Australian federal government opens consultation on mandatory ransomware reporting obligation for businesses

The Australian Federal government launched the Cyber Security Legislative Reforms consultation paper on 10 December to gather citizens and businesses views on new legislative initiatives and proposed amendments to the Security of Critical Infrastructure Act 2018.

This consultation paper, published by the Department of Home Affairs, outlines reforms that were in the 2023-2030 Australian Cyber Security Strategy action plan and covers nine areas.

New cybersecurity legislation

In short, the four proposed legislative initiatives are secure-by-design standards for internet of things devices, ransomware reporting obligations, limited use obligation for information provided to the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator (Cyber Coordinator) and establishing a cyber incident review board.

Secure-by-design standards for internet of things devices

The federal government is seeking views on designing a mandatory cyber security standard for consumer-grade IoT devices. It intends to align with international standards such as the ETSI EN 303 645 which aligns with the UK’s PSTI Act, ensure consistency between jurisdictions and minimise regulatory burden on Australian businesses, while also meeting Australia’s national security objectives.

The paper seeks views on whether the first three principles of the ETSI EN 303 645 standard would be an appropriate minimum standard to mandate for cyber security of smart devices in the Australian market. These are to ensure that smart devices do not have universal default passwords, implement a means to receive reports of cyber vulnerabilities in smart devices, and provide information on minimum security update periods for software in smart devices.

Ransomware reporting obligations

The Australian government says it want to collect information on ransomware demand and possible payments made to attackers to understand and act quickly in order to identify and stop attackers.

It also claims it does not want to add another burden to businesses so it is trying to gauge what types of businesses should fall within this mandatory reporting. But, even though the government has referred to this action as “mandatory no-fault, no-liability ransomware reporting obligation”, it is not that simple.

In the consultation paper the government states that “while the proposed ransomware reporting obligation is not intended to enforce penalties on victims of cyber incidents, a proportionate compliance framework for the mandatory reporting scheme, such as a civil penalty provision, will also be required should a business not comply with its ransomware reporting obligations. This would not violate the intention of the no-fault, no-liability principles, as discussed above.”

When it comes to make it less burdensome it might fall short as the proposed obligations are that an entity reports to government:

  • if an entity is impacted by a ransomware or cyber extortion attack and receives a demand to make a payment to decrypt its data or prevent its data from being sold or released.
  • if an entity makes a ransomware or extortion payment.

So, if a business pays a ransom, then they would need to make two reports — once on being impacted and again if a payment is made.

Design a limited use obligation for ASD and the Cyber Coordinator

The government is looking to develop legislation to “encourage” businesses to voluntarily provide information to ASD and the Cyber Coordinator about a cyber incident under a limited basis that would prevent the agencies from using this information for compliance action against the reporting organizations. The idea is to give more information than current regulation requires so the agencies can provide better support when businesses are under attack and to mitigate harms to individuals arising from cyber security incidents.

Create a cyber incident review board

Home Affairs t is seeking input from industry on the design and implementation of a cyber incident review board (CIRB). It is proposed that the CIRB would conduct no-fault incident reviews to reflect on lessons learned from cyber incidents, and share these lessons learned with the Australian public. The paper stated that the CIRB would not be a law enforcement, intelligence or regulatory body. It would be allowed to request information related to a cyber incident but would not have powers to compel and organization to do so.

Amendments to the Security of Critical Infrastructure Act 2018

In light of the country-wide Optus outage that left all its customers without service for approximately nine hours affecting EFTPOs machines among many other services and the cyber incident that had DP World stop most of its port activities for a whole weekend, the Australian government is seeking views on:

  • clarifying obligations for critical infrastructure entities to protect data storage systems that store ‘business critical data’, where vulnerabilities in these systems could impact the availability, integrity, reliability or confidentiality of critical infrastructure.
  • introducing a last resort consequence management power for the Minister for Home Affairs to authorise directions to a critical infrastructure entity (with safeguards in place and where no other powers are available) in relation to the consequences of incidents that may impact the availability, integrity, reliability or confidentiality of critical infrastructure.
  • simplifying information sharing to make it easier for critical infrastructure entities to respond to high-risk, time-sensitive incidents.
  • providing a power for the Secretary of Home Affairs or the ‘relevant Commonwealth regulator’ to direct a critical infrastructure entity to address deficiencies in its risk management program.
  • consolidating security requirements for the telecommunications sector under the SOCI Act.

Driving this is what the government learned following recent incidents impacting critical infrastructure, which highlighted that there are several gaps in the SOCI Act that limit its ability to prepare, prevent and respond to cyber incidents.

Protecting critical infrastructure’s data storage systems and business critical data

To adequately protect secondary systems operated by existing critical infrastructure entities outside the data storage and processing sector the government is proposing to include data storage systems holding ‘business critical data’ in the definition of ‘asset’ under section 5 of the SOCI Act. Furthermore, it proposes an amendment to the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (CIRMP Rules), to include risks to data storage systems holding ‘business critical data’ and the systems that access the data as ‘material risks’ (section 6 of the CIRMP Rules).

Last resort power for the Minister for Home Affairs

The Government proposes to establish last resort powers that would seek to help critical infrastructure entities manage the consequences of significant incidents. This includes preventing or mitigating serious or long-term harm to Australians or critical infrastructure or address consequences that prejudice the socioeconomic stability, national security or the defence of Australia.

As per the proposal, all-hazards power of last resort may only be authorized by the Minister for Home Affairs if there is no existing power available to support a fast and effective response. Among the long list of safeguards, the paper stated that prior to exercising the power, the minister must consult with the affected entity and must be satisfied that the responsible entity is unwilling or unable to address the consequences that prejudice the socioeconomic stability, national security or defence of Australia.

Simplify how government and industry share information

The government is proposing a revision of the ‘protected information’ definition currently in the SOCI Act as it is broad and has led to varying interpretations by industry and government. It proposes that the definition be given greater clarity and specificity. The government is also proposing the clarification of disclosure provisions to allow entities to disclose information for the purpose of the continued operation of, or mitigation of risks to, an asset.

Review and remedy powers to Home Affairs

This proposes to introduce a formal, written directions power — in Part 2A of the SOCI Act — when the Secretary of Home Affairs formed a reasonable belief that an entities’ critical infrastructure risk management program (CIRMP) is seriously deficient, and the deficiency carries a material risk to the socioeconomic stability, defence, or national security of Australia. Or when there is a severe and credible threat to national security; and the Secretary is satisfied that the direction is likely to compel an effective response to address that risk.

Align telco providers to the same standards as other critical infrastructure providers

This last one is due to the telecommunications sector being both under the SOCI Act and the Telecommunications Act. Therefore, the government proposes e to consolidate security regulation for the telecommunications sector under the SOCI Act.

This will mean security obligations from Part 14 of the Telecommunications Act, including the security obligation and the notification obligation, will move to the SOCI Act. Any ‘SOCI-like’ obligations currently applied under the Telecommunications Act will be repealed and activated under the SOCI Act. The new framework will harmonise the current security obligation and notification obligation, into a new Telecommunications Security and Risk Management Program (TSRMP) within the SOCI Act. This will hopefully minimise duplication and scalable obligations.

Home Affairs will accept submissions to the Cyber Security Legislative Reforms consultation paper until 5pm AEDT, Friday 1 March 2024 and these can be done via the consultation online form.

Critical Infrastructure, Government IT, Ransomware

Go to Source