Trio of Home Affairs Bills covering cyber, ransomware, telco data enter Parliament

Legislation for Home Affairs' ransomware action plan that was announced in October has now been tabled.
Written by Campbell Kwan, Contributor


Home Affairs Minister Karen Andrews introduced three new Bills into Parliament on Thursday, covering the federal government's ransomware action plan, critical aviation and marine cybersecurity, and mobile phone access in prisons.

The first of the three Bills contains criminal law reforms announced in October last year as part of Home Affairs' ransomware action plan to create tougher penalties for cybercriminals. Chief among these penalties are an increased maximum penalty of 10 years' imprisonment for cybercriminals that use ransomware and a new maximum penalty of 25 years' imprisonment for criminals that target Australia's critical infrastructure.

Labelled by Home Affairs Secretary Mike Pezzullo earlier this week as the government's "offence" against cyber threats, the Bill also seeks to criminalise individuals buying and selling malware for the purpose of committing a computer offence and dealing with stolen data.

The Bill, if passed, would also expand law enforcement's ability to monitor, freeze, and seize ill-gotten gains of criminals to also cover digital assets, including those held by digital currency exchanges.

According to Andrews, the reforms are a response to the growing threat of malicious cyber attacks.

"This Bill gives Australian law enforcement agencies the legal tools and capabilities they need to pursue and prosecute ransomware gangs and the pervasive threat of ransomware attacks on Australia and Australians," Andrews said.

"The Morrison government will not tolerate attacks on Australia's critical infrastructure, small businesses, or targeting the most vulnerable members of our community. Cybercriminals use ransomware to do Australians real and long-lasting harm."

When the ransomware action plan was first announced, Andrews said the legislation would sit alongside a mandatory ransomware incident reporting regime, which would require organisations with a turnover of over AU$10 million per year to formally notify government if they experience a cyber attack. Concrete details of the ransomware reporting regime are still yet to surface, however.

The second Bill Andrews introduced into Parliament on Thursday was the Transport Security Amendment (Critical Infrastructure) Bill 2022 (TSACI Bill), which Andrews said is aimed at bolstering the cyber defence of Australia's airports and seaports.

"The aviation and maritime transport sectors that support our economy and way of life are targets for criminals, terrorists, and malicious foreign actors. This is why in times of emergency we must be prepared to protect our critical aviation and maritime sectors," Andrews said.

Unlike the pair of Critical Infrastructure Bills that already entered Parliament, with the first of them becoming law last year, the TSACI Bill is focused on creating additional reporting requirements for aviation and maritime entities whereas the other two Bills were drafted to generally cover entities across Australia's 11 designated critical infrastructure sectors.

The federal government said critical aviation and maritime needed additional reporting requirements against cyber threats due to the impact of the COVID-19 pandemic, as well as for times of emergency. This includes a new requirement for critical aviation and maritime entities to report cybersecurity incidents to both Home Affairs and the Australian Signals Directorate (ASD). 

Examples of cybersecurity incidents are malware, phishing, denial of service, and cross-site scripting, the Bill's explanatory memorandum details. 

The new Bill also classifies cybersecurity incidents that have a relevant impact on a critical aviation or maritime asset to be unlawful interference. If the person who created the cybersecurity incident that had a relevant impact is convicted, they could potentially face the tougher penalties proposed in the aforementioned ransomware action plan legislation. A cybersecurity incident will be deemed to have created a relevant impact if it affected the availability, integrity, reliability or confidentiality of information about the asset.

The Bill also seeks to create an "all hazards" reporting framework that will require critical aviation and maritime entities to consider and be resilient to any natural disasters, cyber vulnerabilities, and supply chain disruptions that could impact their ability to provide services.

According to the TSACI Bill's explanatory memorandum, the new reporting requirements align with the reporting requirements contained in the first Critical Infrastructure Bill and work alongside the existing reporting requirements for other types of aviation and maritime security incidents.

The last of the three Bills is legislation to help state and territory corrective services authorities identify, investigate, and prevent criminal activity involving illegal mobile phones in Australia's prisons.

If passed, the Bill would amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to give prison authorities the ability to access telecommunications data to track down illegal mobile phone use in prisons.

"It is vital for prison authorities to have the powers they need to uncover illicit mobile phones and access their telecommunications data to prevent and prosecute criminal and national security offences inside Australia's prisons," Andrews said.

"Australians expect our prison authorities to have the legal powers they need to identify and prosecute an inmate or inmates found to be linked to illegal mobile phones, to stop criminal activity, and to stop inmates establishing criminal networks within our prison system."

Before the prison mobile phone legislation came before Parliament, Andrews had already provided immediate access to these powers to Corrective Services NSW, using her temporary declaration powers under the TIA Act.
