The Australian Parliamentary Joint Committee on Intelligence and Security (PJCIS) has announced that it is seeking submissions from industry as part of its inquiry into the telecommunications national security Bill, despite the government largely ignoring the last two series of submissions on its previous exposure drafts.
The Telecommunications and Other Legislation Amendment Bill 2016 was introduced into Parliament last week by Attorney-General George Brandis, but still contained provisions argued against by Australia's telcos earlier this year.
In February, the government published the submissions made by the major telcos, with none accepting the draft legislation. Telstra and Optus offered up lengthy, exhaustive lists of what should be amended in the draft legislation, while Vodafone and TPG delivered a complete smackdown, with the latter recommending that "abandonment is a better option than amendment".
The telecommunications industry had also spoken out against the first draft a year and a half ago.
Brandis, however, last week claimed that the government had implemented recommendations made by the telco industry to its second exposure draft that included additional national security-related measures.
"Australia's national security, economic prosperity, and social wellbeing increasingly depend on the security and resilience of telecommunications services. This is why the government, with the benefit of input from key telecommunications stakeholders, has developed this important legislation, which provides greater certainty for the industry and better protects telecommunications networks from national security threats," Brandis said in a statement.
"The Bill is the result of extensive public consultation and responds to recommendations from the telecommunications industry. The government will refer the Bill to the bipartisan Parliamentary Joint Committee on Intelligence and Security for public inquiry. The proposed legislation reflects the approach previously recommended by the committee."
Under the Bill, telco carriers and carriage service providers (CSPs) are vested with a "duty" to "do their best" to protect their networks from unauthorised access or interference for the purpose of security, and carriers and CSPs must notify the government of any changes to their services or systems that could have a "material adverse effect" on their ability to comply with this duty, including any outsourcing or changes in network equipment.
Telstra and Optus had previously said the obligation for CSPs to do their "best" to protect networks and facilities against unauthorised access and interference is too broad, with telcos unable to ascertain what this obligation actually requires; that it opens up telcos to claims of breach of statutory duty; and that "unauthorised access" is also too ambiguous, as the legislation does not state who is able to authorise whom, especially on global networks.
Under the legislation, the attorney-general may, after consulting with the prime minister and the minister, order a carriage service to be suspended if it is deemed to be "prejudicial to security"; and can order a service to be suspended without consulting anyone if they are satisfied that a network carries the risk of unauthorised access or interference.
TPG said the AG's ability to direct telcos to suspend or cease using or supplying services allows for relationships between the government and a particular telco to inform decisions without any need for the AG to consult impacted telcos. TPG and Vodafone also suggested that the exercise of the AG's power to suspend a service should be subject to judicial oversight rather than being solely part of the executive arm of the legal system.
The communications access coordinator (CAC), meanwhile, may suggest changes to a CSP's security capability plan, despite TPG pointing out that CAC employees aren't the best positioned to understand telco business operations.
The AGD secretary also has the power to "obtain information and documents" from carriers, CSPs, and CSP intermediaries if it is "relevant to assessing compliance with the duty", and may retain those documents for as long as possible. The AGD secretary may disclose any of these documents or information to any Commonwealth officer.
When announcing the legislation, the government said it is necessary due to the growing volume of data stored on networks.
"A key source of vulnerability for espionage, sabotage, and interference activity is in the supply of equipment, services, and support arrangements. Australian telecommunications networks rely on global suppliers of equipment and managed services which are often located in, and operate from, other countries," the explanatory memorandum says.
"Advances in technology and communications have introduced significant vulnerabilities, including the ability to disrupt, destroy, or alter telecommunications networks and associated critical infrastructure as well as the information held on these networks. Vulnerabilities in telecommunications equipment and managed service providers can allow state and non-state actors to obtain clandestine and unauthorised access to networks. Such access could be used to extract information and disrupt or potentially disable networks."
Prime Minister Malcolm Turnbull and Attorney-General George Brandis had previously said that these new powers "will only be used as a last resort, to protect the national interest", but argued the changes are necessary for Australian national security due to increasing numbers of online attacks from "nation states and hacktivists".
The PJCIS is accepting submissions until February 3, with its report due in April.