The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has urged in its advisory report handed down on Monday for three legislative bills that form part of a cyber security ‘package’ to be passed by the Parliament.
The Cyber Security Legislative Package 2024 consists of the Cyber Security Bill 2024, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024, and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, which were introduced in the House of Representatives and passed on for review by the inquiry in October.
The package is the culmination of seven initiatives to be implemented as part of the 2023-2030 Australian Cyber Security Strategy that intend to “bring Australia in line with international best practice” on cyber security and ensure the country is “on track to become a global leader in cyber security”, including:
- mandate minimum cyber security standards for smart devices
- introduce mandatory ransomware reporting for certain businesses to report ransom payments
- introduce ‘limited use’ obligations for the National Cyber Security Coordinator and the Australian Signals Directorate, and
- establish a Cyber Incident Review Board.
The new legislation will also introduces reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act), including:
- clarify existing obligations in relation to systems holding business critical data
- enhance government assistance measures to better manage the impacts of ‘all hazards’ incidents on critical infrastructure
- simplify information sharing across industry and Government
- introduce a power for the Government to direct entities to address serious deficiencies within their risk management programs, and
- align regulation for the security of telecommunications into the SOCI Act.
“In response to matters raised by contributors to the inquiry, the Committee has made a total of 12 recommendations, mostly aimed at ensuring the implementation of the package is as effective as possible and subject to ongoing review.
“Noting the extensive consultation process that the Department of Home Affairs has already conducted — and subject to implementation of the recommendations in this report — the Committee supports the urgent passage of the legislative package.”
The committee said it had received over 60 written submissions from industry participants, peak bodies, civil society and individuals, which it has “taken.. into account in developing its conclusions and recommendations”. The committee recommended that the government look to pass the legislative package prior to the rising of the 47th Parliament to “avoid extended delays in its implementation”.
“Hardening Australia’s cyber security against these threats is essential to Australia’s ongoing security and prosperity. To this end, the Committee supports the intent of the Cyber Security Legislative Package and the broader 2023–2030 Australian Cyber Security Strategy to strengthen Australia’s cyber defences and build cyber resilience to help Australia become a world leader in cyber security by 2030,” the committee said in its advisory report.
“This intent—and the general approach taken in the three bills that comprise the Cyber Security Legislative Package—was almost universally supported by participants in the inquiry.
“At the same time, the Committee has listened to the concerns raised by some organisations and individuals who made submissions and appeared at public hearings, particularly in relation to the importance of clear guidance and ongoing consultation during the implementation of the legislation.
“The Committee notes that the bills allow for implementation periods of between 6 and 12 months for each of the key measures, with the exception of the limited use provisions. The Committee encourages the Department of Home Affairs to use these periods to ensure that industry is supported with clear guidance materials, education and advice on the intended operation of the provisions. “
