Australian telco security coordinator concerned at network virtualisation plans

Communications Access Coordinator received 32 notifications from the nation's telcos in the year to June 30.

Australia's Communications Access Coordinator (CAC) is concerned by the level of understanding within the nation's telcos about the risk that network virtualisation can introduce.

The CAC role was beefed up under Australia's Telecommunications Sector Security Reforms (TSSR) and is charged with assessing whether changes made by telcos to their networks expose them to unauthorised access or interference and, if so, issuing recommendations for changes.

In the Telecommunications Sector Security Reforms -- Report for 2019-20 tabled in Parliament on Tuesday, a number of Australian telcos notified the CAC that they were automating their network configurations.

"These changes featured high levels of technical complexity and equally complex supply chains. In several instances the CAC had concerns about the notifying carrier's understanding and appreciation of the risks presented by the proposed change, particularly the risks associated with complex multi-vendor/subcontractor, multi-jurisdiction supply chains," the report said.

"The CAC also had concerns in several instances with carriers misunderstanding the level of exposure they had in proposing to outsource or 'hybridise' their infrastructure environment.

"In each of these instances during the reporting period the CAC informed the relevant carriers of the concerns and suggested measures that they could implement to ensure they could continue to comply with their security obligation while proceeding with the change."

The report also said the CAC received multiple notices of a carrier proposing to use a managed service provider, where the CAC thought the carrier would lose its ability to "maintain competent supervision of, and effective control over, telecommunications networks and facilities owned or operated by the carrier".

The CAC was concerned by the lack of supervision over the provider's activities, the lack of consideration given to the location from which the provider would serve the telco, and "limited assurance" that the carrier had "effective control" over the network or facilities being provided. In these instances, the CAC recommended changes.

Over the course of the year to June 30, the CAC responded with 24 "some risk" notices to telcos, 6 "no risk" notices, and had two notices outstanding. The Minister for Home Affairs did not issue any directions over the year.

The TSSR laws were used in 2018 to ban Huawei and ZTE from Australia's 5G networks.

"The Department [of Home Affairs] has continued to work closely with telecommunications operators to ensure they understand their TSSR obligations with respect to deploying and operating 5G networks and services," the report said.

"The department has also worked with non-5G mobile network operators to understand and manage the potential sustainment risks associated with the United States' export restrictions affecting certain telecommunications infrastructure vendors."

The report said the CAC would be able to respond more quickly if telcos provided sufficient information.

The TSSR was passed by Parliament in September 2017, after the Parliamentary Joint Committee on Intelligence and Security recommended a number of changes, including an annual reporting mechanism to Parliament.

Also tabled on Tuesday was a report on the operation of the Critical Infrastructure Act for the year to June 30.

Passed in March 2018, the Act created a register of critical infrastructure assets which included asset ownership, access, and control.

Over the year, the nation's electricity, water, gas, and port sectors reported 118 notifications to Home Affairs, consisting of 109 changes and nine new additions to the register.

No ministerial directions, information-gathering powers, enforcement powers, or private declarations were issued.

The recent 2020 Cyber Security Strategy said the federal government was looking to impose an enforceable "positive security obligation" on designated critical infrastructure operators through amendments to the Act.

Updated at 10:25am AEDT, 7 October 2020: Corrected the history of the CAC role.