Home Affairs wants to expand telco security reform notification requirements

Under Australia's Telecommunications Sector Security Reforms (TSSR), all carriers and nominated carriage service providers (C/NCSPs) are required to notify the Communications Access Coordinator (CAC) of proposed changes to their telecommunications systems or services if they become aware of any proposed changes that are likely to have a "material adverse effect" on their capacity to comply with security obligations.

As of 30 June 2020, the Department of Home Affairs has received a total of 66 notifications. It told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) the notifications received from carriers to date represented the vast majority of the fixed-line and mobile telecommunications market in Australia.

In its submission [PDF] to the PJCIS, Home Affairs suggested additional types of notices "with more nuanced language" to reflect various levels and types of risk and the urgency of adopting further mitigations.

See also: The disappointment of Australia's new cybersecurity strategy

"Home Affairs notes that there has been some variation among C/NCSPs in their approach to the TSSR notification obligation. The obligation relies on self-determination by C/NCSPs of whether a proposed change warrants a notification, regardless of the guidance provided by Home Affairs," it wrote.

"There have been instances where Home Affairs has engaged with a carrier about a proposed change to their networks and subsequently recommended that the carrier submit a notification as it was Home Affairs' view that the features and characteristics of the proposed change introduced significant risk."

Despite Home Affairs' recommendations to these carriers, the department said they did not proceed to submit a formal notification, as in the carrier's view, the proposed changes to their networks or facilities did not meet the carrier's internal risk assessment thresholds for formal notification.

"In the absence of a notification, government has no visibility of changes to networks or steps taken to mitigate risks and cannot provide advice," Home Affairs said.

The PJCIS is currently conducting a statutory review of the operation of Part 14 of the Telecommunications Act 1997 to the extent that it was amended by the Telecommunications and Other Legislation Amendment Act 2017 TSSR.

The reforms passed in September 2017 and commenced exactly one year later, which established a regulatory framework for managing the national security risks of Australia's telecommunications networks and facilities.

Home Affairs said telecommunications networks and facilities, and the carriers and CSPs that own or operate them, are attractive targets for espionage, sabotage, and foreign interference activity by state and non-state actors.

"TSSR is a principles-based framework that formalises the good faith engagement between Home Affairs and Australia's telecommunications sector to better manage national security risks to telecommunications networks," the department says.

The TSSR introduced four key elements: Security obligation, notification obligation, information gathering power, and a directions power.

Home Affairs said amending the Act to allow it to request notification about a proposed change, including in circumstances where a C/NCSP has internally determined that it need not notify, would ensure that any changes to telecommunications networks and systems do not introduce national security risks.

Amending the Act to give Home Affairs the ability to impose conditions, including conditions relating to the use of entities in the supply chain, or require a C/NCSP to take specific action would help to mitigate identified risks with a proposed change, the department said. It explained this would ensure the conditions or mitigations are implemented and appropriate for the lifecycle of the change. 

In making this statement, the department noted amendments to include a formal mechanism that requires the C/NCSP to continue to engage with Home Affairs after conditions or mitigations have been imposed.

The department also flagged the requirement for C/NCSPs to have in place a security capability plan that can demonstrate they are meeting their baseline security requirements as another potential TSSR enhancement.

This is tackled in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which seeks to amend the Security of Critical Infrastructure Act 2018 to implement "an enhanced framework to uplift the security and resilience of Australia's critical infrastructure".

Read more: Tech giants not convinced Australia's critical infrastructure Bill is currently fit for purpose

"Noting that telecommunications remains a key sector of critical infrastructure, the [positive security obligation (PSO)], if applied to the telecommunications sector  … could replace the current security capability plan provision," Home Affairs said.

Further enhancements were listed under the directions powers, which grants the Minister for Home Affairs the power to issue a written direction to a C/CSP not to use or supply, or to cease using or supplying, a carriage service if, after consulting the Prime Minister and the Minister for Communications, Cyber Safety and the Arts, the minister considers the proposed use or supply of the carriage service is or would be prejudicial to security.

"The directions powers are considered to be appropriate last resort mechanisms. However, the graduated powers that will be available under the [Protecting Critical Infrastructure and Systems of National Significance] reforms, should they be passed by Parliament, would assist to provide options for government to address risks that are of a lower order," it said.

"Graduated powers being designed under the … reforms could extend the positive security obligation that includes risk management planning obligations which would allow government to indicate where telecommunications entities may need to take steps to address risks in their supply chains without resorting to the directions power."

Telstra used its submission [PDF] to the PJCIS to highlight its support of the use of the existing TSSR framework and that it believes there will be significant benefits in using it to meet the government's objectives of strengthening the existing security of critical infrastructure framework.

It asked for the informal engagement model to be legislated into the TSSR and that formal notifications be used as a last resort mechanism where entities fail to engage with government.

Telstra also recommended that the information gathering and direction powers under the TSSR remain in place and be carried into the sector-specific rules under the proposed Critical Infrastructure and Systems of National Significance reforms.

"Whilst this regime has not been tested, the safeguards and guardrails were heavily negotiated during the TSSR implementation and should remain," the telco said.

Global cybersecurity firm Palo Alto Networks also submitted [PDF] its opinion to the committee, asking the PJCIS look at ways to "encourage and incentify ISPs and telcos to maintain constant real-time visibility across traffic passing through their networks and be able to detect and stop cybersecurity threats in real time within that traffic for all customers".

It also noted the merits of adopting a clean pipes solution to protect the nation from cyber threats and make it a less attractive target to adversaries.

RELATED COVERAGE

• Australian telco security coordinator concerned at network virtualisation plans
• Australia's critical infrastructure definition to span communications, data storage, space  
• AWS concerned with government powers in Australia's new critical infrastructure Act
• Cyber must be part of all-hazards national resilience: Home Affairs chief