Telco national security draft legislation released, again

While the legislation was supposed to be implemented from late 2015, the government has instead released another exposure draft for industry consultation.

The Australian government has released a second exposure draft of legislation requiring telecommunications providers to increase network protection and provide greater oversight to government agencies to intervene for the purpose of protecting national security.

"The security and resilience of telecommunications infrastructure is increasingly critical to the social and economic wellbeing of the nation," Attorney-General George Brandis and Minister for Communications Mitch Fifield said in a joint statement on Friday.

"Today, the government announces a further round of consultation on the Telecommunications and Other Legislation Amendment Bill, which will introduce a framework to better manage national security risks of unauthorised interference and access to telecommunications networks."

The government announced in June its intention to amend the Telecommunications Act with additional national security-related measures, which would force telcos to provide information about their networks and services to the Attorney-General's Department (AGD), or face injunctions, enforceable undertakings, and civil penalties such as fines.

Under the proposed legislation, carriers and carriage service providers (CSPs) "must do their best" to protect their networks against unauthorised access. The Bill requires them to manage the risk of interference on their networks, protect the information they store, and notify the government of any planned changes that could affect their security, with some exemptions to be made.

The Bill also vests an information-gathering power "to facilitate compliance monitoring and compliance investigation activity" with the secretary of the AGD; provides the attorney-general with the vague power to direct a CSP "to do or not do a specified thing"; and outlines enforcement mechanisms and remedies for non-compliance.

The latest exposure draft [PDF], released on Friday afternoon, also contains a number of amendments made after industry consultation.

These include narrowing the scope of the legislation; vesting directional power in the attorney-general rather than the secretary of the AGD; making directions from the attorney-general reviewable; and increasing the implementation time frame from six to 12 months after the legislation gains Royal Assent.

The government has also increased the threshold for the exercise of powers by requiring an adverse security assessment from the Australian Security Intelligence Organisation (ASIO), as well as requiring the attorney-general to be satisfied that the activity is prejudicial to security and that all reasonable steps have been taken to negotiate an outcome in good faith.

Safeguards, such as requiring the attorney-general to consult with the minister for communications and the affected company, and take into account the impact of a direction on a company, its customers, and the market, have also been added.

The process will be more transparent, with a notification regime being created and CSPs having the option of submitting an annual security plan.

The legislation is necessary due to the growing volume of data stored on networks, the government explained.

"Government and business are increasingly storing and communicating large amounts of information on and across telecommunications networks and facilities," the explanatory memorandum [PDF] says.

"Telecommunications networks and facilities also by their nature hold information of a sensitive nature, which includes information about the network itself; for example, lawful interception systems, customer billing, and management systems, which, if unlawfully accessed, can reveal sensitive law-enforcement operations, or the location of people such as politicians or protected persons. This information presents a rich intelligence target for those who wish to harm Australian interests.

"For these reasons, the telecommunications networks and infrastructure of carriers, carriage service providers, and carriage service intermediaries are attractive targets for espionage, sabotage, and foreign interference activity for state and non-state actors."

The explanatory memorandum states that currently, the government manages national security risks through cooperative arrangements with the telco industry, and that this Bill will simply formalise these arrangements and ensure that national security is prioritised over commercial interests. It added that the rollout of the National Broadband Network (NBN) will "magnify" the risks.

In addition to risk assessment, telcos will be forced to give notice to security agencies of any modification they make to their networks and management systems that could impact the security of their networks, and must comply with government oversight with regard to the IT equipment they may purchase.

"Advances in technology and communications have introduced significant vulnerabilities, including the ability to disrupt, destroy, or alter telecommunications networks and associated critical infrastructure as well as the information held on these networks. Vulnerabilities in telecommunications equipment and managed service providers can allow state and non-state actors to obtain clandestine and unauthorised access to networks and thereby extract information and control, and to disrupt and potentially disable networks," the explanatory memorandum says.

"[The] new Section 314A of the Telecommunications Act outlines the types of changes in arrangements that should be notified to the CAC, which include but are not limited to: Outsourcing or offshoring arrangements affecting sensitive parts of a network and/or procuring new equipment or services for sensitive parts of a network, and changes to the management of services."

Turnbull and Brandis had previously said that these new powers "will only be used as a last resort, to protect the national interest", but argued the changes are necessary for Australian national security due to increasing numbers of online attacks from "nation states and hacktivists".

The telecommunications industry spoke out against the legislation in July, with Communications Alliance CEO John Stanton arguing that the draft laws are too vague.

"We think it's adding unjustifiably significant additional and intrusive powers to government, when a more collaborative approach might be a better alternative," Stanton told ABC Radio.

Greens communications spokesperson Senator Scott Ludlam added that Brandis, who once famously struggled to define metadata during an interview on data-retention legislation, should not be telling telecommunications experts which technology to buy.

"I think the last thing we would want to see is Commonwealth bureaucrats telling computer security experts who run these big telecommunications companies how to run their networks and their datacentres," Ludlam said.

The financial impact is estimated to amount to ongoing costs of AU$1.6 million annually for ASIO and the AGD to resource and administer the scheme.

The government is accepting submissions on the second exposure draft until January 18, 2016.