The Australian government has published the submissions made by the major telecommunications providers on the telco national security Bill, with none accepting the draft legislation in its current form.
While Telstra and Optus offered up exhaustive lists of what should be amended in the draft legislation, Vodafone and TPG delivered a complete smackdown, with the latter recommending that "abandonment is a better option than amendment".
In November, the government released its second exposure draft of the Telecommunications and Other Legislation Amendment Bill containing additional national security-related measures, which would force telcos to provide information about their networks and services to the Attorney-General's Department (AGD), or face injunctions, enforceable undertakings, and civil penalties such as fines.
Under the proposed legislation, carriers and carriage service providers (CSPs) "must do their best" to protect their networks against unauthorised access. The Bill also vests an information-gathering power "to facilitate compliance monitoring and compliance investigation activity" with the secretary of the AGD; provides the attorney-general with the vague power to direct a CSP "to do or not do a specified thing"; and outlines enforcement mechanisms and remedies for non-compliance.
Telcos continue to take issue with the Bill, despite the latest exposure draft [PDF] containing a number of amendments made after industry consultation, including narrowing the scope; vesting directional power in the AG rather than the secretary of the AGD; making directions from the AG reviewable; and increasing the implementation time frame from six to 12 months.
The government had also increased the threshold for the exercise of powers by requiring an adverse security assessment from the Australian Security Intelligence Organisation (ASIO), as well as requiring the AG to be satisfied that the activity is prejudicial to security, and that all reasonable steps have been taken to negotiate an outcome in good faith.
Telstra's submission [PDF] conceded that CSPs must be conscious of security threats to networks, but added that they "should still retain the discretion to assess the risks and make informed decisions based on their knowledge of their networks, taking into account any advice shared by government and agencies".
Telstra labelled the Bill as being "workable in a practical sense", saying the amendments made late last year have rendered the legislation more effective. Australia's incumbent telco did, however, propose a set of additional amendments.
One of these was that Section 313(5) should extend the scope of statutory immunity to protect CSPs from civil liability in disclosing information to the government in breach of a duty of confidence owed to a third party. Vodafone agreed, saying the Bill does not protect CSPs against the risk of civil litigation.
In regards to the AG's ability to give directions to telcos under s315B, Telstra welcomed the requirement for the AG to consult with a CSP, but said the AG should only be able to give a direction that is "reasonably necessary" to eliminate or reduce a security risk.
Optus, Vodafone, and TPG all argued that s315B gives too much weight to ASIO's security assessment, above and to the detriment of all other decision-making factors, with Optus' submission [PDF] suggesting that another factor be added: "Whether the network or service to which the proposed direction would apply is critical national infrastructure or a critical service".
For s315C, which enables the AG secretary to obtain information and documents from CSPs, Telstra and TPG argued that because there are no scope limits on what information may be required, responding could be time-consuming, costly, and difficult for CSPs.
"The class of documents and information that can be called for in Section 315C(1) is still very wide, and provides the attorney-general's secretary with the power to require the telco to go on a fishing expedition to establish compliance," TPG argued.
"Generally, in Australia, citizens, including corporate citizens, are entitled to go about their business without unreasonable search. Searches are generally subject to judicial oversight, such as by warrant. Telcos should not be required to provide any information that the attorney-general's secretary calls for without the attorney-general at the very least having evidence to establish that there has been a breach of the obligation."
Optus added that the section should be changed so that only copies of documents, not originals, need to be handed over during the information-gathering process.
Under s315C, information must be de-identified by the AGD before being disclosed to a person other than a Commonwealth officer. Telstra said that the government must go further in its process of de-identification, as it is not sufficient to protect CSPs from competitor threats, while Optus suggested that confidentiality requirements be extended from covering just documents and information obtained during information gathering to also cover the original notifications and security plans obtained at the beginning of the process.
Only Vodafone and Internet Australia raised concerns over the AGD's ability to share these documents with other Commonwealth officers in the first place, with Vodafone saying the provision is too broad. In its submission, Internet Australia said the sharing process should be redefined in a more restricted way, as the term "for the purposes of security" is too vague.
The obligation for CSPs to do their "best" to protect networks and facilities against unauthorised access and interference, as described under s313(1A), is also too broad, according to both Optus and TPG. Optus said the duty asks for all national and global networks and facilities to be protected by CSPs, and should be refined to simply protecting their own networks.
TPG added that "do their best" is too broad a term, with telcos unable to ascertain what this obligation actually requires; that it opens up telcos to claims of breach of statutory duty; and that "unauthorised access" is also too ambiguous, as the legislation does not state who is able to authorise whom, especially on global networks.
Optus suggested that the obligations imposed on intermediaries should be lessened, as they do not have the same capacity for control as CSPs.
Under the proposed law, in addition to risk assessment, telcos will be forced to give notice to security agencies of any modification they make to their networks and management systems that could impact the security of their networks, and must comply with government oversight in regards to the IT equipment they may purchase.
"Advances in technology and communications have introduced significant vulnerabilities, including the ability to disrupt, destroy, or alter telecommunications networks and associated critical infrastructure as well as the information held on these networks. Vulnerabilities in telecommunications equipment and managed service providers can allow state and non-state actors to obtain clandestine and unauthorised access to networks and thereby extract information and control, and to disrupt and potentially disable networks," the explanatory memorandum [PDF] says.
"[The] new Section 314A of the Telecommunications Act outlines the types of changes in arrangements that should be notified to the CAC, which include but are not limited to: Outsourcing or offshoring arrangements affecting sensitive parts of a network and/or procuring new equipment or services for sensitive parts of a network, and changes to the management of services."
Optus called this notification requirement a "logic trap", pointing out that it will be difficult for CSPs to form the same security assessment as the communications access coordinator (CAC) when they don't have access to the same information.
In addition, Optus pointed out that any and all changes to a network carry a risk of interference -- with TPG adding that s314A effectively makes it a requirement for telcos to tell the government about every single change to network and equipment, as there is no way for a telco to tell whether a change will carry a more substantial risk of threat -- so the wording should be amended for the AG to interfere only where there is "an unacceptable movement in the risk profile introduced by the change".
The Law Council of Australia built on this point, saying that adverse security risks need to be subject to a transparent standard-of-proof test before assessments can be fairly issued.
"The specific criteria by which ASIO make their assessments are also largely unknown, making it uncertain as to when a cyber risk or threat will be considered to be of a sufficient level of seriousness to warrant the issuing of a direction by the AG," the Law Council pointed out.
"For example, it is unclear whether a risk or prejudice to security must be substantial, likely, imminent, or of severe potential impact."
"Prejudicial to security" must therefore also be more clearly defined, the Law Council added.
Sections 314B and 314D place "an unacceptable commercial risk" on CSPs, as they do not specify what will occur if a CAC does not respond to individual notifications or security plans within the timeframe set out, Optus argued. The time periods that the CAC may take to decide on individual notifications and security capability plans should not be able to be restarted, as that creates too lengthy a process, Optus concluded.
Optus lastly asked for a policy to be developed framing whether the CAC is subject to the government's regulator performance framework, and whether KPIs will be made available for the CAC's activities.
While Vodafone Hutchison Australia (VHA) agreed that telcos should coordinate with the government to ensure national security, it disagreed strongly with the legislation in its current form.
"It is essential that the telecommunications industry and government agencies have a robust, collaborative working relationship when it comes to national security and network resilience," Vodafone's submission [PDF] said.
"What is not appropriate is the establishment of a national security regime that is prescriptive, inflexible, and promotes a government decision-making process that does not allow for commercial and technical flexibility and imposes substanital [sic] commercial risk. A regime, we might add, that offers no guarantee of success in a dynamic and fluid global telecommuncations [sic] environment."
Vodafone argued that the Bill vests "unjustifiably significant" powers in the AGD; intrudes on commercial decisions for no apparent justification; contains the possibility for arbitrary orders, as directions by the AGD are not subject to independent judicial review or appeal; will deter innovation and the rollout of new network technologies; doesn't allow for offshoring; affects choice and competition; and favours larger CSPs.
VHA summarised the Bill as containing "regulatory overreach through the relatively unfettered powers proposed to be given to government officials to influence decisions".
TPG's own assessment [PDF] of the Bill was similar, with the telco recommending the legislation be dumped altogether.
Among other arguments, TPG disputed that telcos are the most likely source of threats to national security, and contended that competition already provides incentives for telcos to have tight security; that red tape will increase costs for CSPs; and that the legislation won't prevent unauthorised access to networks, such as malware and hacking attacks, which TPG called "regrettable but probably inevitable".
CAC employees also won't be in the best position to understand telco business operations, TPG said, and the AG's ability to direct telcos to suspend or cease using or supplying services under s315A allows for relationships between the government and a particular telco to inform decisions without any need for the AG to consult impacted telcos.
TPG added its voice to the suggestion by Vodafone that the exercise of the AG's power to suspend a service should be subject to judicial oversight rather than being solely part of the executive arm of the legal system.
Internet Australia also suggested [PDF] that a review of the legislation be conducted by the Parliamentary Joint Committee on Security and Intelligence after three years, and that the AGD retain detailed records of actions taken as a result of this legislation to be provided to the same parliamentary committee annually.
The burden of costs has yet to be mentioned by the government, TPG pointed out -- something also addressed by the joint submission of industry bodies, and by Vodafone.
"VHA shares the concern of the industry groups about the ongoing costs associated with the introduction of this regime and the additional red-tape it will introduce," Vodafone said.
"VHA already bears a considerable regulatory cost overhead through a range of recent imposts being placed on Industry as a result of recent government initiatives in the form of the mandatory two-year data retention scheme, online copyright notice scheme, and the newly legislated website-blocking regime, which all drive up costs that may then have to be passed on to consumers.
"The TSSR legislation will add a further significant regulatory cost overhead."
The financial impact is estimated to amount to ongoing costs of AU$1.6 million annually for ASIO and the AGD to resource and administer the scheme -- though if telcos are required to rebuild systems and networks to comply, as well as spend resources on producing large amounts of documents upon the AGD's request, this could increase their own expenditure drastically.
The joint submission [PDF] by the Communications Alliance, Australian Information Industry Association (AIIA), Australian Mobile Telecommunications Association (AMTA), and Australian Industry Group (Ai Group) said the purpose of the legislation is unclear, compliance will prevent CSPs from responding to cybersecurity breaches in a timely manner, and the scope is too broad thanks to vague drafting.
The Law Council of Australia added [PDF] that due to this broad, vague scope, the legislation is actually inconsistent with the rule of law, as it is not readily known and available, or certain and clear.
The submission [PDF] by pay-TV provider Foxtel simply sought to have broadcasting and content services separated from telco services in definitions under the legislation, so that it would not be subject to the requirements under the Bill.
"Foxtel seeks amendments to sections 313(1A) and 313(2A) that expressly exempt telecommunications networks and facilities 'to the extent these are used to supply broadcasting services and content services as defined in the Broadcasting Services Act 1992'," Foxtel wrote.
Government agency the Office of the Australian Information Commissioner (OAIC), meanwhile, welcomed the draft legislation [PDF], saying the government had implemented all recommendations made during the previous round of consultations.
When first announcing the legislation, the government said it is necessary due to the growing volume of data stored on networks.
"Government and business are increasingly storing and communicating large amounts of information on and across telecommunications networks and facilities," the explanatory memorandum says.
"Telecommunications networks and facilities also by their nature hold information of a sensitive nature, which includes information about the network itself; for example, lawful interception systems, customer billing, and management systems, which, if unlawfully accessed, can reveal sensitive law-enforcement operations, or the location of people such as politicians or protected persons. This information presents a rich intelligence target for those who wish to harm Australian interests.
"For these reasons, the telecommunications networks and infrastructure of carriers, carriage service providers, and carriage service intermediaries are attractive targets for espionage, sabotage, and foreign interference activity for state and non-state actors."
The explanatory memorandum states that currently, the government manages national security risks through cooperative arrangements with the telco industry, and that this Bill will simply formalise these arrangements and ensure that national security is prioritised over commercial interests. It added that the rollout of the National Broadband Network (NBN) will "magnify" the risks.
Prime Minister Malcolm Turnbull and Attorney-General George Brandis had previously said that these new powers "will only be used as a last resort, to protect the national interest", but argued the changes are necessary for Australian national security due to increasing numbers of online attacks from "nation states and hacktivists".
The telecommunications industry also spoke out against the legislation in July.