Government flags possible Cyber Security Act
The federal government is considering a specific Cyber Security Act – or an expansion of the existing Security of Critical Infrastructure Act – as a major reform under its cyber security strategy.
A long list of proposed reforms – posed as a series of questions – is contained in a discussion paper released by Home Affairs today.
The release of the paper was flagged this morning by cyber security minister Clare O’Neil, who said the government wanted to add “strategy, structure and spine” to its cyber security policy.
A revised national cyber security strategy will replace the $1.7 billion plan inherited from the previous government.
The strategy discussion paper [pdf] proposes expanding the Security of Critical Infrastructure Act – SoCI – to cover “customer data” and “systems”.
This could mean a lot more companies must answer to SoCI, including those standing up customer data platforms (CDPs) and other systems used in marketing.
The paper also flags the possibility of more specific cyber security legislation: “Should Australia consider a Cyber Security Act, and what should this include?” it asks.
In addition, it is set to explore the role of government in policy and practical security settings; whether paying ransoms should be outlawed; and the issue of cooperation between authorities and industry.
The consultation suggests that critical industry participants are unhappy with the requirement that they call in the Australian Signals Directorate (ASD) if attacked or breached, because of concerns that the information might reach regulators.
“During a cyber incident, would an explicit obligation of confidentiality upon the ASD’s Australian Cyber Security Centre (ACSC) improve engagement with organisations that experience a cyber incident so as to allow information to be shared between the organisation and ASD/ACSC without the concern that this will be shared with regulators?” it asks.
Industry engagement with the ASD has been an issue in the past. In 2021, Toll was criticised for paying more attention to its incident response than to the ASD.