[LINK] The new Aussie cyber security laws

Roger Clarke Roger.Clarke at xamax.com.au
Sat Oct 12 21:40:24 AEDT 2024 

 > The Australian government has introduced new cyber security laws. 
Here’s what you need to know
 > By David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, 
Griffith University.
...
 > These standards will establish a baseline level of security for 
consumers. They will include secure default settings, unique device 
passwords, regular security updates and encryption of sensitive data.
...
 >This is a welcome step that will ensure everyday devices meet minimum 
security criteria before they can be sold in Australia.

Dreamland.

Oh, sorry, I forgot.  David's an ethicist.  Outcomes are optional.

My posting on the privacy list on Thu morning said:

[ This Bill contains lots that government agencies want, so it may be 
one of the exceptions and might survive the near-future proroguing of 
the Clth Parlt.

[ It seemed that one part of it that could be of some actual value.

[ "Mandatory security standards", even if only "for smart devices" (a 
poor attempt at a populist expression of the Bill's scope), might 
finally set baseline security safeguards.

[ But it's a lie.

[ See below for my first-pass assessment of why it's an absolute 
travesty, like so much that goes on in the federal parliament.


HTML: 
https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;db=LEGISLATION;id=legislation%2Fbills%2Fr7250_first-reps%2F0002;query=Id%3A%22legislation%2Fbills%2Fr7250_first-reps%2F0000%22;rec=0#15a99341fa41445b994fc13518d5ca5e

[ "The rules may provide mandatory security standards ...
   "for products that can directly or indirectly connect to the internet 
(called relevant connectable products) that will be acquired in 
Australia in specified circumstances"

[ The definition of 'network-connected product' is dopey - invented by a 
lawyer with no sense of IT architecture.  The sensible approach would be 
to define 'A network-connectable product' in physical-connection terms 
and make no mention of inter-connectability in the definition, and 'An 
internet-connectable product', as it is, relative to "a communication 
protocol that forms part of the internet protocol suite".

The Rule-making power is in s.87.
https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;db=LEGISLATION;id=legislation%2Fbills%2Fr7250_first-reps%2F0007;query=Id%3A%22legislation%2Fbills%2Fr7250_first-reps%2F0000%22;rec=0#114ceec97c7c4f1a8a98fe04021199f3

[ But they're not real Rules (no enforcement) and they're not 
Regulations, and they're not a disallowable instrument.

_________________

On 12/10/2024 14:34, Stephen Loosley wrote:
> 
> 
> The Australian government has introduced new cyber security laws. Here’s what you need to know
> 
> By David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University. October 9, 2024
> https://theconversation.com/the-australian-government-has-introduced-new-cyber-security-laws-heres-what-you-need-to-know-240889
> 
> 
> The Albanese government today introduced long-awaited legislation to parliament which is set to revolutionise Australian cyber security preparedness.
> 
> The legislation, if passed, will be the first Australian standalone cyber security act. It’s aimed at protecting businesses and consumers from the rising tide of cyber crime.
> 
> So what are the key provisions, and will it be enough?
> 
> What’s in the new laws?
> 
> The new laws have a strong focus on victims of “ransomware” – malicious software cyber criminals use to block access to crucial files or data until a ransom has been paid.
> 
> Help us fight misinformation.
> 
> People who pay a ransom do not always regain lost data. The payments also sustain the hacker’s business model.
> 
> Under the new law, victims of ransomware attacks who make payments must report the payment to authorities. This will help the government track cyber criminal activities and understand how much money is being lost to ransomware.
> 
> The laws also involve new obligations for the National Cyber Security Coordinator and Australian Signals Directorate. These obligations restrict how these two bodies can use information provided to them by businesses and industry about cyber security incidents. The government hopes this will encourage organisations to more openly share information knowing it will be safeguarded.
> 
> Separately, organisations in critical infrastructure – such as energy, transport, communications, health and finance – will be required to strengthen programs used to secure individuals’ private data.
> 
> The new legislation will also upgrade the investigative powers of the Cyber Incident Review Board. The board will conduct “no-fault” investigations after significant cyber attacks. The board will then share insights to promote improvements in cyber security practices more generally. These insights will be anonymised to ensure the identities of victims of cyber attacks aren’t publicly revealed.
> 
> The legislation will also introduce new minimum cyber security standards for all smart devices, such as watches, televisions, speakers and doorbells.
> 
> These standards will establish a baseline level of security for consumers. They will include secure default settings, unique device passwords, regular security updates and encryption of sensitive data.
> 
> This is a welcome step that will ensure everyday devices meet minimum security criteria before they can be sold in Australia.
> 
> A long-overdue step
> 
> Cyber security incidents have surged by 23% in the past financial year, to more than 94,000 reported cases. This is equivalent to one attack every six minutes.
> 
> This dramatic increase underscores the growing sophistication and frequency of cyber attacks targeting Australian businesses and individuals. It also highlights the urgent need for a comprehensive national response.
> 
> High-profile cyber attacks have further emphasised the need to strengthen Australia’s cyber security framework. The 2022 Optus data breach is perhaps the most prominent example. The breach compromised the personal information of more than 11 million Australians, alarming both the government and the public, not to mention Optus.
> 
> Cyber Security Minister Tony Burke says the Cyber Security Act is a “long-overdue step” that reflects the government’s concern about these threats.
> 
> Prime Minister Anthony Albanese has also acknowledged recent high-profile attacks as a “wake-up call” for businesses, emphasising the need for a unified approach to cyber security.
> 
> The Australian government wants to establish Australia as a world leader in cyber security by 2030. This goal reflects the government’s acknowledgement that cyber security is fundamental to national security, economic prosperity and social well being.
> 
> Man with white hair wearing suit and tie standing at microphone in parliament house in front of green leather bench.
> Minister for Cyber Security Tony Burke says the creation of a new cyber security act is long overdue. Mick Tsikas/AAP
> Broader implications
> 
> The proposed laws will enhance national security. But they could also present challenges.
> 
> For example, even though the laws place limitations on how the National Cyber Security Coordinator and Australian Signals Directorate can use information, some businesses might still be unwilling to share confidential data because they are worried about damage to their reputation.
> 
> Businesses, especially smaller ones, will also face a substantial compliance burden as they adapt to new reporting requirements. They will also potentially need to invest more heavily in cyber security measures. This could lead to increased costs, which might ultimately be passed on to consumers.
> 
> The proposed legislation will require careful implementation to balance the needs of national security, business operations and individual privacy rights.
> 
> --
> 
> _______________________________________________
> Link mailing list
> Link at anu.edu.au
> https://mailman.anu.edu.au/mailman/listinfo/link

-- 
Roger Clarke                            mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA 

Visiting Professorial Fellow                          UNSW Law & Justice
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list