Comms Alliance argues TSSR duplicates obligations within Critical Infrastructure Bill

Industry body requests only one of the two requirements apply to critical infrastructure entities in the telecommunications sector.

The Communications Alliance has asked the government to avoid duplication when introducing new obligations to telco providers under the Telecommunications Sector Security Reforms (TSSR).

Under the TSSR, all carriers and nominated carriage service providers (C/NCSPs) are required to notify the Communications Access Coordinator (CAC) of proposed changes to their telecommunications systems or services if they become aware of any proposed changes that are likely to have a "material adverse effect" on their capacity to comply with security obligations.

As it currently stands under TSSR obligations, telcos need to "do their best" to protect infrastructure.

In its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review of the TSSR, Comms Alliance has asked for the repeal of the TSSR notification obligation or exemption from this obligation for entities subject to the positive security obligation (PSO) under the nation's newly introduced critical infrastructure Bill.

Read more: Tech industry concerns put aside as Critical Infrastructure Bill enters Parliament

The PSO contained in the Security of Critical Infrastructure Act (SoCI Act) is intended to result in the same outcome as the TSSR, Comms Alliance argued. It said imposition of the PSO on entities already subject to the TSSR's security and notification obligations will result in duplication of regulatory regimes that have the same intended outcome.

"We, therefore, recommend either repeal of the TSSR notification obligation or exemption from this obligation for entities subject to this PSO," it wrote.

"The review of the TSSR must have regard to the evolving horizontal regulations such as the SoCI Act and ensure that the rules of those regulations avoid overlap, redundancy, or even inconsistencies with existing sector-specific regulations.

"Service providers which are already subject to cybersecurity requirements in sector-specific legislation must remain excluded from the scope of the horizontal requirements or see a removal of sector-specific regulation where those would create duplication."

The industry body said this exclusion is necessary to ensure legal clarity, certainty, and proportionality of obligations.

"We argue that, in effect, this makes the TSSR notification requirements redundant as assessment of the risks of proposed changes would necessarily form part of a broader, annually endorsed and reported risk management plan," it continued.

"Subjecting entities to the TSSR notification requirements (and subsequent risk mitigation if deemed necessary) as well as the PSO of the revised SoCI Act would result in a substantial amount of duplication and inefficiencies -- the opposite of government's stated aim."

It also said maintaining both sets of obligations would create duplicative efforts for the CAC/Critical Infrastructure Centre.

"We believe that there should only be one authority designated for CSPs in the security space. Currently, the legislative and regulatory environment around security, cybersecurity, and data protection is rather crowded," the submission added.

Instead, Comms Alliance has thrown its support behind a "high-level principles-based approach to ensuring security". It said such an approach allows CSPs the necessary flexibility to implement measures as appropriate for their business while being able to rapidly adapt to technological change.

"This approach is also more likely to avoid duplication or inconsistencies with existing (or future) international standards and best practice, and provides the necessary flexibility for globally operating organisations to comply with a more limited set of security specifications, thereby contributing to increased operational efficiency and legal certainty," it said.

On two-way threat sharing, Comms Alliance said communications-specific threat information has not been shared with its members.

"Consequently, our members have borne substantial costs to implement the Reforms -- and government decisions that were taken as a result of the Reforms -- without having had the promised benefit of additional risk and threat information to guide investment decisions," it wrote.

"This is regrettable and ought to be remedied with urgency, particularly in light of the additional layer of security regulation that the revised SoCI Act (even in its 'lightest version') is likely to represent for our sector."

Comms Alliance added the communications sector has already incurred substantial costs in the course of the implementation of the TSSR and that it continues to bear high regulatory expenses for ongoing compliance with the various security-related legislative and regulatory requirements.

"Against this background and noting the additional costs that are likely to result from the requirements of the revised SoCI Act, we encourage the committee to consider cost recovery options for telecommunications providers covered under these extensive security regimes," it said. "We deem it important that the critical infrastructure reforms and the TSSR preserve the principle of cost recovery, which is well established under the Telco Act."

HERE'S MORE