The Australian Parliament’s recent passage of the Cyber Security Act 2024 is being touted as a landmark moment for the nation’s cyber resilience. Minister for Cyber Security Tony Burke has described it as “a cohesive legislative toolbox” for navigating an increasingly hostile digital landscape. But while the bill introduces much-needed measures to address cyber threats, it also raises questions about its practicality and the strain it may impose on businesses already grappling with a labyrinth of compliance requirements. Furthermore, I am still worried along the lines of my previous comments: “How do we get a more cohesive and holistic overall cyber security policy?” In order to be effective we need international collaboration; a parochial approach is just not good enough. Also, on a national scale we do need bipartisan support, otherwise we keep on getting failures such as the recent abandonment of the misinformation bill. This significantly undermines trust in government policies. Also, the Social Media Ban for Under-16s has far more questions than answers and will be hard to implement and police.
Ransomware Reporting: An Important First Step
Back to the current Bill. A cornerstone of the new legislation is the mandatory reporting of ransomware payments. Affected entities now have 72 hours to report such payments to the government. This measure aims to gather intelligence on the scope of ransomware attacks and curb the growing trend of paying cybercriminals. While this is a welcome step, it raises questions about how businesses can navigate the immediate aftermath of a cyberattack while also meeting the stringent reporting deadline.
Will this approach discourage payments or merely add another layer of stress for already overburdened organisations? Without robust support mechanisms in place, businesses may find themselves caught between the need to restore operations swiftly and the obligation to meet government-imposed deadlines.
Strengthening Smart Device Security: A Win for Consumers
The Act’s introduction of tougher security standards for smart devices is a clear win for consumers. With the proliferation of Internet of Things (IoT) devices in homes and workplaces, vulnerabilities in these technologies pose significant risks. However, the measures should perhaps have gone further. The legislation addresses device security but leaves gaps when it comes to software and Software as a Service (SaaS) providers that process and store sensitive data. If the government truly aims to create a resilient cyber landscape, these areas must also be addressed.
The Cyber Incident Review Board: A Double-Edged Sword
The establishment of a Cyber Incident Review Board (CIRB) represents an ambitious effort to analyse major cyber incidents and recommend preventive measures. However, its limited powers and reliance on voluntary cooperation from affected organisations weaken its potential impact. Businesses are already burdened with compliance demands, audits, and incident response preparations. Adding an external review process during a crisis could exacerbate their challenges.
While the intent behind the CIRB is laudable, the government must balance its ambitions with the realities faced by organisations. A collaborative approach that focuses on support rather than enforcement may yield better outcomes and encourage businesses to embrace these reviews as a learning opportunity rather than an additional hurdle.
Balancing Security with Practicality
The Cyber Security Act 2024 underscores the urgent need to address Australia’s growing cyber vulnerabilities. However, its implementation must be carefully managed to ensure it doesn’t inadvertently hinder the very organisations it seeks to protect. Striking a balance between robust security measures and practical, business-friendly approaches is essential.
The government now faces the challenge of turning legislation into action. It must work closely with businesses, security experts, and other stakeholders to refine these measures and address the concerns raised by industry. Only then can Australia truly move forward “with clarity and confidence” in its cyber security journey.
Paul Budde