Proposed Federal Cyber Security Act: A Necessity or an Unjustified Intrusion?
The federal government is proposing standalone legislation which it claims is an essential part of its Cyber Security Legislation Package, the stated objective of which is to combat cyber security threats to Australia.
The Cyber Security Bill 2024 (Cth) was introduced to the House of Representatives by Cyber Security Minister Tony Burke on 9 October 2024. In his Second Reading Speech he touted it as ‘long overdue for our country’, claiming it ‘reflects the government’s focus on these [security] threats’ and ‘ensures we keep pace with emerging threats and bounce back from cyber security threats.’
However, there are concerns that the proposed laws are just another way to bolster state control at the expense of individual freedoms such as privacy, and have the potential to create databases that represent honeypots of information for cyber criminals.
In that regard, critics point to the proposed increase in the powers of government agencies to regulate internet activity. Those powers could lead to even greater restrictions on internet freedoms than those already being introduced by the federal government, restrictions which can see governments suppress content that is critical of their agencies or otherwise politically undesirable.
In terms of entrusting authorities with more powers and greater access to data, critics point to the government’s appalling track record in matters of internet security: the disastrous data breaches of My Health Record and Census data; costly, failed and abandoned schemes such as the facial recognition projects and the National Digital ID Scheme; and the metadata retention scheme, which was intended to catch serious criminals but has instead overwhelmingly been used for the government’s own purposes, including targeting journalists, hunting down whistleblowers, and even identifying and threatening medical practitioners who have been outspoken about government policy.
The proposed laws
The proposed laws seek to impose a range of new rules and regulations on matters of internet security, such as data storage and file sharing, and to give government agencies far greater power to regulate, and indeed prosecute, breaches.
Security standards for smart devices
One of the main aspects of the new Bill is a set of mandatory security standards for smart devices, under which:
- manufacturers must comply with the requirements of the applicable security standard,
- manufacturers must comply with any other security obligations imposed under the Bill,
- a product cannot be supplied in Australia if it does not comply with the regulations, and
- suppliers must supply the product in Australia with a statement of compliance.
In short, the Bill sets minimum cyber security requirements for smart devices, including watches, cameras, doorbells and other connected consumer electronics. Australia will follow the framework of the Product Security and Telecommunications Infrastructure Act, which is already established in the United Kingdom.
Ransomware reporting obligations
A second update in the Bill imposes ransomware reporting obligations on entities that are directly affected by a cyber security incident and that either make a ransomware payment themselves or are aware that another entity has made a payment or provided a benefit on their behalf.
The ransomware payment report must include information about the incident, the demand made, and the payment.
More powers for authorities
Another important focal point of the legislation involves new rules for the Australian Signals Directorate and the National Cyber Security Coordinator.
These obligations limit how the two agencies may use information about cyber security incidents that is shared with them. The intention is to encourage organisations to share incident data with the government by restricting what the government can then do with it.
Cyber incident review board
Another change made by the new Bill is the creation of the Cyber Incident Review Board, which will conduct reviews of significant cyber security incidents and make recommendations to government on how to minimise the impact of such incidents and avoid similar issues in the future.
Greater regulatory powers
Every civil penalty provision in the Bill is subject to the monitoring powers in Part 2 and the investigation powers in Part 3 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth).
Civil penalty orders can be sought from a relevant court under Part 4 of that Act, infringement notices can be issued for civil penalty provisions under Part 5, and enforceable undertakings in relation to civil penalty provisions can be accepted under Part 6.
Overall, the legislation brings a host of changes. But will they prove to be for the good, or will personal data, business security and the economy be compromised in the process?
Implications of the Act
Although the new legislation may help to reduce cyber security threats, it could also create long-term concerns that change how businesses and government operate.
Firstly, businesses may be reluctant to share incident data with the government, even where sharing could help prevent future attacks. Companies might view disclosure as a threat to their own security and as a deterrent to future clients and partners, since a publicised data breach can damage their reputation.
Next, businesses may face challenges adapting to the new framework for reporting cyber threats and attacks, both internally to management and externally to government agencies. Learning the correct processes could be time-consuming and costly, potentially harming small businesses in particular.
Lastly, the Act must strike a delicate balance between Australia’s national security concerns and the need to safeguard individual data rights and streamline business operations.
Existing laws
Until now, Australia has not had any cyber security-specific legislation, but it does have a web of legislation that addresses a number of related areas, including:
- Security: The Security of Critical Infrastructure Act 2018 governs infrastructure in sectors such as communications, education, defence, health care, technology and transport.
- Privacy: The Privacy Act 1988 requires regulated entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
- Government security: Commonwealth government entities must adhere to the Protective Security Policy Framework (PSPF).
- National security: Australia has a host of national security laws that overlap with cyber security, such as the Australian Security Intelligence Organisation Act 1979, the Crimes Act 1914, the Criminal Code Act 1995 and the Intelligence Services Act 2001.
NSW legislation
There is also NSW-specific legislation and policy that directly relates to cyber security, privacy and freedom of information, including:
- Privacy and Personal Information Protection Act 1998 (NSW), which sets out how NSW public sector agencies must manage personal information to protect individual privacy.
- Health Records and Information Privacy Act 2002 (NSW), which protects individuals’ health records and information.
- Surveillance Devices Act 2007 (NSW), which regulates the installation, use and retrieval of surveillance devices.
- Government Information (Public Access) Act 2009 (NSW), which facilitates the release of government information to the public in the interests of transparency.
- NSW Cyber Security Policy, which sets out the requirements all NSW government agencies must follow to mitigate cyber security risks to their systems, including conducting assurance assessments, assigning cyber security risk ratings and providing security attestations.
Cyber threats are on the rise
Cyber threats not just in Australia but across the globe are on the rise – a situation only exacerbated by the increasing availability and use of advanced artificial intelligence.
Reported cyber security incidents, whether threats, data breaches or hacks, have increased by 23% in the last 12 months, totalling nearly 100,000 cases in Australia. The sharp increase reflects the growing sophistication of cyber criminals and their understanding of how Australian individuals and businesses operate.
Concerns
But is even more legislation, and even more power for government agencies, really the way to go? Many believe the potential harm to personal freedoms is not worth handing even greater control to the authorities.
There is indeed an argument that government control of personal data, compulsory information sharing and mandatory reporting requirements restrict both freedom of expression and privacy, while doing little to actually protect the nation from cyber threats.
And trust in the ability of government departments to use our personal data appropriately, and to protect it against intrusion, is at an all-time low. Given the examples at the start of this article, perhaps that distrust is justified.