- Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024
- This chapter outlines the key measures of the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (ISA Bill).
- The ISA Bill proposes to amend the Intelligence Services Act 2001 (IS Act) to place restrictions on the use and communication of certain cyber security information. The ISA Bill also includes certain consequential amendments arising from the Cyber Security Bill 2024.
- The ISA Bill is intended to legislate a ‘limited use’ obligation for the Australian Signals Directorate (ASD), similar to the limited use obligation to be imposed on the National Cyber Security Coordinator (NCSC) under Part 4 of the Cyber Security Bill 2024. As set out in the Minister’s second reading speech:
The limited use obligation in the ISA Bill provides industry with legislative assurance that they can engage and provide information to the very agencies the government has established to help them prepare for and respond to cyber security incidents. … The limited-use obligation in this bill will make it clear that the ASD may only on-share this information for a permitted purpose and that on-shared recipients can only use that information for a permitted purpose. The obligation is not a safe harbour for industry. It won't exempt an organisation from complying with their existing legal and regulatory obligations.
3.4 The proposed amendments to the IS Act outline that ASD will only on-share limited cyber security information for permitted cyber security purposes. The ISA Bill Explanatory Memorandum states that:
decreasing engagement and information flow between industry and ASD presents a significant risk to Australia’s national cyber security posture, as it impedes ASD’s ability to maintain a comprehensive national cyber threat picture and provide timely technical cyber security advice and assistance.
3.5 The ISA Bill prescribes limited purposes, referred to as ‘permitted cyber security purposes’, for which ASD may communicate certain information relating to cyber security incidents, which is referred to as ‘limited cyber security information’. The ISA Bill would prevent ASD from communicating limited cyber security information for the purposes of investigating or enforcing a contravention of a Commonwealth, State or Territory law (other than a criminal offence) against the impacted entity.
3.6 The ISA Bill also intends to place specific limitations on the admissibility of limited cyber security information in certain civil or criminal proceedings, and specifies that the provision of cyber security information does not otherwise affect a claim of legal professional privilege in relation to that information.
3.7 Schedule 2 of the ISA Bill proposes to amend the Freedom of Information Act 1982 (FOI Act) to include an exemption from Freedom of Information requests for a document given to, or received by, the NCSC for the purposes set out under Part 4 of the Cyber Security Bill 2024.
3.8 A more detailed outline of the provisions is set out below.
Schedule 1: Limited use of certain cyber security information
3.9 Schedule 1 to the ISA Bill proposes to insert new Division 1A into Part 6 of the IS Act, implementing a key initiative of the 2023–2030 Australian Cyber Security Strategy designed to encourage industry engagement with government in relation to cyber security incidents. As explained in the Explanatory Memorandum for the ISA Bill, industry engagement will be encouraged by providing entities with assurance through a legislative mechanism that information reported to ASD will not be on-shared and subsequently used by recipients for reasons other than permitted cyber security purposes.
3.10 The insertion of new Division 1A into the IS Act would support this objective by:
- establishing a clear legislative obligation in relation to cyber security information that is voluntarily provided by entities or through their representatives to, or acquired or prepared by, ASD
- clarifying that ASD will only on-share limited cyber security information for permitted cyber security purposes and prescribing how a receiving party may use limited cyber security information when on-shared by ASD
- providing protections to limited cyber security information in Commonwealth, State and Territory court proceedings, such that the information is not admissible in court proceedings against the impacted entity, subject to certain exceptions
- The Explanatory Memorandum states that:
Schedule 1 of the Bill strikes an appropriate balance between providing assurance to entities to encourage early and open engagement with ASD and protecting broader public interests by not impeding an effective and efficient regulatory environment.
3.12 Proposed section 41BA of the IS Act outlines when cyber security information is captured by the limited use obligation, including what constitutes ‘limited cyber security information’—a key term used throughout the Division.
3.13 ‘Limited cyber security information’ is defined to include information acquired or prepared by ASD that relates to:
- a cyber security incident that has occurred or is occurring; or
- a cyber security incident that may potentially occur.
- The Explanatory Memorandum states that:
This broad applicability allows the limited use obligation to protect information relating to the discovery of vulnerabilities on a system, in addition to incident information where exploitation has occurred.
3.15 Proposed subsection 41BA(2) restricts the application of the Division to information that has been:
- voluntarily provided to ASD in the performance of its functions by, or on behalf of, an impacted entity
- acquired or prepared by ASD in the performance of its functions, with the consent of the impacted entity, such as through an ASD technical program; or
- acquired by the NCSC and disclosed to ASD under the limited use obligation in the Cyber Security Bill 2024.
3.16 ‘Limited cyber security information’ also explicitly excludes information provided to the Commonwealth in compliance with certain mandatory reporting obligations, information that has already been made public, and information that has been de-identified.
3.17 Proposed subsection 41BA(4) defines ‘cyber security incident’ as:
- (a) one or more acts, events or circumstances:
  - of a kind covered by the meaning of cyber security incident in the Security of Critical Infrastructure Act 2018; or
  - involving unauthorised impairment of electronic communication to or from a computer, within the meaning of that phrase in that Act, but as if that phrase did not exclude the mere interception of any such communication; or
- (b) the discovery of unintended or unexpected vulnerabilities in a computer, computer data or a computer program that, if exploited, would result in a cyber security incident within the meaning of paragraph (a).
- Proposed subsection 41BA(5) provides for the meaning of a Commonwealth body, Commonwealth enforcement body, entity and State body. These terms have the same meaning given by the Cyber Security Bill 2024.
- Proposed new section 41BB of the IS Act provides that limited cyber security information can only be communicated by ASD for permitted cyber security purposes and imposes specific limitations on the communication of limited cyber security information by ASD.
- Proposed subsection 41BB(1) places a restriction on the Director-General and staff members of ASD to only communicate limited cyber security information to a person who is not a staff member of ASD for one or more of the permitted cyber security purposes set out in the subsection. These purposes are similar to the permitted cyber security purposes set out in the Cyber Security Bill 2024 (see Chapter 2), but with additional specific purposes relating to ASD’s functions under the IS Act, and the performance of the functions of the Inspector-General of Intelligence and Security.
- Proposed subsection 41BB(2) restricts the use and communication of limited cyber security information for civil or regulatory action and is applicable only to the limited cyber security information that has been voluntarily provided to, or acquired or prepared by, ASD.
- Proposed section 41BC imposes similar limitations on the secondary use and communication of limited cyber security information by a Commonwealth body, State body or Commonwealth corporation. This section also establishes a civil penalty for a contravention of the section.
- Proposed section 41BD relates to the application of section 41BC to the Crown and provides that the Crown is bound in right of each of its capacities but is not liable to be prosecuted for an offence. Proposed section 41BD also introduces a consent mechanism to allow for the communication of limited cyber security information to a State body.
- Proposed section 41BE relates to legal professional privilege. Subsection 41BE(1) specifies that where an entity has provided limited cyber security information to ASD it does not otherwise affect a claim of legal professional privilege that anyone may make in any of the specified proceedings.
- Proposed section 41BF limits the admissibility of limited cyber security information in criminal or civil proceedings against the impacted entity, subject to certain exceptions. The section specifies that limited cyber security information held by ASD, a Commonwealth body or a State body, is inadmissible in certain circumstances.
- Proposed subsection 41BF(1) sets out the type of limited cyber security information to which section 41BF applies.
- Proposed subsection 41BF(2) provides that limited cyber security information is not admissible as evidence against the impacted entity in Commonwealth, State or Territory criminal proceedings, subject to limited exceptions dealing with false or misleading information or obstruction of Commonwealth public officials. Limited cyber security information is also inadmissible in civil proceedings for a contravention of a civil penalty (excluding the civil penalty provisions in Division 1A), proceedings for a breach of any other Commonwealth, State or Territory law (including the common law), or proceedings before a tribunal of the Commonwealth, a State or Territory.
- Proposed subsection 41BF(3) provides that the limitation on admissibility of limited cyber security information does not apply to a coronial inquiry or a Royal Commission in Australia; or proceedings in the Federal Court exercising original jurisdiction involving a writ of mandamus or prohibition or injunction sought against a Commonwealth Officer.
- Proposed section 41BG prevents the Director-General and staff members of ASD, both former and current, from being compelled to comply with certain court orders in relation to limited cyber security information.
- Proposed section 41BH specifies how permissions and rights are conferred and exercised, and how obligations and duties are imposed and discharged, on an entity that is a non-legal person. The proposed section also applies a civil penalty provision on a non-legal person that contravenes Division 1A.
Schedule 2: Amendment to the FOI Act
3.28 Section 7 of the FOI Act makes certain persons and bodies exempt from its operation.
3.29 Schedule 2 to the ISA Bill proposes to insert a new subsection 7(2H) into the FOI Act, which would provide that a document that is given to, or received by, the NCSC for the purposes set out under proposed Part 4 of the Cyber Security Bill 2024 is exempt from the operation of the FOI Act.
3.30 The Explanatory Memorandum for the ISA Bill states:
New subsection (2H) to section 7 of the Freedom of Information Act 1982 provides a complementary additional safeguard for the information collected under that regime. While there are a series of robust exemptions under Part 4 of the Freedom of Information Act 1982, they are not complete and are not sufficient to capture all types of information that may be provided during a cyber incident. It is possible that an entity would provide information to the Coordinator that is not subject to an existing exemption, where that information is pertinent to a response to, mitigation of or resolution to a cyber security incident, but where that entity would refuse to voluntarily provide that information as a result of a concern that the information could become public information through a relevant request under the Freedom of Information Act 1982.
… The objective of this carve out for information obtained under Part 4 of the Cyber Security Act 2024 is to ensure that the entity does not have to undergo an assessment of whether such a conditional exemption would apply and have full confidence that the information will be handled confidentially by government.