Committee inquiries and legislative history
2.1 The Parliamentary Joint Committee for Intelligence and Security (the Committee) has examined telecommunications sector security, either in relation to the initial identification of need for reform or proposed legislation, in various inquiries and reports, dating back to the 43rd Parliament.
Initial inquiry into reforms of Australia’s national security legislation
2.2 In July 2012 the Committee commenced an Inquiry into Potential Reforms of Australia’s National Security Legislation, after a referral from the then Attorney-General, the Hon Nicola Roxon MP.
2.3 The purpose of that inquiry was to investigate a number of potential reforms of Australia’s national security legislation. The Committee was provided with a discussion paper from the Government containing 18 reform proposals and the terms of reference for that inquiry. The terms of reference broadly covered reforms in relation to three areas:
1. Reform of the Australian Security Intelligence Organisation Act 1979 and the Intelligence Services Act 2001;
2. Reform of the telecommunications security aspects of the Telecommunications Act 1997; and
3. Access to data and interception of communications under the Telecommunications (Interception and Access) Act 1979.
2.4 The report from this inquiry produced 43 recommendations. Recommendation 19 of the report stated:
The Committee recommends that the Government amend the Telecommunications Act 1997 to create a telecommunications security framework that will provide:
a telecommunications industry-wide obligation to protect infrastructure and the information held on it or passing across it from unauthorised interference;
a requirement for industry to provide the Government with information to assist in the assessment of national security risks to telecommunications infrastructure; and
powers of direction and a penalty regime to encourage compliance.
2.5 Further to this, in 2015 the Committee’s Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 recommended, amongst other things, that the Government’s telecommunications sector security framework be enacted before the end of the implementation period of the data retention regime.
Inquiry into the Telecommunications and Other Legislation Amendment Bill 2016
2.6 On 9 November 2016 the Telecommunications and Other Legislation Amendment Bill 2016 (the Bill) was introduced to the Parliament by the then Assistant Minister to the Prime Minister, Senator the Hon James McGrath. On the same date, the then Attorney-General, Senator the Hon George Brandis QC, wrote to the Committee requesting that it inquire into the Bill. On 15 November 2016 the inquiry was announced by the Committee via media release.
2.7 In his second reading speech for the Bill, Senator McGrath noted the importance of Australia’s telecommunications network as critical infrastructure and its vulnerability to cyber-attacks. He stated:
Telecommunications networks are a key pathway for unauthorised interference by malicious actors. The [Australian Cyber Security Centre’s Threat] Report identifies that diverse state-based adversaries are attempting cyber espionage against Australian systems to satisfy strategic, operational and commercial intelligence requirements. It also acknowledges that the ongoing theft of intellectual property from Australian companies continues to pose significant challenges to the future competitiveness of Australia's economy.
2.8 The Bill sought primarily to amend the Telecommunications Act 1997, but also made amendments to related legislation, being the Telecommunications (Interception and Access) Act 1979, the Administrative Decisions (Judicial Review) Act 1977 and the Australian Security Intelligence Organisation Act 1979.
2.9 The Bill’s primary objectives were to:
1. Establish security obligations on all carriers and carriage service providers (C/CSPs) to ‘do their best’ to protect their networks from interference and unauthorised access;
2. Introduce requirements for carriers and nominated carriage service providers (NCSPs) to inform the Communications Access Co-ordinator (CAC) of planned changes to their services which may compromise their security obligations;
3. Give the Attorney-General and the Secretary of the Attorney-General’s Department powers to make orders in relation to, and request information from, C/CSPs in order to monitor and manage security risks;
4. Create obligations around confidentiality and information sharing, as well as an obligation to provide an annual report on the effect of the law which would then be tabled in Parliament; and
5. Expand existing civil enforcement mechanisms within the Telecommunications Act 1997 in order to address the new obligations within the Bill.
2.10 On 30 June 2017, the Committee tabled its report into this inquiry, making 13 recommendations to the Australian Government. All of the inquiry’s recommendations were accepted by the Government.
2.11 The Committee recommended that the Bill be passed and made recommendations to the Government largely around clarifying aspects of the Bill and its administrative guidelines, the form of the annual report presented to Parliament, and that the effect of the Bill be reviewed by the Committee within three years of the Bill receiving Royal Assent.
2.12 The Telecommunications and Other Legislation Amendment Bill 2017 was passed by both houses of Parliament and received Royal Assent on 18 September 2017, becoming the Telecommunications and Other Legislation Amendment Act 2017. These amendments were incorporated as Part 14 of the Telecommunications Act 1997 and are known as the Telecommunications Sector Security Reforms (TSSR).
2.13 Following a twelve-month implementation period, the TSSR commenced on 18 September 2018.
2.14 The authority and roles provided to the Attorney-General and the Secretary of that Department were transferred to the Minister for Home Affairs and the Department of Home Affairs after its creation and commencement in December 2017.
Part 14 of the Telecommunications Act 1997 and its operation since introduction
2.15 Part 14 of the Telecommunications Act 1997 (the Telco Act) relates to national interest matters and telecommunications networks and facilities.
2.16 Section 312 places an obligation on the Australian Communications and Media Authority (ACMA) to do its best to prevent telecommunications networks and facilities from being used to commit offences against the Australian Government and the States and Territories. ACMA is required to give Government authorities such help as is reasonably necessary to enforce the law, protect public revenue and safeguard national security.
2.17 Section 313 of the Telco Act places an obligation on C/CSPs to ‘do their best’ to:
Prevent telecommunications networks and facilities from being used to commit offences under laws of the Commonwealth or the States and Territories; and
Protect telecommunications networks and facilities from unauthorised interference and access for the purposes of security (i.e. from espionage, sabotage, foreign interference and attacks on Australia’s defence system).
2.18 The Telco Act contains powers for the Minister for Home Affairs (the Minister) and also imposes obligations on carriers and nominated carriage service providers.
Directions powers
2.19 Under section 315A and section 315B of the Telco Act, the Minister may direct a C/CSP to:
Cease supplying or using a carriage service where the use or supply would be prejudicial to security; and
Do, or refrain from doing, a specified act where there is a risk of unauthorised interference with, or access to, networks or facilities which may be prejudicial to security.
2.20 The Minister may only use these powers where the Australian Security Intelligence Organisation (ASIO) has provided an adverse security assessment (such security assessments are subject to notification requirements and are reviewable, on application, by the Administrative Appeals Tribunal (AAT), as per Part IV, Division IV of the Australian Security Intelligence Organisation Act 1979).
2.21 Section 315A is intended to be used in extreme circumstances as a power of last resort, where the continued operation of the service would have such severe consequences that the entire service needs to be shut down. In such circumstances the Minister must consult with the Prime Minister and the Minister for Communications prior to issuing a written direction under this section.
2.22 Under s315B, there is an additional safeguard: the Minister may only issue such a direction where they are satisfied that all reasonable steps have been taken to negotiate in good faith with the C/CSP to eliminate or reduce the security risk.
2.23 Further to this, the Home Affairs Secretary has the power to obtain information and documents from C/CSPs that are relevant to assessing whether a C/CSP is complying with its duty under s313(1A).
Notification obligations
2.24 Section 314A of the Telco Act places an obligation on carriers and NCSPs (C/NCSPs) to notify the CAC (as part of the Critical Infrastructure Centre within the Department of Home Affairs) of proposed changes to a telecommunications service or system if they become aware that the proposed change may have an adverse effect on the capacity of the carrier to comply with its existing security obligations.
2.25 Once a C/NCSP has notified the CAC, security agency partners perform a security assessment. Within 30 calendar days of receipt of a notification the CAC must provide the carrier with one of the following notices:
A request for further information, detailing the further information required by the CAC to assess whether there is a risk to the telecommunications networks or facilities;
A notice that there is some risk associated with the carrier’s proposed change, recommending controls to mitigate the identified risk; or
A notice identifying that there is no risk from the carrier’s proposed change to its telecommunications network or facility.
2.26 Under subsections 314A(4) and (5) the CAC may grant an exemption to a C/NCSP if the carrier in question makes an application in writing to be exempted. The CAC must respond to such an application within 60 days, either granting the exemption or refusing it and advising the carrier of the reasons for the refusal.
2.27 If an application for an exemption is refused by the CAC, the C/NCSP may apply to the AAT for a review of the CAC’s decision.
2.28 As an alternative to informing the CAC of individual changes, a C/NCSP may provide the CAC with a security capability plan under section 314C, setting out one or more proposed changes to a telecommunications service or system. A C/NCSP cannot provide more than one security capability plan in any 12-month period.
Information sharing and engagement
2.29 The Department of Home Affairs (the Department) has stated that its ‘regulatory objective is to achieve national security outcomes on a cooperative basis rather than through the formal exercise of regulatory powers.’
2.30 Prior to the introduction of the TSSR, the telecommunications industry and the Australian Government had informal engagement and information sharing practices. Part of the purpose of the TSSR is to formalise and strengthen these existing arrangements.
2.31 The Department states that it engages with the telecommunications industry through:
Providing technical workshops and assistance;
Developing guidance material which is available on a dedicated TSSR webpage (including administrative guidelines, fact sheets, sample forms and frequently asked questions); and
Developing a secure communication pathway for the Department to provide sensitive information to the industry.
TSSR Annual Reports
2.32 Since the implementation of the TSSR, the Department has produced three annual reports on the progress of the reforms: the TSSR 2018-19 Annual Report, the TSSR 2019-20 Annual Report, and the TSSR 2020-21 Annual Report.
2.33 These annual reports are required under section 315J of the Telco Act and are presented to Parliament and published for public access.
Directions powers
2.34 The Minister did not make any directions under subsections 315A(1) or 315B(2) in the financial years ending 2019, 2020 and 2021.
Notification obligations
2.35 During the financial year 2018-19, the CAC received 34 subsection 314A(3) notifications, 32 notifications in 2019-20, and 30 notifications in 2020-21.
2.36 In all three years, the CAC responded to all subsection 314B(3) and subsection 314B(5) notifications within the required 30-day period. In situations where the CAC requested further information from a carrier or provider, the CAC provided subsection 314B(3) or subsection 314B(5) notices to the carrier within 30 days of receiving the further information.
2.37 Table 2.1 sets out the number of notices provided by the CAC over the three years since the commencement of the TSSR.
Table 2.1: Subsection 314B(1), (3) and (5) notices provided by the CAC 2018-21

| Notice type | 2018-19 | 2019-20 | 2020-21 |
|---|---|---|---|
| 314B(1) ‘required further information’ | 16 | 14 | 22 |
| 314B(3) ‘some risk’ | 28 | 24 | 24 |
| 314B(5) ‘no risk’ | 1 | 6 | 6 |

Source: Department of Home Affairs, Telecommunications Sector Security Reforms: 2018-19 Annual Report, pp. 2-3; Department of Home Affairs, Telecommunications Sector Security Reforms: 2019-20 Annual Report, p. 3; Department of Home Affairs, Telecommunications Sector Security Reforms: 2020-21 Annual Report, pp. 2-3.
2.38 During the financial years 2018-19, 2019-20 and 2020-21, the CAC did not receive any security capability plans from any C/NCSP. In the same periods the Home Affairs Secretary gave no notices to a C/NCSP to produce documents or information under powers in subsection 315C(2).
Information sharing arrangements
2.39 In the 2018-19 financial year, the Department participated in 53 engagements with the telecommunications industry. This increased in 2019-20 to 98 engagements, and is reported as being 98 engagements for the 2020-21 period as well. The Department stated in its 2019-20 TSSR Annual Report that it ‘is encouraged by an increase in the number of these engagements during the reporting period, as they foster stronger relationships with industry.’ This relationship continued at the same rate for 2020-21.
2.40 The Department noted in all three TSSR Annual Reports that engagement with the telecommunications industry has been ‘generally positive’ and that it has worked with carriers to explain the intent of the legislation and the importance of submitting notifications to the Department.
2.41 As part of the guidance materials the Department publishes, there are guides available to the industry outlining when network changes will meet the threshold for a notification. In the 2019-20 TSSR Annual Report the Department confirmed it was in the process of updating the guidance materials it provides to the industry, with confirmation in the 2020-21 Annual Report that these guidelines had been updated in June 2021.
Trends and Issues
2.42 In the three TSSR Annual Reports to date, the Department identified several trends and issues. Some trends continued across all reporting periods, while others only became apparent as the regime continued operating across the three years.
Trends across 2018-19, 2019-20 and 2020-21
2.43 The following trends were identified across all three reporting periods, with differing degrees of focus or emergence, but common to all three annual reports:
5G and other mobile networks: The Department provided guidance on 5G security to Australian carriers on 23 August 2018 after extensive review. It continued to work closely with carriers to ensure they understood their obligations. In the 2019-20 and 2020-21 TSSR Annual Reports the Department noted that it has been working with non-5G mobile network operators in order to ‘manage potential sustainment risks associated with the United States’ export restrictions affecting certain telecommunications infrastructure vendors.’
Approach to notification obligations: In the 2018-19 TSSR Annual Report the Department stated that carriers had been engaging positively with the Department about their obligations under the TSSR. The 2019-20 and 2020-21 TSSR Annual Reports noted, however, that there had been some variation in how carriers approached their obligations, which will be expanded on in Chapter 3.
Insufficient detail within notifications: In all three reporting periods, the Department noted that insufficient detail in notifications from carriers was a continuing issue and the primary obstacle to shorter response times from the CAC. In the 2018-19 TSSR Annual Report, the Department stated it had updated the TSS1 notification form in order to collect more targeted and relevant information from carriers, as well as updating the available guidance material to provide more clarity on this issue.
Trends emerging in 2019-20 and 2020-21
2.44 The 2019-20 and 2020-21 TSSR Annual Reports noted the following emerging trends and issues for those periods:
Managed service providers (MSPs): The Department noted an increase in the number of notifications involving carriers’ use of MSPs (businesses that are employed to remotely manage a company’s IT infrastructure or end-user systems). The CAC notified the Department of several situations where a carrier’s proposed use of an MSP would have affected its ability to maintain appropriate supervision and control over its networks and facilities. In these situations the CAC advised carriers of its concerns and of risk mitigation strategies.
Network function virtualisation (NFV) and orchestration: The CAC was notified by multiple carriers about changes involving NFV during the reporting periods. NFV notifications were also usually made at the same time as ‘automated’ network orchestration solutions and typically featured high levels of technical complexity and complex supply chains. The CAC was concerned that carriers were not aware of the security risks of these changes, particularly the risks associated with multi-jurisdictional supply chains and complex vendor/subcontractor relationships, as well as the risks of outsourcing parts of a carrier’s infrastructure. In all instances of these kinds of notifications, the CAC advised the carrier of its concerns and of how these risks could be mitigated.
5G cloud compute: A number of technical discussions with carriers during 2020-21 covered 5G cloud orchestration and the balance required between the benefits of virtualised computing technologies and the threat they pose to carriers and their existing and emerging business.
COVID-19 implications: As would be expected, the increased demand on telecommunications was an emerging factor in the 2020-21 Annual Report. Working from home arrangements for carriers’ staff, and the associated security risks, were raised as an issue, and the Department undertook ongoing dialogue with all carriers.
Supply chain risk assessments: The Department continued to encourage carriers to notify changes involving vendor equipment and services risk assessments, and highlighted in the 2020-21 Annual Report that more guidance materials specific to supply chain risk assessment are being developed.
Observations from the sector regarding notifications
2.45 The Committee received a limited number of submissions from telecommunications carriers and service providers, but received information from Telstra, Optus and the Communications Alliance regarding their organisational or representative experiences under the regime since its introduction.
2.46 More information regarding submissions and evidence from these providers and others will be outlined in Chapter 3, but in general the observations from these organisations have acknowledged the intention of the reforms and the impact of the notification provisions.
2.47 In its submission Optus noted that it had provided 36 formal TSSR notifications, a figure it updated to 45 at the public hearing. Telstra did not provide a number of formal notifications it had made under the regime, but made the distinction that it is its practice to engage with the CAC on an informal basis, early in a project, and therefore not trigger a formal notification.
2.48 The consistency of notifications and framework expectations will be expanded on in Chapter 3, as well as the impact of the proposed expansion of the Security of Critical Infrastructure framework.
High profile decisions and impacts
2.49 The most significant decision made during the operation of the TSSR to date has been that limiting the vendors authorised to supply equipment for the rollout of 5G telecommunications within Australia’s network.
2.50 In a joint statement issued on 23 August 2018, the then Treasurer and acting Minister for Home Affairs, the Hon Scott Morrison MP, and the then Minister for Communications and the Arts, Senator the Hon Mitch Fifield, announced that security guidance had been issued to Australian carriers excluding vendors ‘subject to extrajudicial directions from a foreign government that conflict with Australian law’.
2.51 Whilst not stated directly in the statement, media reports revealed that this decision had effectively banned Huawei from the 5G rollout, much like its exclusion from the NBN rollout in 2012, based on ASIO advice.
2.52 This decision and advice related to carrier obligations under the TSSR and did not constitute a direction under Part 14 of the Telco Act.
2.53 More commentary regarding this advice and its impact is included in Chapter 3.