Lieutenant General Michelle McGuinness CSC, Australia’s National Cyber Security Coordinator, and Hamish Hansford, Deputy Secretary of Cyber and Infrastructure Security Group, discuss the four key measures of Australia’s first Cyber Security Act.
Michelle McGuinness CSC:
The Australian Government has introduced Australia’s first Cyber Security Act – a key step forward in uplifting Australia’s cyber security and the resilience of our critical infrastructure.
This is a large part of implementing the Cyber Security Strategy, addressing gaps in previous legislation to bring us in line with international best practice and ensure Australia is on track to become a global leader in cyber security by 2030.
Hamish Hansford:
So the Cyber Security Act does four things. Firstly it mandates minimum cyber security standards for smart devices and connectable products. So what are they? They are everything from baby monitors to smart watches, and manufacturers and suppliers of these products will be responsible for complying with the minimum standards and then be able to provide a statement of compliance to supply these goods in the Australian economy. So that’s a really big and important change. And it’s an important change because it will better protect Australian consumers and make us rely on secure products.
The second thing that the Act will do is establish mandatory ransomware reporting for certain businesses. And this is really because we don’t understand the true nature and quantum of payment to criminals and for people who are victims of cybercrime and this reporting requirement really does get us to understand the basis of the quantum in the economy but also who is reporting, so we can better help you, better help understand the threat landscape and tailor advice back to you so that we can be continuously improving and disrupting the ransomware business model.
Michelle McGuinness CSC:
The third aspect is a limited use obligation that has been established under the Cyber Security Act for me and my team, as the National Cyber Security Coordinator, to clarify and control how information provided voluntarily during a cyber incident may be shared or used.
This Limited Use provision will better enable me to lead whole-of-Government coordination in response particularly to significant cyber security incidents by providing assurance to impacted entities that information they share won’t be used for civil or regulatory action. It will improve my team’s ability to assist entities particularly early in their days of an incident response.
The final key feature of the Cyber Security Act is the establishment of the Cyber Incident Review Board. The Board will be empowered to conduct independent, no-fault, post-incident reviews of significant cyber security incidents.
The Board will issue findings and make concrete recommendations to aid in the prevention, detection, response and minimisation of future cyber incidents across our economy.
Independent in the performance of its functions and exercise of power, the Board will not interfere with ongoing incident response or regulatory, operational or law enforcement processes that will be surrounding the same incident.
Hamish Hansford:
And so through the efforts of government, and industry and indeed the community working together, we’re going to be really well positioned to try and prevent and respond to some of the threats that we will face over the coming years, and the Cyber Security Act is a really important component in this work.
Michelle McGuinness CSC:
You can find out more about the Cyber Security Act, including some really helpful factsheets at our website: homeaffairs.gov.au/cybersecurity.