Australian telcos face more national security regulation

While the Australian telecommunications industry struggles to meet tight deadlines to comply with the mandatory data-retention scheme, the government has announced another round of national security legislation targeting telecommunications carriers in Australia, this time giving the Attorney-General's Department greater control, access, and oversight of telecommunications networks.

The draft (PDF) of another amendment to the Telecommunications Act released by Attorney-General George Brandis and Communications Minister Malcolm Turnbull on Friday afternoon outlined plans to introduce the legislation later this year.

Under the proposed changes, carriers will be required to ensure that they "must do their best" to protect their networks from unauthorised access.

The secretary of the department will also be able to issue telcos with a direction to refrain from undertaking certain activity on their networks, after consultation with the head of the Australian Security Intelligence Organisation (ASIO) and the Department of Communications secretary.

The secretary can also write to telcos and force them to hand over information in the format of the secretary's choosing, or face fines. This information can then be shared with anybody by the secretary, provided it relates to assessing the risk of unauthorised interference with or access to telecommunications networks, or is for "the purposes of security".

Telcos must also notify security agencies of changes to networks and management systems that could potentially affect the telcos' ability to protect their networks.

"Australia's economic prosperity and social well-being are increasingly dependent on telecommunications networks and data that flows across them. It is vital that we maintain the security and resilience of these networks in a global environment of increasingly sophisticated national security risks," the ministers stated on Friday.

"The reforms will ensure that businesses, individuals, and the public sector can continue to rely on telecommunication networks to store and transmit data safely and securely -- and to support other critical infrastructure sectors."

The government will go through an industry consultation period on how the changes should be implemented, and the ministers claimed the new powers "will only be used as a last resort, to protect the national interest".

Much of the regulatory impact document is censored, but the government has said the change is needed because attacks are coming from a wide variety of sources including "nation states and hacktivists" and industry "goodwill" alone was not enough to encourage telcos to work with the government on national security.

The government has also indicated it would have oversight into the equipment carriers can purchase.

"Australian telecommunications networks rely on global suppliers of equipment and managed services which are often located in and operate from foreign countries. This can create further challenges in implementing controls to mitigate personnel, physicaland ICT security risks in some locations and therefore make networks and facilities more vulnerable to unauthorised and interference," the government stated.

According to the regulatory impact statement, complying with the proposed framework will cost the industry AU$558 million to set up, and there are ongoing costs expected to cost each telco AU$184,000 per year.

Submissions on the draft legislation are being accepted until July 31, 2015.