Telstra has asked Australia's pending national critical infrastructure laws to avoid creating duplicate or conflicting requirements for the telecommunications sector, highlighting that existing regimes it is bound by already "work well".
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 aims to implement "an enhanced framework to uplift the security and resilience of Australia's critical infrastructure".
Among other things, the Bill introduces a positive security obligation (PSO) for critical infrastructure entities, along with sector-specific requirements and mandatory reporting requirements to the Australian Signals Directorate (ASD). Telecommunications is one of the sectors whose assets could be declared "systems of national significance" under the Bill, which would amend the Security of Critical Infrastructure Act 2018 (SOCI Act).
As a telecommunications provider, Telstra is covered by the Telecommunications Sector Security Reforms (TSSR) regime.
"The telecommunications sector has a well-established and robust security regime in the TSSR," Telstra told the Parliamentary Joint Committee on Intelligence and Security (PJCIS). "Industry has invested capital and resources into its network security and resilience to comply with the TSSR security obligation. The TSSR works well and has resulted in excellent engagement with the Department of Home Affairs along with operational compliance with the security requirements."
As a result, Telstra has recommended that government achieve its systems of national significance objectives by leveraging existing obligations under the TSSR as far as possible and working closely with industry to ensure those obligations align with those under the SOCI Act.
"The TSSR framework has been in place for more than two years, enabled the telecommunications sector to mature and uplift its security awareness and posture, more so than other sectors, and is a regime that works well," it said.
It suggested that this be done in three ways: applying the Act only to those critical telecommunications assets declared as systems of national significance, so that the enhanced cybersecurity obligations attach only to those assets; enhancing the TSSR so that the new Bill's PSO is applied there; and applying more "objective" criteria and thresholds to elements of the PSO and the government assistance powers.
"Telstra's recommended approach avoids potential operational and compliance issues resulting from duplicated security regimes for the telecommunications sector," Telstra said.
"It also recognises the maturity of the sector and the significant capital and resources this sector has already invested into network security and resilience over several years, to comply with the TSSR security obligation."
The Bill also introduces government assistance to entities in response to significant cyber attacks on Australian systems.
Tech giants operating in Australia, such as Amazon Web Services (AWS), Cisco, Microsoft, and Salesforce, have all taken issue with these "last resort" powers, but the ASD expects intervention in the cyber attack response of companies considered critical infrastructure to only occur in rare circumstances.
Telstra has asked that these powers be inserted into the TSSR and that they be used only as a final resort.
Meanwhile, despite reiterating many of the concerns it shared during the Bill's pre-consultation, AWS has provided the PJCIS with a further 11 recommendations to consider when reporting on the draft legislation.
One of the recommendations is the complete removal of government powers to respond to serious cybersecurity incidents.
"The powers are too broad and give the government exceptionally broad powers to gather information, issue directions, or act autonomously to directly intervene in an asset without adequate limitations or guardrails," it wrote [PDF].
Instead, AWS recommends talking with industry about what its aims actually are to come to a more appropriate resolution.
The cloud giant also wants the removal of government ability to enact sector-specific rules without consultation.
Meanwhile, the Group of Eight (Go8), comprising the University of Adelaide, the Australian National University, the University of Melbourne, Monash University, UNSW Sydney, the University of Queensland, the University of Sydney, and the University of Western Australia, believes the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector.
As a result, the Go8 wants the government to set out a detailed and compelling case for why higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.
In doing so, it has suggested the use of established mechanisms, such as the Guidelines to Counter Foreign Interference in the Australian University Sector, as a way of meeting the PSO for the sector.
"The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector," its submission [PDF] to the PJCIS reads.
The group is concerned Australia is the only Five Eyes nation to consider higher education and research as critical infrastructure.