The Weekly Cybers #39
Australia’s massive new cybersecurity legislation package, a move to keep NBN in public hands, the continuing push for social media age bans but with hints of a rollback strategy, and much more.
Welcome
You wanted cybers, you got cybers! The massive Cyber Security Legislative Package dropped this week, despite not even being mentioned in the draft legislation program last week. All to better manage the news cycle, right?
There’s also legislation intended to prevent the National Broadband Network (NBN) ever being sold off.
Meanwhile governments around Australia continued their push to introduce a minimum age for using social media, and a Senate committee has called for a focus on AI-generated election material.
Look at all the cybersecurity legislation!
Here it is, the Cyber Security Legislative Package 2024. Well, that’s the press release.
The legislation comes in three parts: the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024.
To summarise a summary at The Conversation, the package includes:
- A strong focus on ransomware, with victims having to report ransomware payments to the government.
- Obligations on the National Cyber Security Coordinator and the Australian Signals Directorate (ASD) that any information given to them will be safeguarded.
- Stronger privacy protection programs for individuals’ data held by critical infrastructure providers.
- More investigative powers for the Cyber Incident Review Board, established last year, which will conduct “no-fault” investigations, much as happens with air safety investigations.
- Minimum cybersecurity standards for all smart devices.
There’s a lot in the 175 pages of legislation, so I may well have more to say next week. But during my first run-through I discovered the curious definition of “significant cyber security incident”.
Section 34(a) of the Cyber Security Bill has some standard boilerplate setting out when the National Cyber Security Coordinator needs to step in.
“[If] there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice: (i) the social or economic stability of Australia or its people; or (ii) the defence of Australia; or (iii) national security”
Fair enough. But section 34(b) adds:
“[or] the incident is, or could reasonably be expected to be, of serious concern to the Australian people.”
Given that “serious concern” is not defined, one might imagine this being manipulated by confected media outrage or for political purposes — although I am not a lawyer.
This whole package of legislation will of course be reviewed by the Parliamentary Joint Committee on Intelligence and Security (PJCIS). Submissions close in just two weeks, on Friday 25 October, and you should indicate your intention to make a submission by Friday 18 October.
Yet another wake-up call, just like a decade ago lol
Your writer was amused to see this paragraph in that piece at The Conversation:
Prime Minister Anthony Albanese has also acknowledged recent high-profile attacks as a “wake-up call” for businesses, emphasising the need for a unified approach to cyber security.
Amused because literally a decade ago I wrote: Enough with the cyber “wake-up calls”. “We already know information security is in dire shape, so let's get on with fixing it — because we do know how.”
AustCyber reborn as Australian Cyber Network
Also launched this week was a new organisation to encourage cyber cooperation between the government and private sector, the Australian Cyber Network (ACN).
As InnovationAus notes, this is essentially AustCyber reborn. AustCyber was the government-funded cybersecurity Industry Growth Centre, which later developed ties with startup incubator Stone and Chalk.
Call for focus on AI-generated election material
The Senate Select Committee on Adopting AI has issued an interim report which makes five recommendations relating to AI-generated election material, which I’ll briefly paraphrase:
- Introduce “voluntary codes relating to watermarking and credentialling [sic] of AI-generated content” before the next election.
- Conduct a “thorough review” of potential regulatory responses to AI-generated political or electoral deepfakes.
- Ensure that laws relating to such material “complement rather than conflict with the mandatory guardrails for AI in high-risk settings” and other recent reforms.
- Make sure that the mandatory guardrails do in fact relate to such material.
- Look into “mechanisms, including education initiatives, to improve AI literacy for Australians, including parliamentarians and government agencies”.
I should note that there’s a number of dissenting views. In particular, the Coalition senators are reserving their views “until the United States’ policy response to AI is holistically assessed following the US election”.
“Unlike the theme of the report, the Coalition members of the committee hold that freedom of speech is not a mere constitutional guardrail, but that freedom of speech is integral to the success of our liberal democracy.”
The committee’s full report is due by 26 November. I doubt the US will have completed its review by then.
IF YOU FIND THIS NEWSLETTER HELPFUL, PLEASE SUPPORT IT: The Weekly Cybers is currently unfunded, so it’d be lovely if you threw a few dollars into the tip jar at stilgherrian.com/tip. Many thanks to Anthony Cabrera, Jason Snelders, Martin English, Matthew Moyle-Croft and others for your recent contributions.
Governments keep pushing social media age bans
Last Friday prime minister Anthony Albanese wrote to state and territory leaders asking them to work together on an age ban to prevent under-16s using social media.
Some of them heeded the call with enthusiasm.
On Thursday and Friday this week the premiers of NSW and South Australia held a two-day summit which began from the position that the ban was happening.
As Professor Axel Bruns from QUT’s Digital Media Research Centre observed about Thursday’s session:
“’The results are in, the science is settled’, says SA Premier Peter Malinauskas in his opening remarks at an event that seems set to ignore so much of the world-leading research on social media and children that is coming out of Australia.”
Needless to say, NSW Premier Chris Minns is also on board with the ban. “The rates of self-harm, of suicide, anxiety of mental health and depression almost exactly correlate with the widespread, ubiquitous use of social media.”
Of course it also coincides with living through the Great Financial Crisis, the COVID-19 pandemic, wars in Europe and the Middle East, and a worsening climate crisis.
Bruns posted about the cherry-picking of data, and the focus on risk rather than safety, and even the fact that it was well into the afternoon before anyone even tried to define “social media”, before concluding:
“What a strange event — it feels like we’ve done it back to front. We started with a commitment to a social media ban for young people, and then the sessions highlighted all the reasons why that’s a terrible idea.”
However on Friday we saw the first signs of how the government’s hardline approach might be rolled back.
Communications minister Michelle Rowland said some platforms could escape the age ban if they can demonstrate a “low risk of harm to children”.
In her speech to the summit, she said:
“The aim of an exemption is to create positive incentives for digital platforms to develop age-appropriate versions of their apps, and embed safe and healthy experiences by design... We will set a 12-month implementation timeframe to provide industry and the regulator time to implement systems and processes.”
You can watch the recording of Thursday's main sessions in Sydney and Friday’s main sessions in Adelaide for yourself. Your writer doesn’t have the time today. But do check your favourite media outlets for some analysis on the weekend.
Also this week:
- Eating disorder experts say the age ban won’t be enough, and instead want to force platforms to be more transparent about algorithms. The phrase “knee-jerk” policy response was used.
- ACT’s chief minister Andrew Barr says it “doesn’t make sense” for existing users to be banned for a year or two before regaining access. Opposition to banning younger teens from social media is growing.
- “More than 120 experts and academics and dozens of youth, mental health and legal organisations [have signed] an open letter (PDF) to the prime minister arguing against it.”
- At ABC News, national technology reporter Ange Lavoipierre asks: “Australia’s push for a teen social media ban is a lonely path. Are we brave or just lost?”
New legislation aims to prevent NBN sell-off
On Wednesday the government introduced legislation to ensure the NBN remains in government hands. As Michelle Grattan wrote:
The move is designed to set up a test for the Coalition, putting pressure on the opposition ahead of the election to declare whether it would try to privatise the NBN.
I won’t comment any further on the politics of this, because the NBN has long since become a political football rather than a properly thought-through infrastructure strategy. That’s why I eventually stopped writing about it.
However here’s the National Broadband Network Companies Amendment (Commitment to Public Ownership) Bill 2024.
The amendments remove everything in legislation relating to the potential sale of the NBN, and replace it with a statement of intent that “NBN Co remains wholly owned by the Commonwealth”.
The Greens are pushing for a wider inquiry, which would also look at NBN accessibility, affordability, and executive pay.
NEW PODCAST: Last week I recorded a fun and cynical conversation with AI realist David Gerard, co-editor of the newsletter Pivot to AI. Look for The 9pm Edict in your podcast app, or listen at The 9pm AI Just Doesn’t Work with David Gerard (#NotAllAI).
Also in the news
- The Crimes and Other Legislation Amendment (Omnibus No. 1) Bill 2024 was passed, which among other things clarifies police powers relating to the seizure of digital assets such as cryptocurrency; increases the penalty unit for Commonwealth crimes from $313 to $330; and creates the position of Communications Security Coordinator in the Department of Home Affairs.
- Under new legislation to prevent another robodebt, the Oversight Legislation Amendment (Robodebt Royal Commission Response and Other Measures) Bill 2024, agencies may be forced to give investigators access to their IT systems and devices, including “by remote means”. And on top of that, the burden of proof will be on public servants to show they did the right thing.
- Cyber Daily has news of quite a few data breaches and ransomware hits this week, including at Qantas, Marriott, Perfection Fresh, security firm ADT, and TPG Aged Care.
- The report from the senate committee looking at the Murdoch Media Inquiry Bill 2023 has recommended the bill not be passed, although the Greens senators disagreed, saying “The fight for a strong Fourth Estate is existential — it deserves a Royal Commission”. Because royal commissions are magic.
- Australian Federal Police (AFP) continues to work with Thai counterparts on scams and organised crime. A new Australia Room at Royal Thai Police (RTP) will be a forensics training hub serving cops from Cambodia, Laos, Thailand, and Vietnam.
- I missed this last Friday, but it’s worth reporting. The Federal Court of Australia has upheld the eSafety Commissioner's fine of $610,500 for failing to cooperate with a regulator's request for information about anti-child-abuse practices, per this judgment.
- CORRECTION: Some three weeks ago I pondered whether evidence taken during the takedown of the Ghost encrypted comms network would be admissible in court, given a challenge to evidence gathered via the AN0M encrypted network. I have since discovered that South Australia’s Court of Appeal ruled that evidence admissible back in June.
Elsewhere
- Most of Australia’s popular car brands collect and share “driver data”, and some even sell it to train AI models. The details are in research by CHOICE.
Inquiries of note
- Just the inquiry into the Cyber Security Legislative Package mentioned above, but that should keep you busy.
What’s next?
Parliament is now on a break until 4 November, when the House of Representatives kicks off its next session and the Senate holds its Supplementary Budget Estimates hearings.
The Parliamentary Joint Committee on Law Enforcement's inquiry into the capability of law enforcement to respond to cybercrime has scheduled public hearings in Canberra for Wednesday 16 and Tuesday 22 October.
Also on 22 October, a public hearing in Canberra for the inquiry into the Privacy and Other Legislation Amendment Bill 2024.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.