Australian Attorney-General George Brandis has introduced the telco national security legislation to Parliament, saying the government has implemented recommendations made by industry to its last draft.
The introduction of the Bill comes a year after the government released its second exposure draft with additional national security-related measures forcing telcos to provide information about their networks and services to the Attorney-General's Department (AGD) or face injunctions, enforceable undertakings, and civil penalties such as fines.
The Telecommunications and Other Legislation Amendment Bill 2016 will "enhance the existing security framework", with the legislation designed to prevent the compromise or degradation of networks, the compromise of sensitive data, the impairment of network availability, and impacts on other critical infrastructure, according to the explanatory memorandum.
"Australia's national security, economic prosperity, and social wellbeing increasingly depend on the security and resilience of telecommunications services. This is why the government, with the benefit of input from key telecommunications stakeholders, has developed this important legislation, which provides greater certainty for the industry and better protects telecommunications networks from national security threats," Brandis said in a statement.
"The Bill is the result of extensive public consultation and responds to recommendations from the telecommunications industry. The government will refer the Bill to the bipartisan Parliamentary Joint Committee on Intelligence and Security for public inquiry. The proposed legislation reflects the approach previously recommended by the committee."
Under the Bill, telco carriers and carriage service providers (CSPs) are vested with a "duty" to "do their best" to protect their networks from unauthorised access or interference for the purpose of security, and carriers and CSPs must notify the government of any changes to their services or systems that could have a "material adverse effect" on their ability to comply with this duty, including any outsourcing or changes in network equipment.
The communications access coordinator (CAC) has the power to assess whether those changes bring a risk of exposing the network to unauthorised access or interference, and may suggest changes to a CSP's security capability plan.
Section 315A also gives the attorney-general the power, after consulting with the prime minister and the minister, to order that a carriage service be suspended if it is deemed to be "prejudicial to security". Under s315B, if the attorney-general is satisfied that a network carries the risk of unauthorised access or interference, then they may order the service to be suspended without consulting anyone.
Under s315C, the AG secretary has the power to "obtain information and documents" from carriers, CSPs, and CSP intermediaries if it is "relevant to assessing compliance with the duty", and may retain those documents for as long as possible. The AG secretary may also disclose any documents or information to any Commonwealth officer.
The AG is required to present a report to Parliament annually on the operation of the legislation.
While Brandis claimed that the Bill was amended after consulting with industry, it still contains provisions argued against by Australia's telcos earlier this year.
In February, the government published the submissions made by the major telcos, with none accepting the draft legislation.
While Telstra and Optus offered up exhaustive lists of what should be amended in the draft legislation, Vodafone and TPG delivered a complete smackdown, with the latter recommending that "abandonment is a better option than amendment".
The obligation for CSPs to do their "best" to protect networks and facilities against unauthorised access and interference is too broad, according to both Optus and TPG, which argued that telcos are unable to ascertain what this obligation actually requires; that it opens up telcos to claims of breach of statutory duty; and that "unauthorised access" is also too ambiguous, as the legislation does not state who is able to authorise whom, especially on global networks.
CAC employees also won't be best positioned to understand telco business operations, TPG said, and the AG's ability to direct telcos to suspend or cease using or supplying services under s315A allows for relationships between the government and a particular telco to inform decisions without any need for the AG to consult impacted telcos.
TPG and Vodafone also suggested that the exercise of the AG's power to suspend a service should be subject to judicial oversight rather than being solely part of the executive arm of the legal system.
When announcing the legislation, the government said it is necessary due to the growing volume of data stored on networks.
"A key source of vulnerability for espionage, sabotage, and interference activity is in the supply of equipment, services, and support arrangements. Australian telecommunications networks rely on global suppliers of equipment and managed services which are often located in, and operate from, other countries," the explanatory memorandum says.
"Advances in technology and communications have introduced significant vulnerabilities, including the ability to disrupt, destroy, or alter telecommunications networks and associated critical infrastructure as well as the information held on these networks. Vulnerabilities in telecommunications equipment and managed service providers can allow state and non-state actors to obtain clandestine and unauthorised access to networks. Such access could be used to extract information and disrupt or potentially disable networks."
The explanatory memorandum states that currently, the government manages national security risks through cooperative arrangements with the telco industry, and that this Bill will simply formalise these arrangements and ensure that national security is prioritised over commercial interests. It added that the rollout of the National Broadband Network (NBN) will "magnify" the risks.
Prime Minister Malcolm Turnbull and Attorney-General George Brandis had previously said that these new powers "will only be used as a last resort, to protect the national interest", but argued the changes are necessary for Australian national security due to increasing numbers of online attacks from "nation states and hacktivists".
The telecommunications industry also spoke out against the legislation last July.