Rationale for the Bill
2.1
The stated objective of the Bill is to introduce a regulatory framework to manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities.
2.2
The Regulation Impact Statement (RIS) argues that ‘Australia’s national security, economic stability, prosperity and social wellbeing are increasingly dependent on telecommunications networks and infrastructure that connect us to the internet’. In its submission, the Attorney‑General’s Department noted that:
Underpinning our use of the internet and telephony services is our telecommunications infrastructure, which carries and stores significant amounts of government, business and individual’s information and communications. Much of the information held on and carried over telecommunications networks and facilities can be sensitive. This includes not only the content of communications but also customer billing and management systems and lawful interception systems which, if unlawfully accessed, can reveal the location of persons or sensitive law enforcement operations.
2.3
As stated in the Explanatory Memorandum, telecommunications networks, systems and facilities are critical infrastructure and vital to the delivery and support of other critical infrastructure and services such as power, water and health. The telecommunications sector also forms the backbone of other critical infrastructure sectors such as energy, banking and finance. A serious compromise of the telecommunications sector ‘would have a cascading effect on other critical infrastructure sectors and significantly impact the Australian economy’.
2.4
In its submission to the inquiry, the Attorney-General’s Department explained that:
The information contained within the networks and the connection to other critical infrastructure sectors make telecommunications networks and facilities a key target for espionage, sabotage and foreign interference activity. Advances in technology and communications have increased vulnerabilities, including the ability to disrupt, destroy or alter telecommunications networks and associated critical infrastructure, as well as the information held on these networks. Risks to the availability, confidentiality and integrity of our national telecommunications infrastructure can come from hardware vulnerabilities, misconfiguration, hacking and trusted insiders.
The threat of cyber intrusions into critical telecommunications is increasing. Foreign states, as well as malicious individuals or groups, are able to use computer networks to view or siphon sensitive, private or classified information for the purpose of political, diplomatic or commercial advantage.
2.5
A key source of vulnerability for telecommunications networks and systems lies in the supply of equipment, services and support arrangements. Business models ‘now commonly rely on outsourcing and offshoring’, with global suppliers of equipment and managed services located in and operating from foreign countries. While such practices are ‘essential for business to remain competitive’, they mean that access to information and systems is granted to organisations and individuals beyond a business’s control.
2.6
Similarly, the Explanatory Memorandum notes that Australian telecommunications networks
rely on global suppliers of equipment and managed services which are often located in, and operate from, foreign countries. This can create challenges implementing controls to mitigate personnel, physical and information and communications technology (ICT) security risks in some locations and therefore make networks and facilities more vulnerable to unauthorised access and interference.
2.7
In its submission, the Australian Security Intelligence Organisation (ASIO) outlined the need for an effective regime to manage threats to national security within the telecommunications sector, arguing that
the critical vulnerabilities created within the telecommunications sector brought about by foreign involvement in outsourcing, offshoring, and supply chain can be better managed by establishing a formal and comprehensive program, amending the Telecommunications Act 1997 and related legislation, and establishing administrative arrangements to assist telecommunications providers to identify and mitigate potential security risks.
2.8
ASIO stated that it considered a risk-based, principles-based approach, rather than a prescriptive approach, necessary to ‘accommodate the ever evolving threat environment, accelerated pace of technology change, and the reality that every provider’s network and business model is different’.
2.9
The proposed regulatory framework is intended to formalise and strengthen the existing industry-government engagement and information sharing practices. The Attorney‑General’s Department noted that the existing framework for addressing national security risks ‘relies on voluntary cooperation and the goodwill of C/CSPs’. However, this arrangement
is not sufficient in an environment where there are large numbers of carriers and service providers who are able to interact globally and whose commercial interests are not always aligned with Australia’s national security needs.
2.10
The Explanatory Memorandum states that security agencies currently do not have adequate ‘levers’, except in the most extreme circumstances, to engage with those companies that do not engage on a voluntary basis. Where security risks are identified and agreement cannot be reached, the only legislative option presently available to the Government is the power to cease a service under subsection 581(3) of the Telecommunications Act 1997. However,
[c]easing a service under this provision is a tool of last resort, given the detrimental effect ceasing a service would have on both a C/CSP and on the community. The power has never been used.
2.11
The limitations of subsection 581(3) are addressed in the RIS:
To date, national security risks to telecommunications networks and facilities have been managed through cooperative relationships with the highest risk C/CSPs, relying on their goodwill to implement security advice. Security agencies rely on the power in section 581(3) as a basis for engagement and encouraging cooperation. This approach is risky for numerous reasons and involves often lengthy and costly engagement (for both Government and industry) on a case by case basis. While section 581(3) provides an ultimate mechanism to address national security risks, there would be wide reaching and significant impacts on the market and the community. This calls into question whether it could be used. Security agencies’ concern that the current framework is ineffective and inefficient to manage the national security threat to telecommunications infrastructure necessitates consideration of improvements to the current framework.
2.12
The Explanatory Memorandum states that, ‘while a more formal relationship between Government and industry is considered necessary to ensure appropriate management of national security risks, the regulatory objective of the Bill is to achieve national security outcomes on a cooperative basis rather than through the formal exercise of regulatory powers’. For this reason, a risk-informed approach is proposed that requires all C/CSPs to take into account a broader range of security risk factors when making investment decisions. It is suggested that this approach will ensure that responsibility for managing these risks is more equitably distributed across the industry, as what is required of a C/CSP to comply with the security obligation will depend heavily on the risk profile of the provider. The Attorney‑General’s Department also noted that ‘not all data, parts of networks or business operating models necessarily give rise to national security concerns’.
2.13
Further, the framework is intended to ‘provide industry with greater certainty about what is expected of them to protect national security interests and encourage greater consistency, transparency and accountability’.
2.14
The Attorney-General’s Department stated that the information-gathering powers and notification requirements in the Bill will provide the Government with increased visibility of how data (including retained telecommunications data) is being protected by telecommunications service providers. This includes, for example, whether data is being stored onshore or offshore. ASIO described mandatory notification of certain high-risk outsourcing, offshoring and supply chain activities as ‘a fundamental element of the proposed solution’ and argued that without mandatory notification
Government has no visibility of the risks that may be created by certain investment or business decisions that extend well beyond the company itself.
2.15
Representatives of the Attorney-General’s Department told the Committee that the Bill will address this issue, as
early engagement will enable agencies to assess risks, share information with industry about risks and cooperate on appropriate mitigation strategies.
2.16
The Explanatory Memorandum notes that the reforms are intended to complement the data retention regime by improving the security of networks as a whole, thereby providing an additional layer of protection for retained data, as well as other information.
2.17
This relationship between the telecommunications sector security reforms outlined in the Bill, and the mandatory data retention regime, was explained in a previous submission from the Attorney-General’s Department to the (then) Committee’s inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014:
TSSR is designed to ensure the security and integrity of Australia’s telecommunication infrastructure by encouraging ongoing awareness and responsibility for network security by the telecommunications industry, and will extend to provide better protection of information held by industry in accordance with data retention obligations.
Industry views on the objectives and design of the Bill
2.18
While industry bodies and associations expressed support for the stated objectives of the Bill, concerns remained about specific aspects of the proposed telecommunications sector security reforms. These specific concerns are addressed in more detail in the following chapters. More generally, Mr John Stanton, Chief Executive Officer of the Communications Alliance, told the Committee:
… there is absolutely no difference of view between industry, the Attorney‑General’s Department and agencies about the desirability of achieving the stated objectives of this legislation. The industry does recognise that the infrastructure they operate is critical and that there is an ever-present risk of cyberattacks, sabotage, espionage and other activities that need to be guarded against … we remain concerned that the legislation, while the objectives are sound, is disproportionate and represents overreach.
2.19
Similarly, David Epstein from Optus stated that:
… we have formed the view that it is desirable to move to a more structured scheme to ensure that the benefits and responsibilities are proportionately shared across the industry for competitive and equity reasons, and also clearly for national security and law enforcement reasons … I want to emphasise that our caution arises more from the challenge of correctly calibrating the practical design of a TSSR framework and the downside risks of incorrectly calibrated arrangements rather than any fundamental concern with the principle or intent behind what is proposed.
2.20
With respect to existing security arrangements, industry representatives noted that they take seriously security risks to their networks and facilities. Mr John Stanton of the Communications Alliance told the Committee that:
… industry has an extremely strong incentive to guard against those risks. The notion of having a network that is in any way compromised, or even perceived to be compromised, is a sure path to commercial demise, and that is why industry makes such major investments in trying to protect against those risks and cooperates so comprehensively with the Government and agencies.
2.21
In terms of the proposed regime, a joint submission from four industry associations—Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association and Communications Alliance—argued that the Bill:
is onerous in terms of regulatory overhead and compliance risk,
does not assist the responsiveness of C/CSPs and the wider ICT industry to emergent cyber threats,
is excessive in its focus on service and equipment introductory risks, noting that in practice, cyber threats may only emerge, or become known, after introduction/deployment, and
establishes a set of obligations for industry without placing an equivalent obligation on the Attorney-General’s Department to work collaboratively and proactively with industry to identify, communicate and respond to threats.
2.22
The Industry Associations considered that the fundamental question ‘of what specific failing and/or weaknesses the Government is seeking to address’ remains unanswered and submitted that further adjustment of the proposed reforms is required.
2.23
Similarly, Macquarie Telecom Group, while commending amendments to the exposure drafts of the Bill, stated that it considered:
… the draft legislation still provides for unjustifiably intrusive powers for Government to intervene in telecommunications infrastructure without adequate consultation or protections for industry.
2.24
Macquarie Telecom Group summarised its concerns that:
the purpose of the reforms remains unclear,
the compliance requirements are onerous and will hamper the ability to respond to cyber threats,
there is no protocol for briefing carriers about specific threats identified by the Government,
there are significant areas of vague drafting leading to uncertainty,
the legislation does not exclude or limit the requirement for carriers or carriage service providers to retrofit or remove existing facilities, exposing industry to the risk that networks might need to be rebuilt at significant cost,
any information provided to government must itself be adequately protected within government for both commercial-in-confidence business and security purposes, and
the data should be retained in Australia to ensure that it is adequately protected and accessible and subject to the Government’s jurisdiction.
2.25
Optus also identified issues it considered could be ‘better addressed in the Bill’, including:
greater certainty about notification requirements,
inclusion of a formal, ongoing consultative mechanism for information sharing between government and industry, and
greater clarity around accountability mechanisms, including the regulatory role of the Attorney-General’s Department and Communications Access Co-ordinator (CAC).
2.26
The Attorney-General’s Department stated that it does not consider the telecommunications sector security reforms to be a significant departure from the way government and industry currently work together and that many of the issues raised by industry can be addressed through ongoing collaboration and communication with industry.
The regulatory approach
2.27
When the Committee considered the issue of telecommunications security in its 2012–13 inquiry into potential reforms of Australia’s national security legislation, witnesses provided a wide range of views about how best to manage national security concerns in the telecommunications sector.
2.28
This included a proposal that industry‑led self‑regulation would be a more proportionate alternative to regulatory intervention. A similar proposal was put forward by the Industry Associations during this inquiry on the basis that
… traditional ‘command-and-control’ regulatory frameworks will not be agile enough to meet this 21st century challenge … industry-developed frameworks are likely to be significantly more flexible with regards to the frequent adaptations required to keep up with technological progress and market changes.
2.29
In 2013, the Committee’s rationale for recommending the introduction of an industry-wide obligation to protect telecommunications included recognition of the potential for misalignment of commercial interests with the national interest. The Committee considered that, in certain circumstances, it may be necessary to encourage service providers to engage with government and even to accept or act on particular advice. The Committee also noted that there ‘cannot be an effective and equitable security regime without enforcement mechanisms’.
2.30
The RIS sets out the need for telecommunications sector security reform and the options for implementing that reform. It states that the objective was to develop a framework that had regard to industry preferences and would:
provide a level playing field for all industry players and not disproportionately burden some companies over their competitors,
provide certainty, clarity and flexibility to assist with commercial decision-making, including to meet broader operational and commercial requirements in the context of global links,
allow greater sharing of security information between government and industry, and
give consideration to the regulatory impacts on both C/CSPs’ operations and customers.
2.31
The RIS details four options which were considered:
Option 1 – Retaining the status quo,
Option 2 – Industry Code (Quasi/Co-regulation),
Option 3 – Amending existing legislation to introduce a security framework, and
Option 4 – Amending existing legislation to introduce a security framework and require annual investment plans.
2.32
The RIS outlines a number of arguments why government intervention is considered necessary to enhance the current framework for managing telecommunications national security risks. These arguments include national security grounds, and the inefficiencies and ineffectiveness of the existing regulation.
2.33
The RIS concludes that Option 3, amending existing legislation to introduce a security framework, is the preferred option:
Of the four options considered, Option 3 is considered to meet the Government’s policy objective of a more efficient and effective mechanism for the management of national security risks to the telecommunications sector through collaboration between Government and industry.
2.34
In arriving at this conclusion the RIS examines a range of risks associated with each option.
2.35
The RIS identifies that while Option 1, maintaining the status quo, would not increase any regulatory burden on industry, it is ‘inherently risky’ to rely on cooperation and goodwill to achieve national security outcomes. Further, there would be potentially larger overall costs to industry to manage national security risks and these would be likely to be borne by the top tier carriers. Also, security agencies would continue to have low visibility of risks across the sector. Finally, negotiations to achieve national security outcomes would continue to be protracted, costly and time consuming for industry and government, and C/CSPs would not have a clear mandate to assist their Boards to balance national security risks against competitive and commercial interests.
2.36
The RIS considers that while Option 2, developing an Industry Code, would provide greater clarity around government’s national security management expectations, the benefits would not be sufficient when balanced with the effort required by industry to develop and register the Code, and the risks that enforcement mechanisms would not be effective. The RIS identifies that:
A Code is likely to take at least two years to develop, requiring investment of resources, time and money from Government and industry and may not satisfy registration requirements and remain unenforceable.
A Code may not be able to provide enforceable rules to achieve national security outcomes (assuming the existing restrictions in section 115 were engaged).
The enforcement mechanisms do not provide for a quick and targeted resolution of non‑compliance. In particular the direction power is linked to compliance with particular Code provisions which may not adequately target action to address the particular security risk.
Codes are usually appropriate for the protection of community safeguards where these can be appropriately balanced against C/CSPs’ business objectives and autonomy. National security objectives may require C/CSPs to put security interests above commercial interests—this would not meet the stated intention of the industry Code framework under Part 6.
2.37
Option 4 includes the security framework of Option 3, together with a requirement to produce annual Investment Plans. The RIS notes the potential duplication with existing legislative obligations under the Telecommunications (Interception and Access) Act 1979 and concludes that ‘[t]here are little additional benefits to be gained from a national security management perspective when balanced with the regulatory burden placed on industry to produce these plans’.
International approaches
2.38
The Attorney-General’s Department noted that other countries are increasingly taking action to manage the security risks associated with telecommunications infrastructure and supply chains, to secure networks and facilities, and to enhance information sharing between government and industry. While approaches differ, they include:
broad security obligations to protect the security and resilience of networks (sometimes coupled with a requirement for independent verification that systems meet requirements),
data breach notification regimes,
information‑gathering powers,
enforcement mechanisms, and
restricting certain suppliers from the market, or limiting certain suppliers to providing limited services (outside of core or sensitive parts of networks).
2.39
The Attorney‑General’s Department advised that the ‘United States, United Kingdom, Canada, New Zealand and the European Parliament have enacted legislative frameworks to address cyber security in the telecommunications sector and encourage information sharing’.
2.40
The RIS makes comparisons with action taken by the governments of the United States, United Kingdom, New Zealand, India, Taiwan and Singapore to manage national security risks to telecommunications infrastructure.
United States: The Cybersecurity Information Sharing Act 2015 provides a framework for the sharing of cyber threat information between private industry and government. The Act requires the Director of National Intelligence and the Departments of Homeland Security, Defence and Justice to develop procedures to share cybersecurity threat information with private entities. In addition, as an outcome of Executive Order 13636 Improving Critical Infrastructure Cybersecurity, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework was released in 2014. The Framework is ‘a risk-based voluntary approach leveraging existing industry standards and complementing existing cybersecurity practices’, supported by the Cybersecurity Enhancement Act 2014. The US was one of the first countries to restrict particular telecommunications companies from its telecommunications sector due to national security concerns.
United Kingdom: Measures to address cyber security are included in the UK Government’s Cyber Security Strategy. The UK has, with industry, developed a set of voluntary cyber security standards that underpin the Government’s Cyber Essentials scheme—a cybersecurity assurance certification program for small and large businesses. All suppliers tendering for certain contracts handling personal and sensitive information must be Cyber Essentials certified. The UK has also established the Cyber Security Information Sharing Partnership, which facilitates the exchange of information between industry and the UK Government on cyber threats.
New Zealand: The Telecommunications (Interception Capability and Security) Act 2013 established a network security compliance regime that places specific obligations on network providers to engage with the NZ Government on network security, including:
requiring network providers to engage in good faith and notify the NZ Government Communications Security Bureau (GCSB) of proposed decisions, actions or changes made in areas of specified security interest (any procurement, or change to architecture or ownership/control of network operations centres, equipment and information), and
requiring network operators to create a proposal to prevent or sufficiently mitigate a security risk identified by GCSB and, following GCSB assessment, implement it.
A pecuniary penalty up to $500 000 exists for ‘serious’ non‑compliance with a duty. The High Court may impose a further penalty of $50 000 each day or part of a day if the contravention continues.
India: Measures to protect national security are stipulated in licensing agreements with service providers that focus on ‘end-to-end security standards’ and trade restrictions that, for example, require certain items to be sourced from a list of ‘domestic manufacturer’ status companies.
Taiwan: Prohibitions exist on procuring telecom equipment from particular companies.
Singapore: 2013 amendments to the Computer Misuse Act strengthen Singapore’s ability to protect critical information infrastructure. A ministerial direction can require ‘any specified person or organisation to take measures or comply with requirements necessary to prevent, detect or counter any threats to ICT’.
2.42
In their joint submission, the Industry Associations advocated for the more collaborative approaches taken in the United States, United Kingdom and Canada, arguing that, in comparison to other relevant jurisdictions, the proposed legislation ‘is out of step and overreaching’.
2.43
The Attorney‑General’s Department stated in response:
International voluntary compliance frameworks, such as those outlined in the joint submission of the Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association and Communications Alliance, are often cyber security focused and outline voluntary procedures for sharing cyber threat information. … Australia has voluntary information sharing forums in place which focus on cyber security generally. The proposed framework extends beyond general cyber security to enable the protection of Australia’s critical infrastructure from specific national security risks. Formalising the existing and emerging relationships with the telecommunications industry will enable government to identify where security risks are and enable engagement at the earliest possible time.
Committee comment
2.44
As indicated in Chapter 1, the Bill responds to Committee recommendations made during previous Parliamentary inquiries. There has been extensive consultation with industry during the development of the Bill.
2.45
The Committee considers that protecting telecommunications infrastructure is an important component in ensuring Australia’s broader national security, and so supports the rationale for the Bill. The Committee notes that the Bill aims to improve the security of Australia’s telecommunications infrastructure by:
providing a proportionate and escalating framework for addressing national security risks,
strengthening existing arrangements, including information sharing between government and industry,
providing increased visibility to government of national security risks, and
providing greater certainty for industry about government expectations with respect to protecting networks and facilities from unauthorised interference and unauthorised access.
2.46
The Committee notes that industry supports the general intent of the Bill, although industry has expressed concerns about some aspects of the Bill and the manner in which these will be implemented (discussed in other chapters of this report).
2.47
In developing the framework proposed, international regimes were considered. The Bill incorporates elements from some of these regimes, such as notification requirements that will allow government greater visibility of the risks that may be created by certain investment or business decisions. The Committee supports the RIS conclusion that the more onerous approach of requiring industry to submit annual Investment Plans (such as those required under the New Zealand legislation) would be of little additional benefit to national security.
2.48
The Committee notes that, while consideration was given to maintaining the status quo or to developing an Industry Code, a legislative framework was considered the most effective approach.
2.49
The Committee supports a legislative framework approach which establishes the security of Australia’s telecommunications infrastructure as a joint responsibility between government and industry. The framework proposed provides a sound structure for government and industry to work collaboratively and share critical information. It continues to allow industry to make its own commercial decisions within the risk assessment framework and with access to security advice. Where necessary, there exists the option for enforcement in order to ensure the protection of telecommunications infrastructure.
2.50
The Committee is satisfied that the legislative framework approach proposed in the Bill is the most appropriate mechanism to ensure the security of Australia’s telecommunications infrastructure. The following chapters will address in more detail the specific provisions of the Bill and particular issues raised.