The Telecommunications and Other Legislation Amendment Bill is set to be waved through Australian Parliament with a bipartisan report stating that after a number of clarifications, it should become law.
The Bill forces telco carriers and carriage service providers (CSPs) to "do their best" to protect their networks from unauthorised access or interference for the purpose of security, with carriers and CSPs to notify the Attorney-General's Department (AGD) of any changes to their services, systems, or equipment that could have a "material adverse effect" on their ability to comply with this duty.
The communications access coordinator (CAC) has the power to assess whether those changes bring a risk of exposing the network to unauthorised access or interference, and may suggest changes to a CSP's security capability plan.
In its report [PDF], the Parliamentary Joint Committee on Intelligence and Security (PJCIS) asks for clarification within the administrative guidelines for when a company is providing an over-the-top service; when telco infrastructure is used but not owned or operated by a company; when a company provides cloud-based services; and when infrastructure is overseas and provides services to, or stores information on, Australians.
The guidelines should also include details and examples of changes the CAC is not interested in, the report said.
As for the wording of the Bill itself, the committee recommended it clarify that broadcasters are not subject to the legislation; allow carriers to request partial or complete exemption for certain changes; make it clear the Bill does not change the operation of existing privacy laws; outline ways for industry to recover costs; and require the Attorney-General to take into account how quickly the CAC responded to a notification before issuing a direction.
It was also recommended the Bill spell out that an annual report on the scheme to Parliament include the number of occasions the information-gathering powers have been exercised, the number of notifications and security plans received, average response timeframes of the CAC, number of occasions the directions-powers have been used, and details of how the government is sharing information with industry.
The Bill provided a "proportionate and escalating framework for addressing national security risks" and gave certainty to industry, the committee said.
"The committee supports a legislative framework approach which establishes the security of Australia's telecommunications infrastructure as a joint responsibility between government and industry," it said.
"It continues to allow industry to make its own commercial decisions within the risk assessment framework and with access to security advice. Where necessary, there exists the option for enforcement in order to ensure the protection of telecommunications infrastructure."
PJCIS also said that, as part of its review of Australia's metadata laws, it should be allowed to examine the security of metadata retained and stored overseas.
"The Committee is greatly concerned that existing laws do not provide government with visibility about where and how data is being stored," the report stated.
During hearings of the committee, AGD said it did not believe the storage of metadata overseas was a security concern.
"That is not true, because we've been briefed to the fact that that isn't, that's not a true statement," Labor member for Holt Anthony Byrne said in February. "It was one of the concerns of the committee that if you did offshore it, it did impact the capacity of the agencies and the Attorney-General's Department to actually protect the data."
"And we've seen, publicly, fairly significant issues of data being stored offshore and it being susceptible to infiltration."
Byrne said it was an "incredibly significant concern" that the department is not currently able to answer his questions on where the nation's telecommunications metadata is stored.
Earlier in February, a number of submissions said the Bill would impede innovation and consequently make networks more vulnerable to attacks.
"The draft legislation still provides for unjustifiably intrusive powers for government to intervene in telecommunications infrastructure without adequate consultation or protections for industry," Macquarie Telecom said in its submission.
The new obligations would add considerable cost and interruption to its business operations and hinder its capability to innovate -- which would have the effect of increasing security threats due to it being unable to embrace new technologies promptly, Macquarie Telecom argued.
With a number of clarifications needed, PJCIS said in its report that AGD must work closely with industry over the next year to provide certainty.
"The 12 month implementation period for the Bill will be crucial," it said.
Communications Alliance CEO John Stanton said the committee had done an excellent job of highlighting the Bill's weaknesses, and said the clarifications should have been in the legislation, rather than the guidelines, with a six-month rather than twelve-month deadline.
"This work should be done within the first six months -- and with full industry involvement -- so that industry has some breathing space in which to complete its compliance work, before the legislation takes full effect."
The committee said it should review the laws three years after the Bill receives Royal Assent.
"The key areas of focus of the review should be the security of critical and sensitive data, the adequacy of information-sharing arrangements between government and industry, and the adequacy of the administrative guidelines," it said.