Telcos: National security Bill 'unjustifiably intrusive', risks cyber threats

Carriers and cybersecurity groups have again made submissions against the telco national security Bill, saying it will impede innovation and consequently make networks more vulnerable to cyber attacks.

Almost two years after first criticising the telecommunications national security Bill, Australia's carriers have again spoken up against it, calling the powers granted to the government under the draft laws "unjustifiably intrusive".

Attorney-General George Brandis introduced to Parliament the Telecommunications Sector Security Reforms (TSSR) in the Telecommunications and Other Legislation Amendment Bill in November, saying the government had implemented recommendations made by industry to its last draft.

The Bill forces telco carriers and carriage service providers (CSPs) to "do their best" to protect their networks from unauthorised access or interference for the purpose of security, with carriers and CSPs to notify the Attorney-General's Department (AGD) of any changes to their services, systems, or equipment that could have a "material adverse effect" on their ability to comply with this duty.

The communications access coordinator (CAC) has the power to assess whether those changes bring a risk of exposing the network to unauthorised access or interference, and may suggest changes to a CSP's security capability plan.

Five submissions have been published following the introduction of that Bill -- from Macquarie Telecom; Optus; Foxtel; the Australian Centre for Cyber Security; and by the Australian Industry Group (Ai Group), Australian Information Industry Association (AIIA), Australian Mobile Telecommunications Association (AMTA), and Communications Alliance in a joint submission.

"The draft legislation still provides for unjustifiably intrusive powers for government to intervene in telecommunications infrastructure without adequate consultation or protections for industry," Macquarie Telecom said in its submission.

In combination with the data-retention laws that came into effect in October 2015, the TSSR obligations would add considerable cost and interruption to its business operations and hinder its capability to innovate -- which would have the effect of increasing security threats due to it being unable to embrace new technologies promptly, Macquarie Telecom argued.

Macquarie Telecom said it already has significant business interest in protecting its own network against security threats without government intervention, and pointed out that the burdens being levelled at Australian providers by the draft legislation do not apply to global competitors, a point also made in the joint submission.

The Australian Centre for Cyber Security similarly addressed the creation of cyber threats, arguing that the data retention Act and the TSSR "duplicate the metadata creation, retention, and disclosure obligations" for telcos -- but that the latter has limited oversight.

"Both regimes essentially address the same metadata but with different procedures. These differences may result in oversight, governance and ethical risks," the centre said.

"However, the oversight mechanisms regarding access for security under the two regimes differ vastly. The purpose for this difference in treatment is not made clear. Metadata under the TSSR, which is the vast majority of session metadata and may have greater privacy implications, require no authorisation and notification process, and little independent oversight, unlike the source IP and port addresses under the metadata creation, retention, and disclosure regime."

The joint submission from telco groups agreed that the "onerous" and "one-way" notification requirements would do the opposite of their express purpose, making Australian telecommunications networks more exposed to cyber threats and sabotage by hindering their responsiveness.

"The legislation, explanatory memorandum, and the associated guidelines still fail to answer the fundamental question of what specific failings and/or weaknesses government is seeking to address," the group argued.

The joint submission points to the collaborative approaches to cybersecurity between government and industry in the United States, the United Kingdom, and Canada and suggests that Australia utilise these techniques rather than developing expensive, "out of step" practices that hinder innovation, particularly in the software-defined networking and network function virtualisation sectors.

Optus called the notification requirement a "logic trap" wherein providers may not have the same information available to them on a certain security risk as the CAC, and suggested that more guidance be given on the apparent new telecommunications regulatory role the legislation vests in the AGD and CAC.

In order to make this more effective, Optus also advised that a formal consultative mechanism for sharing information between industry and the government be formed.

Foxtel used its submission to argue that there would be a regulatory imbalance in the broadcasting industry if Foxtel were subject to the legislation and other broadcasters were not, and added that the notification obligation is "broad and unclear".

A year ago, the government published the submissions made by the major telcos to the last form of the Bill, with none accepting the draft legislation.

While Telstra and Optus offered up exhaustive lists of what should be amended in the draft legislation, Vodafone and TPG delivered a complete smackdown, with the latter recommending that "abandonment is a better option than amendment".

The telecommunications industry also spoke out against the legislation in July 2015 due to the intrusive powers given to the government; under Section 315A, for instance, the attorney-general has the power, after consulting with the prime minister and the minister, to order that a carriage service be suspended if it is deemed to be "prejudicial to security".

Under s315B, if the attorney-general is satisfied that a network carries the risk of unauthorised access or interference then they may order the service to be suspended without consulting anyone.

The attorney-general secretary also has the power to "obtain information and documents" from carriers, CSPs, and CSP intermediaries if it is "relevant to assessing compliance with the duty", and may retain those documents for as long as possible under s315C. The attorney-general secretary may also disclose any documents or information to any Commonwealth officer.

The attorney-general is required to present a report to Parliament annually on the operation of the legislation.