Senate

Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024

Revised Explanatory Memorandum

(Circulated by authority of the Minister for Home Affairs and Minister for Cyber Security, the Honourable Tony Burke MP)
THIS EXPLANATORY MEMORANDUM TAKES ACCOUNT OF AMENDMENTS MADE BY THE HOUSE OF REPRESENTATIVES TO THE BILL AS INTRODUCED

GENERAL OUTLINE

The Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (the Bill) amends the Intelligence Services Act 2001 (IS Act), to legislate a limited use obligation to protect the information voluntarily provided to, or acquired or prepared by the Australian Signals Directorate (ASD) during an impacted entity's engagement in relation to a cyber security incident or a cyber security incident that may potentially occur. The information protected by this obligation is referred to as 'limited cyber security information' both throughout the Bill, and in this explanatory memorandum.

The amendments in this Bill complement the 'limited use' obligation applicable to the National Cyber Security Coordinator outlined under Part 4 of the Cyber Security Bill 2024.

The Bill also amends the Freedom of Information Act 1982 to include an exemption from Freedom of Information requests for a document given to, or received by, the National Cyber Security Coordinator (the Coordinator) for the purposes set out under Part 4 of the Cyber Security Bill 2024.

Schedule 1: Amendments establishing a limited use obligation on ASD

Schedule 1 of the Bill implements a key initiative of the 2023-2030 Australian Cyber Security Strategy, designed to encourage industry engagement with Government regarding a cyber security incident. Industry engagement is encouraged by providing entities with assurance, through a legislative mechanism, that information reported to ASD will not be on-shared and subsequently used by recipients for reasons other than permitted cyber security purposes.

ASD is the lead technical authority in providing cyber security advice and assistance to Australian Government departments, businesses and individuals. Critical to ASD's success in performing this role is its ability to:

a. mitigate harms in early stages of cyber incidents through aggregating information derived from diverse sources;
b. provide advance warning of potential threats to Australia and Australia's interests;
c. provide technical incident management advice and assistance to entities affected by a cyber security incident;
d. develop and maintain a comprehensive national cyber threat picture; and
e. provide advice on the uplift of cyber security.

ASD is best enabled to perform its cyber security function where partnerships are underpinned by high levels of trust that, in turn, enable the free flow of rich cyber security related information between industry and government. The amendments in the Bill are necessary to address a decline in the quality, quantity and timeliness of proactive engagement with ASD in light of the evolving regulatory environment.

Both industry feedback and ASD's operational experience indicate a declining willingness from entities to share technical cyber security incident, network telemetry, and vulnerability information in a timely fashion with ASD. This trend has been driven in part by compliance and risk-based considerations as entities assess their obligations against various regulatory regimes, and potential exposure to litigation. This decreasing engagement and information flow between industry and ASD presents a significant risk to Australia's national cyber security posture, as it impedes ASD's ability to maintain a comprehensive national cyber threat picture and provide timely technical cyber security advice and assistance.

Schedule 1 of the Bill amends the IS Act to establish a clear legislative obligation in relation to cyber security information that is voluntarily provided by entities or through their representatives to, or acquired or prepared by, ASD. As amended, the IS Act will make clear that ASD will only on-share limited cyber security information for permitted cyber security purposes. Schedule 1 of the Bill also prescribes how a receiving party may use limited cyber security information when on-shared by ASD.

Cyber security incident information must meet a prescribed threshold in order to be classified as limited cyber security information to be protected by the limited use obligation. The information must relate to a cyber security incident that has occurred, is occurring or has the potential to occur. This broad applicability allows the limited use obligation to protect information relating to the discovery of vulnerabilities on a system, in addition to incident information where exploitation has occurred. Further, Schedule 1 applies to information which has been voluntarily provided to ASD by an impacted entity or a representative of the impacted entity, such as an incident response provider. Information that is acquired or prepared by ASD, through the performance of its functions and with the consent of the entity, is also eligible for classification as limited cyber security information. This enables technical programs administered by ASD where an entity is informed of a breach to be covered by the Schedule, to promote early and open engagement with ASD.

Schedule 1 of the Bill does not restrict ASD's internal use of the relevant information or mandate any sharing of information with others. ASD maintains discretion as to whether, and how much, information is on-shared for a permitted cyber security purpose. The limited use obligation applies only to the information provided to, or acquired or prepared by, ASD and to any on-sharing of that information by ASD. The limited use obligation does not apply to any information relating to the cyber security incident held by the impacted entity that is shared by the entity through other means at its discretion.

Schedule 1 also provides protections for limited cyber security information in Commonwealth, State and Territory court proceedings, such that the information is not admissible in proceedings against the impacted entity, subject to certain exceptions. Additional protections prevent the Director-General of ASD and staff members of ASD from being subpoenaed or compelled to provide limited cyber security information in State, Territory or Commonwealth proceedings.

Schedule 1 of the Bill strikes an appropriate balance between providing assurance to entities to encourage early and open engagement with ASD, and protecting broader public interests by not impeding an effective and efficient regulatory environment. The amendments do not:

f. impact the reporting and notification requirements of entities under existing legislation to Australian regulatory bodies;
g. preclude other government agencies, including regulators, from seeking or acquiring such information directly from entities under existing information gathering powers; or
h. provide a shield or safe harbour for entities against legal liability.

Australia's cyber threat environment continues to evolve. Australia's critical infrastructure networks are regularly targeted by opportunistic and persistent threat actors. Malicious cyber actors are quick to exploit critical vulnerabilities and consistently adapt their already disruptive tactics to obtain maximum benefit. The speed with which cyber threats spread and evolve means that no single organisation or person can effectively defend against all threats alone. By promoting early and fulsome engagement with ASD, the limited use obligation will bolster ASD's ability to mitigate harms in early stages of cyber incidents, warn others of potential threats, provide incident management advice and assistance, provide advice on cyber security uplift, and maintain a comprehensive national cyber threat picture. Cooperation on a national scale is one of Australia's greatest advantages against malicious cyber activity.

ASD is subject to a range of legislative requirements in the IS Act. The limited use obligation is not intended to impede or fetter ASD's existing legislative oversight arrangements. However, information that is provided to, or acquired or prepared by, ASD will fall under the existing exemptions in the Freedom of Information Act 1982 (FOI Act) and the Privacy Act 1988 (Privacy Act) that apply to ASD information.

CONSULTATION

On 19 December 2023, the Minister for Home Affairs and Minister for Cyber Security released the Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper. Consultation remained open until 1 March 2024. The Department of Home Affairs received over 130 written submissions and stakeholders were broadly supportive of the limited use proposal with feedback focused on ensuring the measure achieves its intended outcomes.

On 4 September 2024, the Department of Home Affairs released a targeted exposure draft of the proposed legislative reform package. The exposure draft period closed on 11 September 2024, with over 60 written submissions received and over 200 attendees at two closed-door virtual town halls. Feedback on the limited use proposal was broadly supportive, with stakeholders keen to ensure the sharing of information is limited in order to achieve the stated intent.

FINANCIAL IMPACT STATEMENT

There are no financial impacts arising from this Bill.

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

A Statement of Compatibility with human rights in respect of the amendments contained in the Bill is at Attachment A. The Statement assesses the amendments to be compatible with Australia's human rights obligations.
