Date: 2023-12-20

The Australian federal government launched the Cyber Security Legislative Reforms consultation paper on 10 December to gather citizens' and businesses' views on new legislative initiatives and proposed amendments to the Security of Critical Infrastructure Act 2018.

This consultation paper, published by the Department of Home Affairs, outlines reforms that were in the 2023-2030 Australian Cyber Security Strategy action plan and covers nine areas.

New cybersecurity legislation

In short, the four proposed legislative initiatives are: secure-by-design standards for internet of things devices; ransomware reporting obligations; a limited use obligation for information provided to the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator (Cyber Coordinator); and the establishment of a cyber incident review board.

Secure-by-design standards for internet of things devices

The federal government is seeking views on designing a mandatory cyber security standard for consumer-grade IoT devices. It intends to align with international standards such as ETSI EN 303 645, which aligns with the UK's PSTI Act, ensure consistency between jurisdictions, and minimise the regulatory burden on Australian businesses, while also meeting Australia's national security objectives.

The paper seeks views on whether the first three principles of the ETSI EN 303 645 standard would be an appropriate minimum standard to mandate for cyber security of smart devices in the Australian market. These are to ensure that smart devices do not have universal default passwords, implement a means to receive reports of cyber vulnerabilities in smart devices, and provide information on minimum security update periods for software in smart devices.

Ransomware reporting obligations

The Australian government says it wants to collect information on ransomware demands and possible payments made to attackers so that it can understand and act quickly to identify and stop attackers.