Cyber law shake-up to shield companies

Businesses reporting cyber attacks gain new legal protections and have red tape slashed when dealing with regulators, under sweeping cyber security changes.

Home Affairs and Cyber Security Minister Clare O’Neil will release the seven-year national cyber security strategy on Tuesday. Picture: Martin Ollman/NCA NewsWire

Businesses reporting cyber attacks will be afforded new legal protections, have red tape slashed when liaising with regulators and be required to work with government investigators post-incident to forensically probe significant hacking events.

Anthony Albanese’s seven-year cyber security strategy released on Tuesday will address major barriers to businesses reporting malicious intrusions and ransomware attacks launched by state-sponsored actors and criminal gangs.

With companies, governments and critical infrastructure operators coming under unprecedented attack from hackers across the globe, including Chinese state-sponsored actors, security chiefs are worried that thousands of cyber incidents are going unreported due to concerns over legal ramifications.

In response to calls for a “legal safe harbour” for businesses, Home Affairs and Cyber Security Minister Clare O’Neil told The Weekend Australian the government will legislate a “limited use obligation”.

With information in the early stages of a cyber incident considered critical, the new laws will limit how information shared with the Australian Signals Directorate and national cyber co-ordinator can be used by other government entities, including regulators.

The government is also establishing a Cyber Incident Review Board, based on international and domestic models including the US Cyber Safety Review Board and Australian Transport Safety Bureau. The board will run no-fault, post-incident investigations into major cyber attacks, similar to how investigators are sent in following aviation and maritime incidents.

Cyber black-box investigations will seek to “uplift collective cyber security, boosting our ability to hone incident preparation and response”. Investigators will not make findings of fault or interfere with incident responses, intelligence, law enforcement and regulatory functions and judicial proceedings.

Post-incident reports will be publicly shared and fed into “national threat intelligence sharing and blocking networks, cyber awareness programs and national cyber exercises”.

The Weekend Australian can reveal that a single online reporting portal will be developed to help companies navigate mandatory obligations. It will bring key reporting links together in one place, making it “easier for a business or entity which has been targeted by a cyber-attack to understand their reporting responsibilities”.

The Business Council of Australia has previously warned that levels of complexity under current reporting arrangements were “highly problematic”.

“Businesses have reported responding to information requests from upwards of 30 different government agencies for a single incident on an ‘urgent’ basis. This is not helpful: as noted earlier, businesses need to be focused on protecting citizens and customers, not filling out forms,” the BCA cyber security strategy submission said.

An industry code of practice will also be established to “clearly define the service quality and professional standards that are expected from third-party cyber incident response providers”.

The government’s cyber security strategy will be released one week after Air Marshal Darren Goldie – appointed as the inaugural national cyber security co-ordinator by the Prime Minister and Ms O’Neil in June – stepped aside over a workplace complaint. Chief of the Defence Force, General Angus Campbell, this week ordered that he be recalled from his secondment for the matter to be dealt with under Australian Defence Force disciplinary processes.

The sudden departure shocked senior industry figures who had worked closely with Air Marshal Goldie in the lead-up to the strategy’s release.

The ASD this week released its cyber threat update, revealing that nearly 94,000 reports were made to law enforcement through ReportCyber in 2022-23. The ASD revealed China was a major backer of cyber attacks and hacking targeting Australian critical infrastructure and companies. The report found there had been an overall decrease in voluntary reporting from critical infrastructure operators compared to an economy-wide increase.

Ms O’Neil said “when a cyber-incident occurs, every moment matters … that’s why we are making it easier for businesses to get the advice and support they need”.

The limited use obligation regime would not impact regulatory or law enforcement actions, or provide immunity from legal liability. The government will work with business to co-design legislation but is moving to develop an interim approach for the ASD.

“We need industry and the community to trust us, so that when crisis strikes they will take our hand to pull themselves up and bounce back quickly. We know that many businesses and organisations worry that any information they share during a cyber incident could be used against them,” Ms O’Neil told The Weekend Australian.

“Our proposed model, that we will be consulting on, strikes the right balance. Firstly, by encouraging early and open engagement with the ASD and the national cyber security co-ordinator. Secondly, by maintaining an effective regulatory environment that protects the broader public interests.”

The Australian this week revealed that companies will be forced to report cyber ransom demands under Australia’s first mandatory no-fault reporting system but will not be banned from paying criminal gangs and state-sponsored offenders. The new regime comes following last week’s suspected ransomware attack against DP World Australia, which operates 40 per cent of the nation’s maritime freight.

Ms O’Neil said the new incident review body would help “make sure that we learn from the mistakes made”.

“That means understanding what gaps in the system enabled a particular attack and how that knowledge can be used to improve our future cyber readiness,” she said.

The Weekend Australian understands the initiatives are linked to key recommendations of the government’s review, led by Cyber Security Cooperative Research Centre chief executive Rachael Falk, into the Optus and Medibank cyber attacks.

Ahead of the cyber strategy release, a new SEC Newgate Mood of the Nation poll found that 69 per cent of Australians trusted healthcare providers – who have been targeted by foreign actors – to protect their personal data.

The survey of more than 1,600 Australians conducted between October 19-23 showed similar levels of trust across education (68 per cent), banking (67 per cent) and government services (61 per cent). In the wake of last year’s Optus ransomware attack, Australians had the least trust in the telecommunications (46 per cent) and retail (44 per cent) sectors.

SEC Newgate managing partner Brian Tyson said “the series of recent high profile cyber-attacks have rattled the confidence of the community in the ability of major corporations to ensure their personal data is safe and not sold to the highest bidder through the dark web”.

CyberCX chief strategy officer Alastair MacGibbon, a former Australian Cyber Security Centre head and cyber security adviser to former prime minister Malcolm Turnbull, said it is “clear that Australians are thinking more and more about who they trust with the services they rely on, and with their sensitive and personal information”.

“While some industries are clearly trusted more than others, all organisations in every part of our economy have more work to do to safeguard our businesses, government, and the broader community as the cyber threat environment continues to evolve,” Mr MacGibbon said.

Original URL: https://www.theaustralian.com.au/nation/politics/cyber-law-shakeup-to-shield-companies/news-story/91f4e84bf0140b9c7ae3704f5cb66932