Telco national security law passage planned for spring

The Australian Parliament will be introducing the telco national security laws during the spring session, with hopes to pass the legislation in that time.

The Australian government has announced its intention to both introduce and pass the Telecommunications and Other Legislation Amendment Bill during the spring sitting of parliament, a law that would require telecommunications companies to increase network protection and allow government agencies to intervene for the purpose of protecting national security.

The government announced at the end of June its intention to amend the Telecommunications Act with additional national security-related measures. Under the proposed changes, released by Communications Minister Malcolm Turnbull and Attorney-General George Brandis on June 26, telcos "must do their best" to protect their networks against unauthorised access, or risk facing fines.

The Bill provides the secretary of the Attorney-General's Department, in consultation with the head of the Australian Security Intelligence Organisation and the secretary of the Department of Communications, with the power to force carriers to provide information and refrain from undertaking certain activities on their networks, with the threat of fines to ensure compliance.

Any information obtained by the secretary that relates to assessing the risk of unauthorised access to or interference with networks, or that is for "the purposes of security", could then be shared with anyone for security or risk assessment reasons.

"Australia's economic prosperity and social well-being are increasingly dependent on telecommunications networks and data that flows across them. It is vital that we maintain the security and resilience of these networks in a global environment of increasingly sophisticated national security risks," Brandis and Turnbull stated when introducing the draft Bill.

"The reforms will ensure that businesses, individuals, and the public sector can continue to rely on telecommunication networks to store and transmit data safely and securely, and to support other critical infrastructure sectors."

In addition, telecommunications carriers will be forced to give notice to Australian security agencies when they make any modifications to their networks and management systems that could impact security, and must comply with government oversight regarding equipment they may purchase.

"Vulnerabilities in telecommunications equipment and managed service providers can allow state and non-state actors to obtain clandestine and unauthorised access to networks and thereby extract information and control, disrupt and disable networks. The Bill implements a framework to better manage those threats and risks, and protect networks and the information stored on and carried across them from unauthorised interference and access," the explanatory memorandum to the Bill states.

While Turnbull and Brandis said that these new powers "will only be used as a last resort, to protect the national interest", they argued that oversight on security and equipment is necessary for national security due to increasing numbers of online attacks from "nation states and hacktivists".

Just last month, the telecommunications industry spoke out against the proposed amendments, saying that the draft laws are too vague.

"We think it's adding unjustifiably significant additional and intrusive powers to government, when a more collaborative approach might be a better alternative," Communications Alliance CEO John Stanton told ABC Radio.

The government accepted submissions from the industry and other bodies on the draft legislation until July 31.

Greens communications spokesperson Senator Scott Ludlam had also pointed out that Brandis, who once famously struggled to define metadata during an interview on data-retention legislation, should not be "telling computer security experts who run these big telecommunications companies how to run their networks and their datacentres".

According to the mostly censored regulatory impact statement, the proposed framework to comply with the amendment will cost the telco industry a combined AU$558.4 million, with ongoing costs of more than AU$184,000 per annum for each telecommunications company.

Telcos are already fighting to meet the tight August 13 deadline to comply with the recently passed mandatory data-retention legislation, which has been estimated to cost telcos approximately AU$4 per customer per year -- totalling around AU$49.68 million per year for ISPs, and AU$120 million per annum for mobile operators -- with an estimated setup fee of AU$319 million.

The annual estimated cost for the government in administering and enforcing this latest national security scheme is AU$1.6 million, with the government hoping to pass it through both houses by November.