The Australian House of Representatives has passed the Telecommunications and Other Legislation Amendment Bill 2016, which contains the Telecommunications Sector Security Reforms (TSSR), establishing a framework for managing national security threats within the telco industry.
Communications Minister Mitch Fifield and Attorney-General George Brandis in August said the TSSR has an emphasis on "the shared responsibility between government and the telecommunications industry".
"The proposed reforms create an obligation on carriers and carriage service providers to do their best to protect their networks from unauthorised access and interference. This includes providing early advice to government of any changes to their network that may be of security concern, so that agencies can assess risks and cooperate with industry on mitigation strategies," they said.
"Telecommunications networks are a fundamental component of other critical sectors such as health, finance, transport, water, and power. With the increasing threat of interference from malicious actors, including through cyber intrusions, protecting these networks is a priority of this government."
The Bill, introduced by Brandis to Parliament in November 2016, forces carriers to "do their best" to protect their networks from unauthorised access or interference for the purpose of security, with carriers to notify the Attorney-General's Department (AGD) of any changes to their services, systems, or equipment that could have a "material adverse effect" on their ability to comply with this duty.
The Communications Access Coordinator (CAC) has the power to assess whether those changes bring a risk of exposing the network to unauthorised access or interference, and may suggest changes to a carrier's security capability plan.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) had submitted its advisory report on June 30, making 13 recommendations on changes to be made to the TSSR, including that the Bill be passed.
The recommendations accepted by the government include the AGD in consultation with industry reviewing and revising guidance within 12 months on companies' obligation in cases where a service is being resold or provided over-the-top; where telco infrastructure is used but not owned or operated by the company; where infrastructure is located in another country; and in the provision of cloud services.
The Bill will require the PJCIS to review it within three years of royal assent, with the government saying that the scope of the next review will be expanded "to include consideration of the security of offshored telecommunications data that is retained by a service provider for the purpose of the data-retention regime".
Also among the accepted recommendations was that the government work with industry to create mechanisms for information sharing within the 12-month implementation period; and that the AGD provide regularly updated guidance on notifiable items "in response to identified risks or trends in the security environment and ongoing feedback from industry".
The government also amended the Bill to require carriers to notify the CAC if they intend to store information or documents subject to the Bill outside of Australia; ensure it does not impact the operation of the Privacy Act; specify annual reporting requirements; allow the CAC to issue class exemptions on notification requirements and set out the application process for exemptions; and ensure it does not apply to broadcasters exempt from being treated as a carriage service provider under the Telecommunications Act.
The explanatory memorandum was additionally amended to specify that "negotiating in 'good faith' includes consideration of whether the CAC has complied with the applicable statutory timeframes"; and to clarify that the Compensation for Detriment caused by Defective Administration (CDDA) scheme applies where actions or inactions amount to defective administration.
Macquarie Telecom had earlier this year argued in its submission on the draft legislation that, in combination with data-retention laws, the TSSR obligations would add considerable cost and interruption to its business operations and hinder its capability to innovate, which in turn would increase security threats because the company would be unable to adopt new technologies promptly.
Telcos already have significant business interest in protecting their networks against security threats without government intervention, Macquarie Telecom added.
Optus' submission calling for a formal consultative mechanism for sharing information between industry and the government was answered by the government accepting the PJCIS' recommendations, as was Foxtel's call for a clearer notification obligation for broadcasters.
The telecommunications industry had initially spoken out against the legislation in July 2015 due to the intrusive powers given to the government; under Section 315A, the attorney-general has the power, after consulting with the prime minister and the minister, to order that a carriage service be suspended if it is deemed to be "prejudicial to security".
Under s315B, if the attorney-general is satisfied that a network carries the risk of unauthorised access or interference then they may order the service to be suspended without consulting anyone.