a computer’—would not exclude ‘the mere interception of any such communication’ from being a cyber security incident under the Cyber Security Act.[9]

2.12 Proposed subsection 9(2) limits the definition of cyber security incident for the purposes of the Cyber Security Act, to account for constitutional limits on the legislative power of the Commonwealth, such that, for example, a cyber security incident must involve a critical infrastructure asset, corporation, use of a telegraphic service, or threat to Australia’s national stability or security.

Permitted cyber security purpose for a cyber security incident

2.13 The proposed definition of ‘permitted cyber security purpose’ is used in Part 4, in relation to the use and disclosure of information provided to the NCSC.

2.14 Proposed section 10 provides that each of the following is a ‘permitted cyber security purpose’ for a cyber security incident:

  • the performance of the functions of a Commonwealth body (to the extent that it is not a Commonwealth enforcement body) relating to responding to, mitigating or resolving the cyber security incident
  • the performance of the functions of a State body relating to responding to, mitigating or resolving the cyber security incident[10]
  • the performance of the functions of the NCSC under Part 4 relating to the cyber security incident
  • informing and advising the Minister and other Ministers of the Commonwealth about the cyber security incident
  • preventing or mitigating material risks that the cyber security incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice, the social or economic stability of Australia or its people, the defence of Australia or national security
  • preventing or mitigating material risks to a critical infrastructure asset[11]
  • the performance of the functions of an intelligence agency[12]
  • the performance of the functions of a Commonwealth enforcement body.[13]

Part 2: Security standards for smart devices

2.15 Part 2 of the Cyber Security Bill establishes a framework to allow rules to prescribe mandatory security standards for products that can directly or indirectly connect to the internet (‘relevant connectable devices’) that will be acquired in Australia in specified circumstances.

2.16 Part 2 would commence on a single day fixed by Proclamation, or at the end of 12 months after the Act receives Royal Assent. Part 2 consists of four divisions.

2.17 Division 1 deals with preliminary matters. Proposed section 12 provides a simplified outline of Part 2, while proposed section 13 is an application provision setting out which products may be subject to the mandatory security standards established in the rules under Part 2.[14]

  • Proposed subsection 13(1) provides that Part 2 only applies to ‘relevant connectable products’ manufactured or supplied on or after the commencement of the Part, defined in proposed subsection 13(2) to include ‘internet-connectable products’ or ‘network-connectable products’ that are not exempted under the rules.
  • Proposed subsection 13(3) provides that the rules may specify that a class of products is exempt, or particular products are exempt. The effect of this is that exempt products are not considered relevant connectable products and thus are not captured under Part 2.
  • Proposed subsection 13(4) defines ‘internet-connectable product’ as a product that is capable of connecting to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data over the internet.
  • The definition of internet-connectable product captures a broad range of devices that are capable of directly connecting to the internet, through a wired connection (for example via an Ethernet port) such as an internet router, or wirelessly (for example via Wi-Fi or cellular connection) such as a smart television.
  • Proposed subsection 13(5) defines ‘network-connectable product’ as a product that is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy, and which is not an internet-connectable product.
  • Broadly, network-connectable products are products that are unable to directly connect to the internet but are able to connect to the internet through an internet-connectable product (for example through a Bluetooth connection). Subsections 13(6) to 13(9) provide further technical clarity on the types of products that do, or do not, fall within the definition.
  • Proposed subsection 13(10) clarifies, for the purpose of subsections 13(4) to (9), a product is not prevented from being regarded as connecting directly to another product merely because the connection involves the use of a wire or cable.[15]

2.18 Division 2 consists of proposed sections 14 to 16, comprising the main operative clauses requiring entities to comply with security standards.

  • Proposed section 14 provides a general rule-making power for security standards to be prescribed in rules relating to specified classes of relevant connectable products.[16] Under proposed section 87, the rules will take the form of a legislative instrument made by the Minister.
  • Proposed section 15 provides broad obligations on entities who intend to supply or manufacture a relevant connectable product to comply with a security standard made under section 14.[17]
  • The compliance obligation applies in circumstances where the entity ‘is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia’.[18]
  • Proposed section 16 places obligations on entities to provide and retain a statement of compliance with the security standard relating to the supply of relevant connectable products.[19]
  • Detailed requirements for statements of compliance are proposed to be set out in the rules.[20]

2.19 Division 3 consists of proposed sections 17 to 20 which set up an enforcement framework including compliance notices, stop notices, recall notices and public notification of failure to comply with a recall notice.

  • Proposed section 17 provides for the first type of notice that may be given to an entity if an obligation under section 15 or section 16 is not complied with. Section 17 empowers the Secretary to give a compliance notice to an entity if the Secretary is reasonably satisfied that an entity has not complied with their obligations, or the Secretary is aware of information that suggests an entity may not be complying with their obligations.[21]
  • Proposed subsections 17(1) to 17(4) set out the conditions that must exist for a compliance notice to be given, the details the notice must include, procedural fairness relating to steps that the Secretary must follow before giving an entity a compliance notice, and that only one compliance notice may be issued to an entity in relation to a particular instance of non-compliance or possible non-compliance.[22]
  • Proposed section 18 provides for the second type of notice that may be issued if an entity has not complied with an obligation under section 15 or section 16. Section 18 empowers the Secretary to issue a stop notice to an entity if the Secretary is reasonably satisfied that an entity has not complied with the compliance notice issued under section 17.[23]
  • Proposed subsection 18(1) provides that to give a stop notice under section 18, the Secretary must be reasonably satisfied an entity, who has been issued a compliance notice, has not complied with the compliance notice, or that the actions the entity has taken are inadequate to rectify the non-compliance.[24] The Explanatory Memorandum states that:

Being ‘reasonably satisfied’ of something is a common threshold for the state of mind required before a decision maker takes a particular administrative action. This threshold imposes a requirement that there be reasonable grounds for being ‘satisfied’ that it is necessary or desirable to issue a stop notice. Being ‘reasonably satisfied’ is a state of mind that requires that the Secretary must be satisfied that the entity has not complied with the compliance notice, or that the actions taken by the entity to rectify noncompliance with the obligation are inadequate to rectify the noncompliance, and that this satisfaction is objectively reasonable. Therefore, the grounds upon which the satisfaction is based must be capable of inducing a similar belief in a reasonable person in the position of the Secretary.[25]

  • Proposed subsection 18(2) specifies the matters that the stop notice must detail and proposed subsection 18(3) contains natural justice elements that the Secretary must follow before giving an entity a stop notice. The Secretary must notify the entity of the intention to give the notice and provide the entity a specified period to make representations about the intention to give the notice. The specified period must not be shorter than 10 days. Best practice for the specified period for entities to make representations about the giving of a notice is 10 business days, but this can be varied depending on the details of the notice.[26]
  • Proposed subsection 18(4) provides that only one stop notice may be issued to an entity in relation to a particular instance of an entity’s non-compliance.[27]
  • Proposed section 19 provides for the third type of notice that may be issued if an entity has not complied with an obligation. Section 19 empowers the Secretary to issue a recall notice to an entity if the Secretary is reasonably satisfied that an entity has not complied with the stop notice issued under section 18. In much the same terms as set out in proposed subsections 18(1) to 18(4), proposed subsections 19(1) to 19(4) set out what the Secretary must be reasonably satisfied of to give a recall notice, the matters that the recall notice must detail, natural justice elements that must be followed in relation to a recall notice and that only one recall notice may be issued.[28]
  • Proposed section 20 provides a discretionary power for the Minister to publish the details of an entity that has failed to comply with a recall notice. This section provides that the Minister may publish such details on the Department’s website or in another way the Minister considers appropriate. The information that may be published includes the identity of the non-compliant entity, details of the product and non-compliance, and risks posed by the product relating to the non-compliance.[29]

2.20 Division 4, consisting of proposed sections 21 to 24, sets out miscellaneous powers including:

  • revocation and variation of notices (proposed section 21)
  • internal (departmental) review of decisions to give notices (proposed section 22)
  • provision for the Department to arrange independent examination to assess compliance with a security standard and statement of compliance, including a requirement for an entity to provide a product for examination on request, with reasonable compensation for doing so (proposed section 23).

Part 3: Ransomware mandatory reporting obligations

2.21 Part 3 of the Cyber Security Bill deals with ransomware reporting obligations and consists of three divisions. Part 3 would commence on a single day fixed by Proclamation, or at the end of six months after the Act receives Royal Assent.

2.22 Division 1 provides a simplified outline of Part 3.

2.23 Division 2, consisting of proposed sections 26 to 28, imposes a reporting obligation on certain entities (‘reporting entities’) who are impacted by a cyber security incident, and who have directly or indirectly provided a payment or benefit (referred to as a ‘ransomware payment’) to an entity that is seeking to benefit from the incident or its impact (‘extorting entities’).[30]

2.24 Proposed subsection 26(1) sets out five criteria that, if all met, enliven the ransomware reporting obligations. The obligations are enlivened if:

  • an incident has occurred, is occurring or is imminent
  • the incident is a cyber security incident as defined in section 9
  • the cyber security incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on a reporting business entity, which is defined in subsection 26(2)
  • the extorting entity makes a demand of the reporting business entity, or any other entity, in order to benefit from the incident or the impact on the reporting business entity
  • the reporting business entity provides or is aware that another entity has provided on their behalf, a payment or benefit (a ransomware payment) to the extorting entity that is directly related to the demand.[31]

2.25 The Explanatory Memorandum advises that the requirements in subsection 26(1) are satisfied regardless of whether the extorting entity is responsible for the cyber security incident. Additionally, the reporting business entity ‘will still have an obligation to report under Part 3 even if they are not themselves subject to the demand but are aware another entity has received a demand as a result of the initial cyber security incident’.[32] The Explanatory Memorandum explains:

This section reflects the reality that the identity of the entity responsible for a cyber security incident is not always known, and in some cases may never be discovered. Similarly, the identity of the extorting entity is not always verifiable. They can be the same entity, a group of entities working together, or potentially entirely unrelated to one another where one entity opportunistically exploits an incident caused by another. In any case, the reporting obligation is intended to be agnostic to the arrangements and seeks to capture circumstances where one entity causes a cyber security incident, and another, or the same entity makes demands of the impacted entity in order to benefit from the incident.[33]

2.26 Proposed subsection 26(2) defines ‘reporting business entity’ for the purpose of subsection 26(1). An entity is a reporting business entity if, at the time the ransomware payment is made:

  (a) the entity:
      (i) is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold for that year; and
      (ii) is not a Commonwealth body or a State body; and
      (iii) is not a responsible entity for a critical infrastructure asset; or
  (b) the entity is a responsible entity for a critical infrastructure asset to which Part 2B of the [SOCI Act] applies.[34]

2.27 Proposed subsection 26(3) provides that the ‘turnover threshold’ for the purpose of subparagraph 26(2)(a)(i) is to be determined by the manner prescribed by the rules.[35] In accordance with proposed section 87, the rules would take the form of a legislative instrument made by the Minister.

2.28 Proposed section 27 establishes the obligation for reporting business entities to report following a ransomware payment, where the criteria in section 26 have been satisfied.[36]

  • The report is required to be given to the ‘designated Commonwealth body’ within 72 hours of making the payment, or becoming aware of the payment.[37]
  • ‘Designated Commonwealth body’ is defined in section 8 to mean the Department of Home Affairs and the Australian Signals Directorate (ASD); or a department or Commonwealth body that is specified in the rules.
  • The required form, manner and content of reports to the designated Commonwealth body are set out in proposed subsections 27(2)–(4), and may be supplemented by requirements prescribed by the rules.

2.29 An entity is liable to a civil penalty of 60 penalty units for contraventions of the reporting obligation.[38]

2.30 Proposed subsections 28(1) and 28(2) are designed to protect reporting entities from incurring liabilities, such as from a breach of confidentiality, other contractual requirements or other civil proceedings that may arise from complying ‘in good faith’ with the obligation to report cyber security incidents.[39] The Explanatory Memorandum states:

This protection from liability is necessary to ensure businesses are not forced to choose between complying with a mandatory requirement and complying with contractual or other obligations that could result in proceedings for damages. This could include contractual confidentiality of certain information, or an alleged tort resulting in damages. It is critical that entities are not prevented from supplying the Government with information that is essential to building the national cyber security threat picture… Fulsome engagement with the regime, and the provision of comprehensive information will be hindered if businesses are not provided appropriate protections while complying with this obligation to report. The types of information are precisely defined in section 27 to limit, to the extent possible, the information that could result in a relevant action for damages.[40]

2.31 Proposed subsection 28(3) provides that an entity that seeks to rely on the protection in section 28 bears an evidentiary burden of proving that matter.[41] The Explanatory Memorandum states:

The Commonwealth Guide to Framing Offences, Infringement Notices and Enforcement Powers (the Guide) has been considered in framing subsection 28(3). The entity bears the burden of proof because the matters that need to be proved would be peculiarly within the knowledge of the entity, and it would be significantly more difficult (and in some cases costly) for a hypothetical plaintiff to disprove than for the entity to establish this matter. The entity is uniquely placed to adduce evidence that can determine whether they were acting in good faith in compliance with section 27.[42]

2.32 Division 3 of Part 3, consisting of proposed sections 29 to 32, deals with protection of information in relation to ransomware payment reports.

2.33 Proposed section 29 provides the framework for the permitted recording, use and disclosure of the information contained in the ransomware payment report by the designated Commonwealth body.[43] Proposed subsection 29(1) specifies that information provided to a designated Commonwealth body in a ransomware payment report by a reporting business entity may be recorded, used or disclosed for the purposes of one or more of the following:

  • assisting the reporting business entity, and other entities acting on behalf of the reporting business entity to respond to, mitigate or resolve the cyber security incident
  • performing functions or exercising powers under this Part or Part 6 (Regulatory Powers)
  • proceedings under, or arising out of, sections 137.1 or 137.2 of Schedule 1 to the Criminal Code Act 1995 (Criminal Code). These sections of the Criminal Code establish offences for providing false and misleading information and documents, or information given to a Commonwealth entity or produced in compliance with a law of the Commonwealth. The inclusion of this exception would allow ransomware payment reports to be adduced in evidence relating to proceedings in the event an entity is subject to one of those offences in relation to providing false and misleading documents or information
  • proceedings for an offence against section 149.1 of the Criminal Code. This provision of the Criminal Code includes an offence for obstructing, hindering, intimidating or resisting a Commonwealth public official in the performance of the official’s functions. This would allow the ransomware payment report to be included as evidence in a proceeding for obstructing a Commonwealth public official in relation to the Cyber Security Act
  • the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident
  • the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident
  • the performance of the functions of the NCSC under Part 4 relating to a cyber security incident
  • informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident
  • the performance of the functions of an intelligence agency.[44]

2.34 Proposed subsection 29(2) restricts the designated Commonwealth body from recording, using or disclosing information for the purpose of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention penalty or sanction, other than for a contravention of Part 3 or a criminal offence, as it relates to the reporting business entity. This is to prevent information provided by an entity being used against them in a civil regulatory context.[45]

2.35 Proposed subsection 29(3) states that subsection 29(1) does not authorise the designated Commonwealth body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.[46]

2.36 Proposed subsection 29(4) provides that the general restrictions on the recording, use or disclosure of information contained in ransomware payment reports do not apply to the extent that the information was already provided to the designated Commonwealth body by or on behalf of the entity as a requirement under Part 2B of the SOCI Act (cyber security reporting), a requirement under the Telecommunications Act 1997, or a requirement under a law prescribed by the rules.

2.37 Proposed section 30 contains limitations on the secondary use and disclosure of information that was provided in a ransomware payment report.[47] Section 30 applies to information that was provided in a ransomware payment report by a reporting business entity, which was obtained by another entity, Commonwealth body or State body under subsection 29(1) or section 30, and is held by another entity, Commonwealth body or State body. Subsections 30(2), 30(3) and 30(4) then mirror the restrictions on recording, use and disclosure applicable to the designated Commonwealth body in subsections 29(1), 29(2) and 29(3).

2.38 Proposed subsection 30(5) provides exceptions to the section 30 prohibitions on recording, using or disclosure of information by secondary agencies, which include the exceptions set out in subsection 29(4) and additional exceptions relating to personal information, business entity information disclosed with the entity’s consent, and the performance of State constitutional functions or powers.

2.39 Proposed subsection 30(6) introduces a civil penalty provision for the unauthorised secondary use or disclosure of information in a ransomware payment report.[48]

2.40 Proposed section 31 is intended to provide clarity regarding the issue of legal professional privilege and the interaction with providing information to government within a ransomware payment report that would normally be protected by legal privilege.[49] The section provides that the fact of reporting ransomware information would not affect an entity’s claim of legal professional privilege in relation to that information, subject to some exceptions such as proceedings of coronial inquiries or Royal Commissions.

2.41 Proposed section 32 similarly restricts the admissibility of information provided by a reporting business entity in a ransomware payment report as evidence in criminal or civil proceedings.[50]

Part 4: Coordination of significant security incidents

2.42 Part 4 of the Cyber Security Bill deals with voluntary provision of information to the NCSC. Part 4 would commence the day after the Act receives Royal Assent and consists of three divisions.

2.43 Division 1 deals with preliminary matters, and includes proposed section 34, providing the definition of a ‘significant cyber security incident’. A cyber security incident is a significant cyber security incident if:

  • there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice the social or economic stability of Australia or its people, the defence of Australia, or national security; or
  • the incident is, or could reasonably be expected to be, of serious concern to the Australian people.[51]

2.44 Division 2, consisting of proposed sections 35 to 37, deals with voluntary sharing of information with the NCSC.[52]

  • Proposed section 35 provides for impacted entities or other entities acting on behalf of an impacted entity, to voluntarily provide information to the NCSC, in relation to a significant cyber security incident, in accordance with the criteria set out in this section.[53]
  • Proposed section 36 outlines the circumstances and purpose for which the NCSC may collect and use information; which is to determine whether an incident is a cyber security incident or a significant cyber security incident.[54]
  • Proposed section 37 outlines the role of the NCSC, including to ‘lead across the whole of government the coordination and triaging of action in response to serious cyber security incidents’ and to ‘inform and advise the Minister and the whole of government in relation to the whole of government response to a significant cyber security incident’. However, section 37 is ‘non-exhaustive in nature and does not limit the role of the [NCSC] to the matters listed’.[55]
  • The NCSC is defined in section 8 to include the officer of the Department of Home Affairs known as the National Cyber Security Coordinator; and the Australian Public Service employees, and officers or employees of Commonwealth bodies, whose services are made available to the Coordinator in connection with the performance of their functions and the exercise of their powers under the Cyber Security Act.

2.45 Division 3, consisting of proposed sections 38 to 43, deals with protection of information provided in relation to a significant cyber security incident under subsection 35(2).[56]

2.46 Proposed section 38 sets out parameters for the use and disclosure by the NCSC of such information.[57]

  • Proposed subsection 38(1) outlines that the NCSC may make a record of, use or disclose information provided under subsection 35(2) by, or on behalf of, an entity (the impacted entity) in relation to a cyber security incident, only for one or more of the following purposes:
      • enabling the NCSC, and staff assisting the NCSC, to assist the impacted entity, and other entities acting on behalf of the impacted entity, to respond to, mitigate or resolve the cyber security incident
      • a ‘permitted cyber security purpose’, as defined under section 10 (see above).[58]
  • Proposed subsection 38(2) prohibits the making of records, use and disclosure of information by the NCSC for the investigation or enforcement of a contravention of civil law, other than Part 4 of the Bill.[59] The Explanatory Memorandum provides further detail in relation to proposed subsection 38(2):

This subsection reinforces that the intention of this Part is to encourage entities to engage with the National Cyber Security Coordinator during a cyber incident, whilst being assured that the information provided cannot be recorded, used or disclosed for law enforcement or regulatory purposes. This does not prevent disclosure for the purpose of imposing a penalty or sanction for a criminal offence as it is not the intention of the regime to protect against breaches of criminal law.

It must be highlighted that it is not the Government’s intention to restrict operational, regulatory or law enforcement agencies from carrying out their existing legislated functions, especially where serious breaches of law are made apparent that are not related to the cyber security incident. This Part is not intended to restrict law enforcement or regulators gathering this information using their own existing powers and using it for regulatory or law enforcement purposes against the entity.[60]

2.47Proposed section 39 sets the parameters for the use and disclosure by the NCSC of information provided in relation to other incidents (namely incidents that are not ‘significant cyber security incidents’, as defined in section 34).[61] The Explanatory Memorandum sets out that:

The intention of section 39 is to ensure that where information is provided to the National Cyber Security Coordinator in relation to an incident, but it is unclear whether the incident is, or could be, a significant cyber security incident, the information is still only recorded, used or disclosed for limited purposes. The permitted cyber security purposes do not apply here as the incident is not a significant cyber security incident and therefore, it is not necessary to share information for these purposes. Should further details of the incident deem it significant, the provisions outlined under section 35 will apply.[62]

2.48Proposed section 40 provides similar limitations on the secondary use and disclosure of information.[63]

2.49Proposed section 41 is intended to provide clarity regarding the issue of legal professional privilege and the interaction with providing information that would normally be protected to the NCSC under Part 4.[64] Proposed section 42 addresses the admissibility of information voluntarily given by the impacted entity.[65] The Explanatory Memorandum sets out that:

The intention of the provision is to clarify that due to the volume of potential on-disclosure for permitted cyber security purposes, it is not established in this Part that the provision of information to the National Cyber Security Coordinator does or does not amount to a waiver of legal professional privilege. While protection of privilege information cannot be assured, the limitations on secondary use and disclosure under section 40, and the protections from admissibility under section 42(2) provide a level of protection to the information provided sufficient to encourage disclosure without the assurance that legal professional privilege will not be waived.

Information voluntarily provided under permitted cyber security purposes cannot be used by regulators for civil compliance action against the reporting entity. Information would not be admissible against that entity in proceedings for a contravention of civil penalties under Commonwealth law.[66]

2.50Proposed section 43 provides for the Secretary to issue a certificate stating that a specified person is currently, or has in the past been, part of the NCSC as defined in section 8. Such a person is not compellable as a witness in a federal court or a court of a State or Territory, to the extent that the matter relates to information provided by an entity under Part 4.[67] The Explanatory Memorandum sets out that:

Information that is received by the National Cyber Security Coordinator in the course of a response to a cyber security incident or a significant cyber security incident is considered to be covered by the Limited Use Obligation. Therefore, any information that may be provided in evidence, by the National Cyber Security Coordinator, regarding a cyber security incident which they responded to, is not admissible according to section 42 of the Act. The non-compellability provision in this Act is not designed to be a safe harbour. Enforcement agencies are still able to rely on their own legislative powers. Further, the protection does not apply to coronial inquiries.[68]

2.51Division 4, comprising proposed section 44, provides that the operation of Part 4 does not affect any other requirement to provide information under the Cyber Security Act or another law of the Commonwealth.[69]

Part 5: Cyber Incident Review Board

2.52Part 5 of the Cyber Security Bill establishes the Cyber Incident Review Board (CIRB). Part 5 would commence on a single day fixed by Proclamation, or at the end of six months after the Act receives Royal Assent. Part 5 consists of seven divisions.

2.53Division 1 consists of proposed section 45, providing a simplified outline of Part 5.[70]

2.54Division 2, consisting of proposed sections 46 to 54, deals with reviews by the CIRB. The purpose of a review is to make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of cyber security incidents of a similar nature in the future.[71]

2.55The CIRB may cause a review to be conducted in relation to a cyber security incident, or series of related cyber security incidents, on written referral by:

  1. the Minister;
  2. the NCSC;
  3. an entity impacted by the incident or an incident in a series of incidents; or
  4. a member of the CIRB.[72]
2.56Proposed subsection 46(2) provides that a review may only be conducted:

  1. if the CIRB is satisfied that the incident or series of incidents meets the criteria set out in subsection (3);
  2. after the incident or series of incidents, and the immediate response, has ended; and
  3. if the Minister has approved the terms of reference for the review.
2.57The criteria for an incident warranting review set out in subsection 46(3) include where an incident (or series) has or could reasonably be expected to ‘seriously prejudice’ Australia’s social or economic stability, defence or national security; where it involved novel or complex methods or technologies; or where it could ‘reasonably be expected to be of serious concern to the Australian people’.

2.58Proposed subsection 46(4) provides that each review is to be conducted by a review panel that consists of the Chair, the standing members of the CIRB that are specified in the terms of reference for the review, and the members of an expert panel appointed to assist the review.

2.59Proposed sections 48 to 50 provide the CIRB with the power to request, or to issue a notice requiring, an entity to provide information or documents to the CIRB. An entity is liable to a civil penalty for failing to comply with a notice requiring the production of documents.[73]

2.60Proposed sections 51 to 54 set out requirements for draft and final review reports prepared by the CIRB. A final review report must not include ‘sensitive review information’[74] and must not:
  • apportion blame in relation to a cyber security incident that was subject of the review;
  • provide the means to determine the liability of any entity in relation to such a cyber security incident;
  • identify an individual (unless the individual has consented); or
  • allow any adverse inference to be drawn from the fact that an entity is the subject of the review.[75]
2.61The final review report (excluding any redactions) is required to be published.[76]

2.62Division 3, consisting of proposed sections 55 to 59, deals with protection of information relating to reviews, including limited use provisions similar to those in relation to ransomware reports and information provided voluntarily to the NCSC (see above).

2.63Division 4, consisting of proposed sections 60 to 63, deals with the establishment, functions and powers of the CIRB. The CIRB is required to consist of a Chair and at least two, but no more than six, other standing members.[77] Section 63 provides that, subject to the other provisions of the Cyber Security Act and to other laws of the Commonwealth, the CIRB has complete discretion and is not subject to direction by any person in the performance of its functions and exercise of its powers.

2.64Division 5, consisting of proposed sections 64 to 69, deals with the terms and conditions of appointment of the Chair and members of the CIRB. The Chair and other standing members are appointed by the Minister.[78]

2.65Division 6, consisting of proposed sections 64 to 69, deals with the Expert Panel, staff assisting and consultants.[79] Members of the Expert Panel are to be appointed by the CIRB in accordance with the terms of reference for a review, in order to assist in the review.[80] Australian Public Service employees, or officers or employees of other Commonwealth bodies, may be made available as staff assisting the CIRB and are subject to the directions of the CIRB.[81]

2.66Division 7, consisting of proposed sections 73 to 77, deals with other matters relating to the CIRB such as its procedures, protections from liability and annual reporting.[82]

Part 6: Regulatory powers

2.67Part 6, consisting of four divisions and proposed sections 78 to 83, deals with regulatory powers including civil penalty provisions, enforceable undertakings and injunctions, and makes various civil penalty and other infringement provisions subject to the monitoring, investigation and enforcement procedures in the Regulatory Powers (Standard Provisions) Act 2014.[83] Part 6 would commence the day after the Act receives Royal Assent.

Part 7: Miscellaneous

2.68Part 7, consisting of proposed sections 84 to 87, deals with miscellaneous matters including delegation of some Part 2 functions or powers by the Secretary to a Senior Executive Service employee of the Department, and establishing the rule making power of the Minister.[84] Part 7 would commence the day after the Act receives Royal Assent.

Footnotes

[1]Cyber Security Bill 2024, Explanatory Memorandum (EM), p. 2.

[2]Cyber Security Bill 2024, EM, p. 2.

[3]Cyber Security Bill 2024, EM, p. 2.

[4]Cyber Security Bill 2024, EM, p. 14 [18].

[5]Cyber Security Bill 2024, EM, p. 14 [19].

[6]Cyber Security Bill 2024, EM, pp. 14–15 [20]–[21].

[7]Cyber Security Bill 2024, EM, p. 20 [67].

[8]Cyber Security Bill 2024, EM, p. 20 [68].

[9]Cyber Security Bill 2024, EM, p. 20 [69]. Section 5 of the Security of Critical Infrastructure Act 2018 (SOCI Act) specifies that ‘mere interception’ is not considered to be impairment of electronic communication for the purposes of the SOCI Act.

[10]‘State body’ is defined in proposed section 8 to include a Minister or Department of a State or Territory, or a body established for a public purpose by a State or Territory that is not an authority of the Crown.

[11]‘Critical infrastructure asset’ has the same meaning as in the SOCI Act.

[12]‘Intelligence agency’ is defined in proposed section 8 to include the Australian Criminal Intelligence Commission, the Australian Geospatial-Intelligence Organisation, the Australian Secret Intelligence Service, the Australian Security Intelligence Organisation, the Australian Signals Directorate, the Defence Intelligence Organisation and the Office of National Intelligence.

[13]Cyber Security Bill 2024, EM, pp. 21–22 [75]. ‘Commonwealth enforcement body’ is defined in proposed section 8 to include the Australian Federal Police, the Australian Prudential Regulation Authority, the Australian Securities and Investments Commission, the Inspector of the National Anti-Corruption Commission, the Office of the Director of Public Prosecutions, the National Anti-Corruption Commissioner, Sport Integrity Australia and ‘another Commonwealth body, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction for a criminal offence’: Cyber Security Bill 2024, proposed s. 8.

[14]Cyber Security Bill 2024, EM, p. 23 [86].

[15]Cyber Security Bill 2024, EM, pp. 23–25 [86]–[99].

[16]Cyber Security Bill 2024, EM, p. 26 [100].

[17]Cyber Security Bill 2024, EM, p. 27 [109].

[18]Cyber Security Bill 2024, proposed s. 15(1).

[19]Cyber Security Bill 2024, EM, p. 28 [116].

[20]Cyber Security Bill 2024, proposed s. 16(5).

[21]Cyber Security Bill 2024, EM, p. 30 [128].

[22]Cyber Security Bill 2024, EM, pp. 30–31 [129]–[132].

[23]Cyber Security Bill 2024, EM, p. 31 [133].

[24]Cyber Security Bill 2024, EM, p. 31 [134].

[25]Cyber Security Bill 2024, EM, p. 32 [138].

[26]Cyber Security Bill 2024, EM, p. 32 [142].

[27]Cyber Security Bill 2024, EM, p. 33 [143].

[28]Cyber Security Bill 2024, EM, p. 33 [144]–[149].

[29]Cyber Security Bill 2024, EM, p. 34 [150].

[30]Cyber Security Bill 2024, EM, p. 39 [178].

[31]Cyber Security Bill 2024, EM, pp. 39–40 [182]–[186].

[32]Cyber Security Bill 2024, EM, p. 40 [187].

[33]Cyber Security Bill 2024, EM, p. 41 [189].

[34]Cyber Security Bill 2024, proposed s. 26(2); Cyber Security Bill 2024, EM, p. 41 [190]. The Explanatory Memorandum states ‘Part 2B of the SOCI Act establishes its own framework by which responsible entities must report cyber security incidents that have a relevant impact on a critical infrastructure asset to which that Part applies. Enlivening the ransomware reporting obligation will ensure there is a complimentary reporting framework in place to capture reports that are required to be made under existing provisions within the SOCI Act. This will not increase the reporting burden but will ensure that reporting requirements are captured within the larger reporting scheme.’

[35]Cyber Security Bill 2024, EM, p. 43 [194].

[36]Cyber Security Bill 2024, EM, p. 44 [202].

[37]Cyber Security Bill 2024, proposed s. 27(1).

[38]Cyber Security Bill 2024, proposed s. 27(5).

[39]Cyber Security Bill 2024, EM, p. 48 [223]–[225].

[40]Cyber Security Bill 2024, EM, p. 48 [226].

[41]Cyber Security Bill 2024, EM, p. 48 [227].

[42]Cyber Security Bill 2024, EM, p. 48 [227].

[43]Cyber Security Bill 2024, EM, p. 48 [228].

[44]Cyber Security Bill 2024, EM, pp. 48–49 [229].

[45]Cyber Security Bill 2024, EM, p. 50 [231].

[46]Cyber Security Bill 2024, EM, p. 50 [233].

[47]Cyber Security Bill 2024, EM, p. 50 [236].

[48]Cyber Security Bill 2024, EM, p. 52 [243]–[244].

[49]Cyber Security Bill 2024, EM, p. 53 [253].

[50]Cyber Security Bill 2024, EM, p. 54 [259].

[51]Cyber Security Bill 2024, EM, p. 56 [270]–[271].

[52]Cyber Security Bill 2024, EM, p. 56.

[53]Cyber Security Bill 2024, EM, p. 56 [272].

[54]Cyber Security Bill 2024, EM, p. 58 [284].

[55]Cyber Security Bill 2024, EM, p. 59 [288].

[56]Cyber Security Bill 2024, EM, p. 59 [290].

[57]Cyber Security Bill 2024, EM, p. 59 [290].

[58]Cyber Security Bill 2024, EM, p. 59 [291].

[59]Cyber Security Bill 2024, EM, p. 60 [294].

[60]Cyber Security Bill 2024, EM, p. 60 [295]–[296].

[61]Cyber Security Bill 2024, EM, p. 61 [301].

[62]Cyber Security Bill 2024, EM, p. 63 [309].

[63]Cyber Security Bill 2024, EM, p. 63 [310].

[64]Cyber Security Bill 2024, EM, p. 65 [328].

[65]Cyber Security Bill 2024, EM, p. 66 [334].

[66]Cyber Security Bill 2024, EM, p. 67 [241]–[242].

[67]Cyber Security Bill 2024, EM, p. 67 [343].

[68]Cyber Security Bill 2024, EM, p. 68 [347].

[69]Cyber Security Bill 2024, EM, p. 68 [348].

[70]Cyber Security Bill 2024, EM, p. 70 [355]–[360].

[71]Cyber Security Bill 2024, EM, pp. 70–81 [361]–[439].

[72]Cyber Security Bill 2024, proposed s. 46.

[73]Cyber Security Bill 2024, proposed s. 50.

[74]Cyber Security Bill 2024, proposed s. 53.

[75]Cyber Security Bill 2024, proposed s. 52.

[76]Cyber Security Bill 2024, proposed s. 52(6).

[77]Cyber Security Bill 2024, proposed s. 61.

[78]Cyber Security Bill 2024, EM, pp. 90–93 [498]–[519].

[79]Cyber Security Bill 2024, EM, pp. 93–95 [520]–[536].

[80]Cyber Security Bill 2024, proposed s. 70.

[81]Cyber Security Bill 2024, proposed s. 71.

[82]Cyber Security Bill 2024, EM, pp. 95–99 [535]–[565].

[83]Cyber Security Bill 2024, EM, pp. 99–110 [567]–[634].

[84]Cyber Security Bill 2024, EM, pp. 110–113 [635]–[658].