Government accepts recommendations on telco national security Bill
The Australian government is pushing ahead with the Telecommunications and Other Legislation Amendment Bill 2016 after accepting all recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
A joint statement by Communications Minister Mitch Fifield and Attorney-General George Brandis said the Telecommunications Sector Security Reforms (TSSR) will establish a framework for better managing national security threats within the telco sector with an emphasis on "the shared responsibility between government and the telecommunications industry".
"The proposed reforms create an obligation on carriers and carriage service providers to do their best to protect their networks from unauthorised access and interference. This includes providing early advice to government of any changes to their network that may be of security concern, so that agencies can assess risks and cooperate with industry on mitigation strategies," they said.
"Telecommunications networks are a fundamental component of other critical sectors such as health, finance, transport, water, and power. With the increasing threat of interference from malicious actors, including through cyber intrusions, protecting these networks is a priority of this government."
The PJCIS had submitted its advisory report on June 30, making 13 recommendations on changes to be made to the TSSR including that the Bill be passed.
According to Brandis and Fifield, the Bill will be debated in the Senate "soon".
The recommendations accepted by the government include the Attorney-General's Department (AGD) in consultation with industry reviewing and revising guidance within 12 months on companies' obligation in cases where a service is being resold or provided over-the-top; where telco infrastructure is used but not owned or operated by the company; where infrastructure is located in another country; and in the provision of cloud services.
The Bill will now require the PJCIS to review it within three years of royal assent, with the government saying that the scope of the next review will be expanded "to include consideration of the security of offshored telecommunications data that is retained by a service provider for the purpose of the data-retention regime".
Also among the accepted recommendations was that the government work with industry to create mechanisms for information sharing within the 12-month implementation period; and that the AGD provide regularly updated guidance on notifiable items "in response to identified risks or trends in the security environment and ongoing feedback from industry".
The government will also amend the Bill to require carriers to notify the Communications Access Coordinator (CAC) if they intend to store information or documents subject to the Bill outside of Australia; ensure it does not impact the operation of the Privacy Act; specify annual reporting requirements; allow the CAC to issue class exemptions on notification requirements and set out the application process for exemptions; and ensure it does not apply to broadcasters exempt from being treated as a carriage service provider under the Telecommunications Act.
The government will also amend the explanatory memorandum to specify that "negotiating in 'good faith' includes consideration of whether the CAC has complied with the applicable statutory timeframes"; and to clarify that the Compensation for Detriment caused by Defective Administration (CDDA) scheme applies where actions or inactions amount to defective administration.
Back in February, Australia's telcos again spoke out against the Bill a year after their criticisms of the initial draft legislation, calling the powers granted to the government "unjustifiably intrusive".
The Bill, introduced by Brandis to Parliament in November last year, forces carriers to "do their best" to protect their networks from unauthorised access or interference for the purpose of security, with carriers to notify the AGD of any changes to their services, systems, or equipment that could have a "material adverse effect" on their ability to comply with this duty.
The CAC has the power to assess whether those changes bring a risk of exposing the network to unauthorised access or interference, and may suggest changes to a carrier's security capability plan.
"The draft legislation still provides for unjustifiably intrusive powers for government to intervene in telecommunications infrastructure without adequate consultation or protections for industry," Macquarie Telecom argued earlier this year.
In combination with data-retention laws, the TSSR obligations would add considerable cost and interruption to its business operations and hinder its capability to innovate -- which would have the effect of increasing security threats due to it being unable to embrace new technologies promptly, Macquarie Telecom added.
Macquarie Telecom pointed out that telcos already have significant business interest in protecting its own network against security threats without government intervention, and that the burdens being levelled at Australian providers by the draft legislation do not apply to global competitors.
The Australian Centre for Cyber Security added that the data retention Act and the TSSR "duplicate the metadata creation, retention, and disclosure obligations" for telcos -- but that the latter has limited oversight.
However, Optus' call for a formal consultative mechanism for sharing information between industry and the government was answered by the government accepting the PJCIS' recommendations, as was Foxtel's submission asking for a clearer notification obligation for broadcasters.
The telecommunications industry had also spoken out against the legislation in July 2015 due to the intrusive powers given to the government; under Section 315A, the attorney-general has the power, after consulting with the prime minister and the minister, to order that a carriage service be suspended if it is deemed to be "prejudicial to security".
Under s315B, if the attorney-general is satisfied that a network carries the risk of unauthorised access or interference then they may order the service to be suspended without consulting anyone.