3. Evidence received, review complications, and Committee comment

3.1
As outlined in Chapters 1 and 2, submissions were received from a number of interested stakeholders, government, and relevant telecommunications providers for the Committee’s review. However, as also outlined, the release of the draft Security of Critical Infrastructure Bill (SOCI Bill) in December 2020 complicated the review process and impacted the scope and relevance of the evidence received in submissions to this review.
3.2
The Committee acknowledges the concerns of the submitters regarding the unclear effect that the SOCI Bill was potentially going to have on the TSSR regime; however, the Committee’s intent for the statutory review of the regime was challenged by the shift in the evidence base due to the SOCI Bill’s impact.
3.3
Whilst the Committee requested information in submissions regarding operation, effectiveness and implications of the reforms, as well as information regarding the security of critical and sensitive data, the adequacy of information-sharing arrangements between government and industry, and the adequacy and effectiveness of the administrative guidelines in providing clarity to industry on how it can demonstrate compliance with the requirements set out in the TSSR reforms, the evidence received on these areas was modified by the SOCI Bill’s potential impact. The unknown nature of the full impact of the proposed Bill when the majority of submissions were written and tendered had an undue effect on the focus of evidence contained within those submissions.
3.4
Accordingly, the Committee does not intend to address all of the evidence received regarding the unknown nature of the impact of the SOCI Bill in this report. The Committee concluded its review of that Bill in August 2021 and the recommendations of that report are yet to be fully realised, as multiple pieces of legislation will result, with further Committee review to be undertaken.1
3.5
Additionally, as a number of submissions contained information that was either replaced or clarified in hearing evidence, or through the Committee’s processes in its review of the SOCI Bill, the focus will be on the main points considered by the Committee that remained most relevant.
3.6
The Committee acknowledges and thanks all submitters and witnesses that have provided valuable evidence and insight into the TSSR review.
3.7
This report intends to outline the main issues raised regarding the operation of the TSSR, where improvements may be made in the shorter term (independent of any future impacts of SOCI legislation), acknowledging that the operation of telecommunications sector security is not a static element of national security.

Operational context and intent

3.8
The telecommunications industry in Australia is a central part of the economy and is an enabler for many aspects of Australia’s societal fabric, as outlined by the Department of Infrastructure, Transport, Regional Development, and Communications (DITRDC):
Telecommunications are critical for Australia’s modern society and economy. Whilst the telecommunications sector directly comprises only two per cent of Australia’s Gross Domestic Product (GDP), it enables a further 25 per cent of GDP, and employs one per cent of the Australian workforce.2
3.9
Telecommunications underpins commerce, safety and supply across the nation. It is for this reason that the security of providers, their networks and the technology comprising them must be assured.
3.10
As outlined by DITRDC, Australians have an expectation of telecommunications security and integrity:
The community expects high standards of security will apply to the telecommunications industry, given the importance of telecommunications to the economy and their lives and given the sensitivity of information carried on networks. In addition, other critical infrastructure such as power, financial services and health relies on telecommunications networks and systems. Going hand in hand with secure telecommunications is a need for ready access to telecommunications, as starkly demonstrated during the COVID-19 pandemic. We need to continue to ensure that carriers are continuing to invest in their networks and can continue to provide high-quality services to Australian homes and businesses.3
3.11
However, financial considerations and impacts from telecommunications regulation must be factored into an ever-changing market:
The telecommunications market is facing challenges. While our telecommunications companies are profitable, the return on capital they have been able to achieve is falling. Analysts estimate the average revenue per user has decreased from around $65 per user in 2010 to around $57 per user in 2018. At the same time, to support Australia being a leading digital economy, carriers are rolling out 5G technology that needs to deploy more base stations in smaller cells. For example, Optus reported to the parliamentary inquiry into 5G that, to offer high speeds, cells would have to be around 200 to 300 metres apart. This means that the capital intensity required in the industry is rising.4
3.12
Profit margins and capital investment must be considered in tandem with security requirements, both company-led and regulated. The Communications Alliance highlighted:
If you look at the consumer prices in various industries, you will see that the prices in our industry have remained stable or actually have fallen, while the services and innovation have dramatically improved over the last 20 years, while profit margins have slimmed quite significantly. So we are facing a very uncertain future in terms of sustainable investment for our industry, especially with substantial investment in infrastructure for 5G and 6G coming up. Our industry, especially the network operators, are best placed to manage the security of their infrastructure: If we are not being careful and offering a regulatory environment that makes it possible to sustainably invest in that industry, then we are also equally risking the security of that infrastructure and of that entire environment.5
3.13
Security requirements have to be led by carriers, but must balance the evolving threat, with an acknowledgement that telecommunications is a key enabler for the digital shift in espionage, foreign interference and sabotage. The CSCRC identified this balance that informed the 5G security advice decision:
…during the 5G decision, it became clear that, particularly as we move into a world of 5G, everything will be connected at a very fast pace. So the threat is serious when we think of underpinning everything we do and having a carrier, a high-risk vendor, in that supply chain. It was deemed sufficiently serious enough for government to, obviously, ban high-risk vendors. From a telecommunications and reach point of view, once you have access to a telecommunications network, you have the master key to switch things on and off and to access. As was noted by, I think, the Director-General of Security several times—and by others who have commented on this—it really underpins everything…TSSR was first talked about in 2012, but it's a very different landscape now in 2021. There were risks evident then that wouldn't have been imagined when this was first discussed back in 2012. So it's incredibly serious. Telecommunications underpins everything we do—every system—and will do even more so. Colonial Pipeline is a good example. They were able to get onto a pipeline that controlled 45 per cent of the east coast of America's fuel consumption via a cyber-enabled breach.6
3.14
DITRDC acknowledges that protection of the telecommunications industry is best left to the providers themselves, where competition and innovation can occur within an environment where ultimate security direction can be provided with the best threat information and supported by all relevant government agencies.7
3.15
The Communications Alliance agreed with this position:
Obviously, effective self-regulation is preferable to the stick, and that's what TSSR tried to achieve.8

Operation and impact of the TSSR

3.16
The intent of the TSSR reforms, and their operation to date, has been underpinned by early engagement and relationships between carriers and government:
If I can remind the committee about the purpose of the TSSR reforms: one of those was to encourage early engagement on proposed changes in networks and services that could give rise to any national security concerns, and that there be collaboration on those issues. We think that purpose has been achieved. If we look at the information…provided in the Home Affairs annual reports—for the last 2½ years the TSSR has been in operation, there has been a significant number of notifications made to Home Affairs about security issues so that they can be managed in a collaborative and cooperative way. Our conversations with industry also indicate that they feel they have been benefiting from hearing more from government about security issues and being able to manage those issues in a more effective way. So I think our view would be that both industry and government are supportive of the TSSR reforms and perceive that they have been working well.9
3.17
The operation and impact of the TSSR up to the early part of 2021 was covered in submissions made to the Committee for the review.
3.18
DITRDC, the department responsible for the relationship between the market and government, provided a submission outlining the context in which the TSSR operates, the practical results of the TSSR and principles to help guide potential reform (discussed at relevant parts of this chapter).10
3.19
The Department of Home Affairs provided a submission with contextual information regarding the development and operation of the TSSR, identification of potential crossover with the SOCI Bill, and some potential enhancements. Those enhancements were:
alignment of positive security obligations with those suggested in the SOCI Bill;
changes to notification requirements regarding network changes assessed as not requiring notification by a carrier, and imposition of conditions related to a change with ongoing engagement and monitoring;
alignment of security capability plans with those proposed in the SOCI Bill; and
alignment of directions and information gathering powers with those proposed in the SOCI Bill.11
3.20
Telstra provided a brief submission to the review outlining support for the TSSR and interactions with the SOCI Bill.12 This submission was supplemented by public hearing evidence, as referenced in this chapter.
3.21
Optus provided a detailed submission outlining its support for the TSSR as a shared national endeavour, identifying the significant commercial impacts that TSSR decisions can have on carriers, as well as concern regarding the potential impact of the SOCI Bill.13 The submission also highlighted a number of areas for potential reform regarding:
notification thresholds and the assessment of risk and impact and how different carriers may engage with this process (more commentary from the public hearing is included in this chapter);
clearer timelines for notifications in project lifecycles; and
improvements in guidelines and awareness of security standards and risk frameworks.14
3.22
Optus also provided the Committee with a confidential submission regarding the operational and commercial impacts of TSSR decisions.15
3.23
Huawei made a submission to the review, critical of the decisions made under the TSSR that effectively barred its inclusion in 5G and future generation telecommunications infrastructure.16
3.24
The Communications Alliance, a representative body for the communications industry, submitted to the Committee its concerns regarding the potential impact of the SOCI Bill, but also regarding the operating environment, notifications obligations, threat sharing and costs to industry (discussed at relevant parts of this chapter).17
3.25
The Cyber Security Cooperative Research Centre (CSCRC) provided a helpful summary of the TSSR regime’s operation and highlighted its support for the regime. The CSCRC supports the intent of the TSSR and its operation to date, highlighting a number of factors:
the definition of ‘security’ for the purposes of the regime, taken from the ASIO Act, is broad and flexible and allows for existing and emerging threats to be considered;
supply chain integrity is central to the TSSR’s intent and operation, as well as ensuring the intent of the Modern Slavery Act 2018 is upheld;
5G and future generation technologies must be introduced and managed in the most sustainable way possible through assessment and management of suppliers; and
the use of MSPs must be carefully monitored and managed.18
3.26
The Law Council of Australia provided a submission identifying concerns regarding the potential impact of the SOCI Bill, but also raising specific issues and suggesting recommendations regarding:
the definition of security for the purposes of the TSSR and the breadth of that contained in section 4 of the ASIO Act;
transparency of adverse security assessments as a basis for Ministerial directions;
implementation of outstanding recommendations from the Committee’s Report on the Review of the Mandatory Data Retention Regime, regarding offshore storage of data and disclosure;
application of the Regulator Performance Framework and related reporting;
powers of delegation and authorisation, oversight and ongoing review of the regime.19
3.27
A number of cybersecurity industry submitters provided general technical commentary and observations regarding the areas of industry concern that the Committee received evidence of during the original TSSR Bill review in 2017. These comments regarded the security of critical and sensitive data, adequacy of information-sharing arrangements between government and industry and adequacy and effectiveness of the administrative guidelines. The comments outlined a perception that Part 14 and the administrative guidelines do not include specific information regarding decision-making criteria, appeals, transparency to customers and guidance on data sovereignty or emerging technologies.20

Industry impact

3.28
As previously mentioned, the industry impact of the TSSR regime has been characterised by a varied response to regulatory obligations, most notably notifications (covered below), but also in relation to the decision to bar Huawei from 5G network rollout.
3.29
In its submission Huawei makes numerous claims about the grounds for, and effect of, this decision, but summarises the impact as:
In practice the TSSR legislation destroyed Australia’s global mobile network leadership, reduced vendor competition, forced up prices for operators and consumers, isolated Australia from the world’s leading 5G innovation (as well as the ongoing leading innovation in 6G, 7G etc) and failed to make the nation any safer.21
3.30
When invited to expand on these claims at a public hearing, Huawei declined the opportunity to appear.

Security obligations

3.31
Part 14, Division 2 of the Telco Act sets out the obligations of both the Australian Communications Media Authority (ACMA) and telecommunications carriers and carriage service providers (C/CSPs).
3.32
The expanded obligations in Part 14 for C/CSPs, as explained in Chapter 2, require the entity to ‘do its best’ to protect networks and facilities from unauthorised interference or access or from being used in relation to offences.
3.33
These expanded obligations were acknowledged by providers and stakeholders with regard to intent, but the general nature of the wording and the endeavour of C/CSPs could be clarified.
3.34
DITRDC acknowledged this lack of clarity:
I think there is consensus that, though they have worked well, they could work better, and that some of the provisions in the TSSR could benefit from greater clarity. The obligation to use their best endeavours to keep the network secure could be improved to provide more direction to industry as to what's expected. Similarly—and this is a view also shared with Home Affairs—the way the notification obligation is expressed has led to varying interpretations between industry players. We think that, too, could be improved to make it more clear, and that would help industry to comply more fully and in a way that's more efficient.22
3.35
When asked about the differing interpretations of the obligation, DITRDC explained that setting standards could aid in addressing the variance:
We had observed that some of the language in the security obligation was a bit subjective and the way that a telecommunications company interprets it might differ depending on their perspectives. The idea is that there could perhaps be a process whereby the government, potentially through a delegated instrument, could specify a security standard. There are already provisions in the Telecommunications Act that allow standards to be read into the framework. Indeed, in other contexts they've been used to specify safety standards or consumer protection standards.23
3.36
The CSCRC agreed that clearer guidance would aid providers:
With TSSR I think the struggle has always been that to 'do your best' has been opaque and hard to manage. Greater guidance, which we've seen in other submissions—make the guidance tighter and interaction with government agencies more frequent where it is challenging for a telco to know whether they are straying into space that may bring them into a breach, or they're interacting with a vendor that may cause them harm. I think to 'do your best' is always a little bit challenging, because it's not defined. When it's something self-defined, the world of cybersecurity breaches has told us that self-definition and self-regulation doesn't always work well.24
3.37
When asked for a C/CSP perspective, Telstra and Optus provided insight into the varying triggers that industry are using, as well as the communication that was coming from the Critical Infrastructure Centre (CIC), now the Cyber and Infrastructure Security Centre, in the Department of Home Affairs:
3.38
Telstra outlined its interpretation of the obligation:
…the do-your-best obligation is very general and it allows industry participants to make their own call about what 'do your best' means. In our view, that involves an enterprise risk management framework that takes an all-hazards approach.25
3.39
Optus outlined a similar approach:
…we would also say that doing your best means doing your very best; and that, by its nature, means you've got to look at the full end-to-end value chain and assessment of risk here. So it drives you to an all-hazards approach.26
3.40
This security obligation often has to be based on threat advice, or feedback regarding potential projects (highlighted as an informal advice/notification process). Telstra acknowledged the advice received, but noted that better overall obligation guidance would be beneficial for the day-to-day operation of networks:
Currently we get really good and detailed advice, but it has to be triggered by us putting in a notification or providing a briefing, and then that advice will come back. It will be very detailed and will help us to understand the risk for that particular project, but it would be very helpful to have more upfront, because then, when I'm working day to day with our network engineers and operational staff, I can provide them with the guardrails to start with, and that really helps decision-making and speeds up projects.27

Notification obligations

3.41
Part 14, Division 3 of the Telco Act establishes the notification obligations for C/CSPs.
3.42
As outlined earlier in this report, the nature of the notification, the point at which it may be required, and the variation in end result were raised by stakeholders and providers.
3.43
The variation between the two major providers will be covered below; however, the risk profile being assessed and mitigated can affect the resultant action, as outlined by Optus:
What's not clear, when you are undertaking a new initiative or program, is whether the security risk that is being examined and therefore requires notification is what we might call the unmitigated risk, which is the risk before you've implemented any mitigating controls or factors—do you have to notify that level of risk, or do you look at an initiative, having regard to all the controls and processes that you have put in place to mitigate that risk? That can lead to quite different outcomes, and it can clearly impact the number of notifications that you bring forward.28
3.44
The variation in risk assessment and the nature of communication and advice received has led to what the Committee heard are informal and formal notification processes, both of which can garner very different results.

Informal vs formal processes

3.45
Telstra outlined in its submission and in hearing evidence that it engages early with the CIC, which could ultimately result in a formal notification not being made:
For example, this might mean briefing the Critical Infrastructure Centre on a proposed change, receiving risk advice and changing the project in a manner that avoids or at least mitigates any identified risks. This process results in an improved security outcome without the need for a formal notification, because the controls or mitigations introduced in the design phase mean that any material adverse effect has been avoided.29
3.46
This position may not fulfil the intent of the obligation mechanism, but is likely due to the long-standing relationship that Telstra has with government and national security apparatus:
…one reflection we've had through the TSSR regime is that we have established some really positive relationships with a number of national security agencies, particularly the Critical Infrastructure Centre, whereby we've been able to establish more informal early-engagement opportunities when we reach a point where we are undertaking a particular project and can share risk advice back and forward. That has meant that we are able to make changes to our programs early in the piece so we are not triggering a formal notification threshold. I think that has been quite a successful outcome of the TSSR, but I would echo the comments of our Optus colleagues that we would appreciate further clarity where it can be provided.30
3.47
The ultimate result of this approach was that Telstra would only notify the CIC of a project where mitigated risks still triggered the notification requirement:
…we have deliberately taken an approach where we notify on mitigated risk. We only lodge a notification after all the systems and controls are in place, where we still believe that there's a material adverse effect to our ability to meet the security obligation.31
3.48
Conversely, Optus outlined to the Committee in its submission and in hearing evidence that it had undertaken analysis of all its proposed network changes and taken a formal notification process approach to all projects that it believed engaged the TSSR requirements. This resulted in Optus identifying that it had made 34 of the 66 notifications up to 30 June 2020.32
3.49
At the Committee’s public hearing Optus identified that as time had progressed and interactions had increased, the process of engagement and advice from the CIC had matured:
I think it's fair to say that, as the regime has gone on and the interactions have deepened, we've got more understanding of the types of information that they would expect to receive, and therefore that introduces some improvements and streamlining of the engagement versus maybe at an earlier stage in the regime.33

Security capability plans

3.50
Limited evidence was received regarding security capability plans enabled under section 314C of the Telco Act.
3.51
The Department of Home Affairs identified in its submission that:
Similar to individual notifications, C/NCSPs have conveyed concerns to Home Affairs that lodging a Security Capability Plan may be viewed as an admission that the C/NCSP is proposing to breach its security obligation or to do an act that is prejudicial to security.
Despite being included in the TSSR regime as a result of industry feedback, engagement with the telecommunications sector has indicated that C/NCSPs do not see the merit in submitting a Security Capability Plan and to date, the CAC has not received any Security Capability Plans since the commencement of TSSR.34
3.52
The requirement to meet baseline security requirements was identified as having numerous legacy and cost considerations, especially for the larger carriers, as identified by the CSCRC:
The difference with telecommunications is that our larger telecommunications companies are large organisations with an enormous amount of legacy, platforms, systems and networks alone. So they may understand the risk. It's rolling out the risk profile and diminishing and mitigating that risk across their entire structure that is challenging. I think it's fair to say that the legacy network part of a telecommunications provider is always the greatest risk. For them, it's probably a risk well understood. But, if you're dealing with sometimes 40, 50, 70 or 100 systems, it's how you manage all those systems—and even patching programs are enormous in large telcos—to mitigate those risks and its costs. As you heard from the Comms Alliance, it's often cost, cost-benefit analysis and how many systems. All sorts of systems run on different platforms, which the committee would be aware of in metadata alone.35

Directions powers and information gathering powers

3.53
As identified in Chapter 2, the directions power in Part 14, Division 5 and the information gathering power in Part 14, Division 6 of the Telco Act have not been used since the commencement of the TSSR regime.
3.54
These powers were introduced as measures of last resort to address adverse security assessments (ASA) from ASIO in relation to a C/CSP or Carriage Service Intermediary (CSI) regarding a risk of unauthorised access to networks or facilities that would be prejudicial to security (for the directions power) or to compel information to assess compliance with a security obligation (for information gathering).
3.55
These powers are identified as not having needed to be used, owing to the functional working relationship and voluntary good faith exchanges with carriers.36
3.56
Some commentary was made by other submitters regarding the reliance on the definition of national security from the ASIO Act for potential directions actions and the process for ASAs.37

Engagement, information and threat sharing

3.57
At the core of the TSSR reforms is an inherent reliance on voluntary and frequent dialogue, notification and sharing of information, between industry and government.
3.58
During the Committee’s inquiry into the originating Bill for the reforms, industry expressed concerns regarding the nature of information sharing, privacy concerns and threat awareness, resulting in one of the focuses for Recommendation 12 of that report and this review - the adequacy of information-sharing arrangements between government and industry.38
3.59
Submissions to the review from carriers outlined that the exchange of information between carriers and the CIC was robust regarding the official processes required under the TSSR, but that there was a sparsity of information being shared back to industry regarding threats and emerging issues.
3.60
The Communications Alliance presented the following on behalf of its members:
The criticism that we made in our submission, and I think Optus has also put forward, was that we still feel what is missing is the specific threat sharing, so to say the secret stuff that is not forthcoming from the agencies on a very specific level between the agencies going back to the telecoms organisations as to what specific threats agencies have identified for that specific network, for specific components, so that these organisations could incorporate that into their network design. That would help them. And that could be formal or informal, but that is the component that they feel is still missing. They have not raised concerns about the engagement between the CAC and the organisation when making notifications. I think that seems to flow reasonably well. It is the specific threat sharing that is still a concern.39
…our members feel that potential improvements to the two-way exchange of risk information has been suboptimal to date.40
3.61
When questioned about the nature of the relationship experienced and the fulfilment of the type of dialogue expected from industry with the creation of the TSSR reforms, the Communications Alliance further stated:
The feedback to us from our members is that they don't feel they are enjoying the two-way street that was promised, where they provide notifications of the risks they see and the changes they propose to make to networks, and, in exchange, they get intelligence about existing or potential threats which will help them to design against those threats. They feel that it's been pretty much a one-way flow so far.41
3.62
The dialogue required between the relevant regulatory agencies, as well as relevant intelligence and national security agencies, is the goal from industry:
At the end of the day, my experience is that there should always be a free flow of information, not just from Home Affairs but from security agencies as well, where it's appropriate. Because that's just one part of the picture. Lodging a capability plan change is one thing, but having a proper dialogue—I think John Stanton seemed to be alluding to that too—information sharing is key. Home Affairs is just one part of the government puzzle. You need good information sharing and good intelligence from agencies, where there is a true threat.42
3.63
In response to expressed concern within submissions, government highlighted the existence of the Trusted Information Sharing Network (TISN) engagement platform. This platform, its members and purpose were expanded on in hearing evidence:
Under the TISN, there is a group called the Communications Sector Group, the CSG, which is jointly chaired by industry—TPG Telecom and the Australian Broadcasting Corporation, I believe. That forum has been in operation for a number of years, and it has proved to be a very valuable forum through which information can be shared.43
The other thing I would observe is that the CSG is made up of not only industry participants but also state and territory officials, and it was really useful to hear from those state and territory officials over 2020. Encouraging them to participate and provide security information would also be of benefit, I think.44
3.64
When questioned about membership and utilisation of the TISN, the Communications Alliance outlined:
We are part of the TISN communications group. At one level, yes, it does work well, in terms of sharing threats or information about COVID, or discussing ways to try and improve the coordination of regulation or discussing potential catastrophic weather events and perceived risks across multiple states. It also encompasses discussion around broadcasting. I think it is a very useful group, and the department contributes meaningfully to it, as do emergency services organisations from around the country and telecommunications players. It's some level below the sort of risk-sharing information that those companies subject to the TSSR notification requirements are looking for, in terms of the deep intelligence information about threats that are on the way or perceived to be a growing risk. So I think it's two different levels, but certainly TISN is a useful multilateral forum.45
3.65
Emerging from the identification of the all-encompassing nature of some of the threat-sharing enabled by the TISN was an acknowledgement that more regular briefings from security agencies about the threat environment would be advantageous to carriers.46
3.66
In response to questioning regarding the identified concerns from industry and the mechanisms currently being used to share threat information, the Department of Home Affairs outlined:
It's true that the one thing we haven't done is publish a detailed framework which sets out exactly what steps the security agencies would go through to assess the risk within a particular notification. In our view, that is because that would ultimately go to revealing exactly how the security agencies do their work and exactly what their concerns would be, which we don't think would be in the nation's interests to do. But we have made sure, in those administrative guidelines and in the annual report, to share as much information as we can about the sorts of threats we're seeing and the sorts of risks that we are concerned about being notified under the framework.47

Guidance materials

3.67
Administrative guidance materials are a crucial tool to support industry in complying with the regulatory requirements of the TSSR, and the CIC (now the CISC) provides fact sheets and guidance materials for C/CSPs.48
3.68
These materials were updated in early 2021; however, industry observed that, while they are useful as an indicator, more detail, potentially aligned to international standards, would be useful:
we note the recent updated guidelines from the Department of Home Affairs and we'd like to see them expanded into a more structured set of best practice guidance to provide organisations with more certainty on government expectations, which in turn aids internal planning and response processes.49

Departmental roles and delineation

3.69
The fact that multiple agencies are responsible for regulation of the telecommunications industry was raised by industry with the Committee as a potential source of confusion or replication. When questioned about this, and also regarding the potential impact of the SOCI Bill, DITRDC observed:
I might start by observing that, for the Telecommunications Act and, indeed, parts of the Competition and Consumer Act, the administrative arrangement orders make plain that they fall into the department of infrastructure's role. Likewise, the Telecommunications (Interception and Access) Act falls into the Department of Home Affairs as well as the SOCI Act. I suppose, when I reflect on the roles of the departments, as Ms Brown has indicated, it is a joint role. I would also observe that the Department of Home Affairs has a very special role to play in the administration of the Telecommunications Act, so it is the Communications Access Coordinator that receives notifications and provides advice. The Minister for Home Affairs also has a role in the enforcement of the obligations under the Telecommunications Act, and we work very closely together in terms of policy development and the operation of those provisions.50
3.70
When asked for an industry perspective, especially in relation to potential duplication of regulation under the proposed SOCI Bill, the Communications Alliance expressed a desire to continue with DITRDC for telecommunications regulation, rather than multiple regulators.51 This was reiterated in relation to the historical relationship with a discrete communications agency:
There is some preference, I think, in industry for maintaining a department-of-communications link to the way the industry operates, given the amount of knowledge and experience that that department has in regulating parts of telecommunications operations.52

Security of data and storage location

3.71
During the original Bill review enabling the TSSR, and during the Committee’s Review of the Mandatory Data Retention Regime, the issue of the location of stored data and its security status was examined.
3.72
This issue and the issue of access to data by people outside Australia was brought up by the Law Council of Australia and a small number of other submitters.53 The Law Council was not available for the public hearing for this review, but when other stakeholders were questioned about this issue and the status of the government response to the Committee’s recommendations on metadata retention, the responses were focused on security rather than location.
3.73
The CSCRC highlighted that the fact that data is stored in Australia does not make it more secure:
It's not, also, a corollary that all data in Australia is inherently more secure, because hacks can happen anywhere and clever adversaries will get into anywhere. It's certain jurisdictions where we can't compel information and we can't compel them to expunge or destroy information, and certain jurisdictions where they have an ability to reach in and read the data or can access the data themselves, that prove problematic. But it would be, perhaps, a mistake to assume that all data in Australia is automatically safe because it's magically stored here. It's not just where it's stored; it's the level of security and the layers put around that storage that's also important. It's got to be a certain data centre with a certain security classification or a certain level of security applied to it. That's the important thing. It could be stored offshore in a perfectly secure environment as well—equally as secure as Australia. The point is where it's stored is important and how it's stored.
That's why cybersecurity is critical, because, irrespective of whether it's Australia, you've to know your supply chain in Australia and how many organisations have eyeballs on the data as it goes into an Australian cloud or an Australian storage facility. Knowing cybersecurity and the supply chain is key here, and everything a telco does—just as it is with every piece of critical infrastructure or designated asset as well.54
3.74
When questioned about the status of data within Australia and requirements for security or onshore location, both Telstra and Optus indicated that this did not pose a significant issue for them and that they are ready to work with the government on any such requirements, including outstanding mandatory data retention recommendations.55

Impact of Security of Critical Infrastructure reforms

3.75
As outlined earlier in this report, and as acknowledged at the relevant points of this chapter, the proposed SOCI Bill that was introduced to Parliament in December 2020 affected a majority of the evidence to this review.
3.76
That Bill, and the Committee’s consideration of it, had a significant impact on the Committee’s ability to appropriately give reasoned consideration to the full extent of the operation, effectiveness and implications of the TSSR reforms.
3.77
Commentary regarding this potential impact was made at the relevant points of the Committee’s Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018.
3.78
The SOCI Bill and the resultant modified Act that passed in November 2021 have impacts for the telecommunications industry and C/CSPs. However, the unclear future state of that proposed regime and the legislative framework that may result out of the further work recommended by the Committee for the security of critical infrastructure framework leaves the future state of the TSSR in question.
3.79
As mentioned by the Committee in that report:
…the introduction of the SOCI Bill affected the approach and focus of evidence tendered to the TSSR review, highlighting the potential impact of the SOCI Bill on telecommunications assets, as they are to be included as part of the communications sector covered by the Bill.
While this impact did not prevent submitters and witnesses from providing evidence to the TSSR review, it did alter the focus of evidence, with submissions and witnesses highlighting potential duplication of regulation or the unknown future state of the TSSR.56
3.80
The Part 3A government assistance measures enabled by the revised SOCI Bill will apply to telecommunications assets and C/CSPs; however, the stated intention is that all the other elements of the proposed framework (yet to be reintroduced) will not be turned on unless the TSSR reforms are considered inadequate:
Similarly, for the telecommunications sector, if part 14 of the TSSR meets the need we foresee for companies to protect themselves from the threats they might face, then the Security Legislation Amendment (Critical Infrastructure) Act 2020 will just say, 'Part 14 of the telco act applies with respect to the positive security obligation.'57
3.81
On a later date the Secretary of the Department of Home Affairs provided the following evidence to a public hearing on the SOCI Bill:
The safeguards are set out in the legislation. The decision-makers have to be satisfied—they can't do it on a whim—that the tests have been met, the thresholds have been met, and they include a lack of regulatory duplication. I will give you one counterfactual straight up, because the Department of Home Affairs is the regulator under the Telecommunications Act of the TSSR scheme. In fact it is on my pen, because the act sets out the responsibilities of both the minister and the secretary. I happen to be that officer, and I can tell you, Chair, and the rest of the committee, the TSSR is inadequate for this purpose. I can absolutely assure you, because we are the regulator.58

Committee comment

3.82
As outlined above, the evidence provided to the Committee regarding the TSSR reforms has been varied, but mostly reflects a stable and maturing security regulatory framework for an essential part of Australia’s economic and societal stability.
3.83
While industry, experts and stakeholders engaged in the TSSR review process in a constructive, generous and pragmatic manner, and provided valuable insight for the Committee’s consideration, the Committee does wish to note – as it did in its report on the SOCI Bill – concerns indicated by submitters regarding the Department’s consultation process, including in relation to timeframes and overlap with concurrent engagement processes.
3.84
In considering the evidence provided, the Committee formed the view that, in many instances, the onus was on industry to carry the burden of information sharing and communication with Government – in part due to the TSSR regime’s inherent reliance on voluntary engagement. While there are certainly circumstances in which these arrangements are adequate, it is the Committee’s view that it is insufficient to rely on voluntary practices, and that dialogue, notifications, threat and information sharing between industry and Government should be formalised.
3.85
The Committee notes the next phase of the Government’s cybersecurity response for industry was not complete in time for the statutory review for both TSSR and SOCI, meaning neither could align with or be informed by an updated policy. The Committee recognises that the threat landscape is ever-shifting and that the Government indicates it is pursuing an appropriate regulatory environment in which to work with industry.
3.86
The Committee’s report on the SOCI Bill addressed in the best way possible the concerns with that Bill and the potential impact that framework would have on affected industries. However, the potential for impact for the telecommunications companies already covered by the TSSR is still an unknown factor into the future.
3.87
Noting that the government stated that it would consider the state of the TSSR when considering turning on enhanced cybersecurity obligations under the proposed SOCI Bill, the Committee considers that that will still be the case going forward into the future phases of that legislation.
3.88
Therefore, the Committee will not be recommending sweeping change to the current TSSR regime in Part 14 of the Telco Act.
3.89
Instead, the Committee makes the following comments and recommendations to build some surety into the operation of the TSSR and address some of the major inconsistencies or operational variations that have become evident.

Principles and recommendations to guide potential improvements

3.90
The Committee is conscious that the security principles introduced in the TSSR were a recognition of the potential security risks realised at the time, and as pointed out in Chapter 2, had been considered by the government and this Committee since the early 2010s.
3.91
The TSSR has operated for three years in a robust and cooperative manner and the Committee would like to see that relationship and outcome continue.
3.92
The Committee heard from C/CSPs and industry bodies that the TSSR is working to its intent in the majority of instances, with some exceptions regarding notification thresholds and formats and guidelines.
3.93
The highly regulated environment that telecommunications already operates within in Australia would suggest that its maturity does not require the full height of uplift that is intended from the security of critical infrastructure framework being put forward.
3.94
However, it is worth noting that the Telco Act is an organic piece of legislation, with artifacts from the nearly 25 years that it has been in operation. Much can change in that time, and this Committee has seen the rapidly changing nature of technology and communications and the securing, but also enabling, effect that it can have on security and security threats, even in only the last handful of years.
3.95
The regulatory concept of providers ‘doing their best’ to secure their networks in the national interest has served the Telco Act and the TSSR up until now, but the Committee cannot be assured that a reliance on industry alone to counter threats is sustainable, nor that the Telco Act as a whole can continue to uphold the security requirements for the industry.
3.96
The 5G decision shows that the government is willing to step in when a threat is overwhelmingly evident, but the fact that neither the directions nor the information gathering powers have been used since the TSSR commenced demonstrates that the relationship with industry is stable and cooperative. However, the balance of security and threat can shift dramatically, and that relationship must continue, but with the assurances that threats to the economy, supply chains and society can be countered as they emerge.
3.97
The Committee accepted this risk with the recommendations for government assistance measures to be passed in the first SOCI Bill resulting from that review. These will allow for the government to assist all critical infrastructure assets, telecommunications included, when the threat is direst, and only as a last resort.
3.98
However, the other elements of the evolving security of critical infrastructure framework that may affect telecommunications are yet to be settled, and if the Committee’s recommendations from that review are accepted and given full effect, then most of the rules enlivening those obligations and risk management elements should be designed with industry.
3.99
Therefore, the environment into which the Committee makes any recommendations is set to change.
3.100
To this end, the Committee is recommending that the Department of Infrastructure, Transport, Regional Development and Communications do an environmental analysis of the current national and international telecommunications markets and networks, in tandem with the Cyber and Infrastructure Security Centre (CISC) in the Department of Home Affairs, to identify industry best practice risk identification, management and mitigation.
3.101
This analysis can then feed into the development of industry rules and obligations within the expanded SOCI Bill to be introduced in the future, as well as identify better guidelines, support tools, and standards to be applied to project notification, assessment and development of security capability plans.
3.102
The results of the analysis should be included in the explanatory material of the further SOCI Bill to be introduced to Parliament in the future, as well as reported by the CISC on its website and included in the next TSSR Annual Report (2021-2022).

Recommendation 1

3.103
The Committee recommends that the Department of Infrastructure, Transport, Regional Development and Communications and the Cyber and Infrastructure Security Centre within the Department of Home Affairs, conduct a joint environmental analysis of current national and international telecommunications markets and networks.
This information can then be used to guide future security of critical infrastructure legislative reform related to telecommunications, as well as Telecommunications Sector Security Reform resources.
3.104
The commentary outlined earlier in this chapter regarding the obligations of C/CSPs to ‘do their best’ to ensure that obligations are met has led to some inconsistent applications of the principle to the associated notifications and interactions between industry and government.
3.105
As identified by the major carriers, their interpretation of that obligation encompasses an all-hazards approach to securing their networks, but also the assessment of a material adverse effect on that obligation.
3.106
The quantum of effect for those purposes is not defined in the Telco Act, and the current guidance states:
A material adverse effect includes any change which is likely to have an actual or measurable negative impact on the capacity of the C/NCSP to comply with the security obligation to protect networks and facilities from unauthorised access and interference.
The CAC considers that any changes to core or sensitive systems or services is likely to have a material adverse effect on the capacity of C/NCSPs to comply with their security obligation and will create a notification obligation.59
3.107
The interplay of these two elements effectively means that C/CSPs or NCSPs are open to varied application and interpretation of what satisfies an attempt to ‘do their best’ to meet a security obligation, which is affected further by an open interpretation of whether a change that is proposed may have an opaque negative effect on that obligation.
3.108
This has given rise to the informal versus formal notification process that was highlighted to the Committee, which resulted in a very different outcome regarding final notifications between Telstra and Optus.
3.109
The Committee notes that it did not receive direct evidence from the other C/CSPs, other than through the Communications Alliance, but the presumption is that this variation would exist across providers and carriers.
3.110
In order to address this inconsistency, the Committee is recommending the following measures suggested by stakeholders to help reinforce the focus of the TSSR and associated security requirements.
3.111
The Committee recommends, in line with suggestions made by DITRDC,60 that section 3 of the Telco Act be amended to include security as an objective of the Act, to ensure that the security of networks, infrastructure and ICT architecture comprising those networks is underpinned by a commitment to the security from cyber and other security threats of those networks and the other elements of telecommunications covered under the existing section 3.

Recommendation 2

3.112
The Committee recommends that section 3 of the Telecommunications Act 1997 be amended to add an object of the act ensuring the security of telecommunications networks and their architecture from cyber and other security threats.
3.113
The Committee recommends that the Government give consideration to the formation of a telecommunications security working group to discuss and agree standards that can apply to the security obligation under Part 14. This can then inform more precise and guided advice to carriers through the CISC of what constitutes best practice risk assessment and mitigation, as well as firmer guidance, including agreed examples, as to what a material adverse effect may be. This group could also be made aware of evaluation criteria currently used by the Communications Access Coordinator, to inform better resources. This working group can meet annually to review and revise advice and examples in line with current threats and trends.
3.114
This working group could also be used as a basis for any consultation required under the security of critical infrastructure framework or future legislative consultation.

Recommendation 3

3.115
The Committee recommends that the Australian Government give consideration to the establishment of a telecommunications security working group comprised of the Department of Infrastructure, Transport, Regional Development, and Communications, the Department of Home Affairs, major telecommunications carriers and carriage service providers, and the Australian Security Intelligence Organisation and the Australian Signals Directorate (when appropriate).
This working group could set agreed standards and best practice principles to inform the work of the Cyber and Infrastructure Security Centre’s advice and resources.
3.116
Related to the above recommendation, the Committee accepts the proposition set forward that a range of mechanisms already exist in the Telco Act that could be used to resolve security issues, or at least bolster the security requirements on carriers and carriage service providers. These could include the creation of carrier licence conditions, service provider rules and codes/standards under the existing provisions of Part 6 of the Telco Act.
3.117
The group to be established as a result of Recommendation 3 could be used to establish and agree to relevant codes and standards that can then be overseen by either ACMA (the current authority for that Part) or the Department of Home Affairs or the Department of Infrastructure, Transport, Regional Development, and Communications, whichever is agreed by industry representatives.
3.118
These agreed codes or standards can then inform the security obligations and notifications requirements of Part 14, and provide further indications for trigger points for the existing powers to be exercised by the Minister for Home Affairs under that Part.

Recommendation 4

3.119
The Committee recommends that the working group established as a result of Recommendation 3 be tasked with scoping agreed carrier licence conditions, service provider rules, and codes and standards for security of networks and systems. These can then be used to guide the resources to be produced by that group and inform directions or information gathering powers exercisable by the Minister for Home Affairs under the existing provisions of Part 14 of the Telecommunications Act 1997.
3.120
The Committee recognises that the utility of the Trusted Information Sharing Network (TISN) requires bolstering with a renewed focus on telecommunications security and advice from security agencies regarding ongoing and emerging threats. Noting the existence of the Communications Sector Group under the TISN, the Committee recommends that the government give consideration to either supplementing the work of the existing CSG with appropriately classified and secured briefings from ASIO and ASD regarding telecommunications threats, or the establishment of a dedicated group with appropriately cleared staff to ensure that the best available threat information can be shared.

Recommendation 5

3.121
The Committee recommends that the Australian Government give consideration to establishing a dedicated telecommunications security threat sharing forum, to enable the Australian Security Intelligence Organisation and Australian Signals Directorate to brief telecommunications stakeholders about ongoing and emerging threats to the maximum classified level possible.
This forum could be a new group established under the Trusted Information Sharing Network or could be an adjunct group to the existing Communications Sector Group already established under that network, or the working group created as a result of Recommendation 3 of this report.

Other concerns and final comment

3.122
Throughout the evidence received for this review there were a number of other concerns expressed to the Committee regarding issues such as the definition of national security, concerns regarding the security of data stored offshore, and the sharing of information for oversight purposes.
3.123
While the Committee acknowledges these concerns, given the overall successful operation of the TSSR to date, the general cooperative nature in which the TSSR operates, and that the carriers and telecommunications providers do not substantively share these concerns, the Committee will not be making any recommendations regarding these issues.
3.124
The ongoing work regarding the government’s response to the Committee’s mandatory data retention report, as outlined in the Department of Home Affairs’ supplementary submission61, as well as the shifting landscape of security of critical infrastructure legislation, lends too much uncertainty to the regulatory environment that carriers have to operate in. The Committee does not want to unduly add to this.
3.125
The Committee accepts that the security of data is more important than its location. Given that the carriers agree and stand ready to respond to mandatory data retention changes, as well as potential future SOCI Bill amendments, the Committee is satisfied that these concerns will be addressed or ameliorated with those processes.

Security of critical infrastructure futures

3.126
As outlined throughout this report, the impact of the proposed expansion of security of critical infrastructure frameworks in Australia has created uncertainty across all affected asset industries, not just telecommunications.
3.127
The Committee is acutely conscious of the effects that this agenda and the SOCI Bill had on the process and evidence of this review, and it again thanks submitters and witnesses for doing their best to address the requirements of this statutory review in that environment.
3.128
The Committee has set its proposed path forward in its advisory report on that Bill and hopes that the recommendations set out in this report give some operational improvement to this regime, as the SOCI framework continues to evolve.
3.129
This evolution will be overseen by this Committee and for this reason the Committee does not believe further review of the TSSR in isolation is warranted. When the Committee considers future SOCI Bills it will ensure potential impacts on TSSR are considered as part of those reviews. The Committee is confident that the affected entities will ensure the Committee is aware of any concerns as well.
3.130
As part of the SOCI Bill review, and as expressed by the Communications Alliance and others in this review, the industry concern regarding potential duplication between the security obligations under the TSSR and the SOCI framework is understandable.
3.131
Calls for repeal of the TSSR or deactivation of duplicated obligations are reasonable from those affected, but the Committee does not want to recommend repeal of any mechanisms that are in place and working to secure telecommunications in Australia. The importance of the sector to the nation is too strong to act in such a way without full consideration.
3.132
The Committee trusts the assertions from government that any potential SOCI obligations will only be ‘switched on’ if the existing TSSR obligations are assessed as being unsuitable. However, the Committee believes that this decision should be made in consultation with the potentially affected entities and is recommending that that occur through the working group resulting from Recommendation 3.
3.133
Additionally, the Committee is recommending that once these duplicate obligations are turned on, any existing TSSR obligations that will effectively be replaced be repealed or deactivated in the Telco Act as soon as possible afterwards.

Recommendation 6

3.134
The Committee recommends that the working group established as a result of Recommendation 3 of this report be consulted to reach an agreed position regarding any duplicated security obligations that may be activated under an amended Security of Critical Infrastructure Act 2018 before they are activated.
If agreed, and once activated, the duplicated obligations or other mechanisms in Part 14 of the Telecommunications Act 1997 should be repealed, or deactivated by relevant mechanisms, so as to avoid regulatory duplication on telecommunications entities.
3.135
The Committee is conscious of the criticality of telecommunications to the nation. The TSSR was an initial step in the direction of ensuring the national interest and national security were assured in the operations of this essential sector. While the future security of critical infrastructure framework continues to develop and mature, the Committee is confident that the recommended changes to the TSSR will enable the sector to work collaboratively with all relevant elements of government, to ensure that the foundational nature of telecommunications can continue to support Australia now and into the future.
Senator James Paterson
Chair
1 February 2022

  • 1
    A copy of the Committee’s report titled Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 can be accessed at https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/SOCI/Report
  • 2
    Department of Infrastructure, Transport, Regional Development, and Communications, Submission 9, p. 3.
  • 3
    Ms Diane Brown, First Assistant Secretary, Communications Infrastructure Division, Department of Infrastructure, Transport, Regional Development and Communications, Committee Hansard, Canberra, 20 May 2021, p. 1.
  • 4
    Ms Diane Brown, First Assistant Secretary, Communications Infrastructure Division, Department of Infrastructure, Transport, Regional Development and Communications, Committee Hansard, Canberra, 20 May 2021, p. 1.
  • 5
    Mrs Christiane Gillespie-Jones, Director Program Management, Communications Alliance, Committee Hansard, Canberra, 20 May 2021, p. 9.
  • 6
    Ms Rachael Falk, Chief Executive Officer, Cyber Security Cooperative Research Centre, Committee Hansard, Canberra, 20 May 2021, p. 14.
  • 7
    Department of Infrastructure, Transport, Regional Development, and Communications, Submission 9, pp. 3-6.
  • 8
    Ms Rachael Falk, Chief Executive Officer, Cyber Security Cooperative Research Centre, Committee Hansard, Canberra, 20 May 2021, p. 16.
  • 9
    Ms Diane Brown, First Assistant Secretary, Communications Infrastructure Division, Department of Infrastructure, Transport, Regional Development and Communications, Committee Hansard, Canberra, 20 May 2021, p. 2.
  • 10
    Department of Infrastructure, Transport, Regional Development, and Communications, Submission 9.
  • 11
    Department of Home Affairs, Submission 5, pp. 6-11.
  • 12
    Telstra, Submission 4, pp. 1-3.
  • 13
    Optus, Submission 7, pp. 1-5.
  • 14
    Optus, Submission 7, pp. 5-9.
  • 15
    Optus, Submission 7.1.
  • 16
    Huawei, Submission 6.
  • 17
    Communications Alliance, Submission 10.
  • 18
    Cyber Security Cooperative Research Centre, Submission 3, pp. 4-8.
  • 19
    Law Council of Australia, Submission 8, pp. 8-20.
  • 20
    Kaspersky, Submission 2, pp. 1-3.
  • 21
    Huawei, Submission 6, p. 3.
  • 22
    Ms Diane Brown, First Assistant Secretary, Communications Infrastructure Division, Department of Infrastructure, Transport, Regional Development and Communications, Committee Hansard, Canberra, 20 May 2021, p. 2.
  • 23
    Mr Tristan Kathage, Assistant Secretary, Telecommunications Market Policy Branch, Department of Infrastructure, Transport, Regional Development and Communications, Committee Hansard, Canberra, 20 May 2021, p. 3.
  • 24
    Ms Rachael Falk, Chief Executive Officer, Cyber Security Cooperative Research Centre, Committee Hansard, Canberra, 20 May 2021, p. 15.
  • 25
    Mr John Laughlin, Regulatory Principal, Telstra, Committee Hansard, Canberra, 20 May 2021, p. 23.
  • 26
    Mr Andrew Sheridan, Vice President, Regulatory and Public Affairs, Optus, Committee Hansard, Canberra, 20 May 2021, p. 23.
  • 27
    Mrs Jennifer Stockwell, National Cyber Security Principal, Telstra, Committee Hansard, Canberra, 20 May 2021, p. 23.
  • 28
    Mr Andrew Sheridan, Vice President, Regulatory and Public Affairs, Optus, Committee Hansard, Canberra, 20 May 2021, p. 20.
  • 29
    Mr James Toole, Government Relations Principal, Telstra, Committee Hansard, Canberra, 20 May 2021, p. 19.
  • 30
    Mr James Toole, Government Relations Principal, Telstra, Committee Hansard, Canberra, 20 May 2021, p. 20.
  • 31
    Mr John Laughlin, Regulatory Principal, Telstra, Committee Hansard, Canberra, 20 May 2021, p. 20.
  • 32
    Optus, Submission 7, p. 6.
  • 33
    Mr Andrew Sheridan, Vice President, Regulatory and Public Affairs, Optus, Committee Hansard, Canberra, 20 May 2021, p. 22.
  • 34
    Department of Home Affairs, Submission 5, p. 9.
  • 35
    Ms Rachael Falk, Chief Executive Officer, Cyber Security Cooperative Research Centre, Committee Hansard, Canberra, 20 May 2021, pp. 14-15.
  • 36
    Department of Home Affairs, Submission 5, pp. 10-11.
  • 37
    Law Council of Australia, Submission 8, pp. 8-12; Cyber Security Cooperative Research Centre, Submission 3, p. 5.
  • 38
    PJCIS, Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016, Canberra, June 2017, pp. 91-92.
  • 39
    Mrs Christiane Gillespie-Jones, Director Program Management, Communications Alliance, Committee Hansard, Canberra, 20 May 2021, p. 12.
  • 40
    Mr John Stanton, Chief Executive Officer, Communications Alliance, Committee Hansard, Canberra, 20 May 2021, p. 8.
  • 41
    Mr John Stanton, Chief Executive Officer, Communications Alliance, Committee Hansard, Canberra, 20 May 2021, p. 13.
  • 42
    Ms Rachael Falk, Chief Executive Officer, Cyber Security Cooperative Research Centre, Committee Hansard, Canberra, 20 May 2021, p. 16.
  • 43
    Mr Tristan Kathage, Assistant Secretary, Telecommunications Market Policy Branch, Department of Infrastructure, Transport, Regional Development and Communications, Committee Hansard, Canberra, 20 May 2021, p. 3.
  • 44
    Mr Tristan Kathage, Assistant Secretary, Telecommunications Market Policy Branch, Department of Infrastructure, Transport, Regional Development and Communications, Committee Hansard, Canberra, 20 May 2021, p. 3.
  • 45
    Mr John Stanton, Chief Executive Officer, Communications Alliance, Committee Hansard, Canberra, 20 May 2021, p. 13.
  • 46
    Mr Tristan Kathage, Assistant Secretary, Telecommunications Market Policy Branch, Department of Infrastructure, Transport, Regional Development and Communications, Committee Hansard, Canberra, 20 May 2021, p. 3.
  • 47
    Mr Samuel Grunhard, First Assistant Secretary, Critical Infrastructure Security, Department of Home Affairs, Committee Hansard, Canberra, 20 May 2021, p. 27.
  • 48
    Cyber and Infrastructure Security Centre, Department of Home Affairs, ‘TSS forms and resources’, available at https://www.cisc.gov.au/telecommunications-sector-security/tss-forms-and-resources
  • 49
    Mr James Toole, Government Relations Principal, Telstra, Committee Hansard, Canberra, 20 May 2021, p. 19.
  • 50
    Mr Tristan Kathage, Assistant Secretary, Telecommunications Market Policy Branch, Department of Infrastructure, Transport, Regional Development and Communications, Committee Hansard, Canberra, 20 May 2021, p. 6.
  • 51
    Mr John Stanton, Chief Executive Officer, Communications Alliance, Committee Hansard, Canberra, 20 May 2021, p. 9.
  • 52
    Mr John Stanton, Chief Executive Officer, Communications Alliance, Committee Hansard, Canberra, 20 May 2021, p. 12.
  • 53
    Law Council of Australia, Submission 8, pp. 12-13; Mr Paul Wilkins, Submission 11; Kaspersky, Submission 2, p. 3.
  • 54
    Ms Rachael Falk, Chief Executive Officer, Cyber Security Cooperative Research Centre, Committee Hansard, Canberra, 20 May 2021, p. 16.
  • 55
    Mr John Laughlin, Regulatory Principal, Telstra and Mr Andrew Sheridan, Vice President, Regulatory and Public Affairs, Optus, Committee Hansard, Canberra, 20 May 2021, p. 21.
  • 56
    PJCIS, Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, Canberra, September 2021, pp. 60-61.
  • 57
    Mr Marc Ablong, Deputy Secretary, National Resilience and Cyber Security, Department of Home Affairs, Committee Hansard, Canberra, 20 May 2021, p. 34.
  • 58
    Public hearing evidence to the PJCIS Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, Mr Michael Pezzullo AO, Secretary, Department of Home Affairs, Committee Hansard, Canberra, 29 July 2021, p. 7.
  • 59
    Department of Home Affairs, Critical Infrastructure Centre, ‘Notification Requirement’, p. 1, https://www.cisc.gov.au/help-and-support-subsite/Files/notification_requirement_factsheet.pdf, accessed 29 November 2021.
  • 60
    Department of Infrastructure, Transport, Regional Development, and Communications, Submission 9, p. 11.
  • 61
    Department of Home Affairs, Submission 5.1.
