3.1
This chapter discusses the obligations in the Bill for carriers, carriage service providers and carriage service intermediaries to protect telecommunications networks and facilities.
3.2
The Bill proposes to insert two new subsections into section 313 of the Telecommunications Act 1997 to establish an obligation for:
Carriers and carriage service providers (C/CSPs) to ‘do their best’ to protect telecommunications networks and facilities they own, operate or use from unauthorised interference or access, and
Carriage service intermediaries (intermediaries) to ‘do their best’ to protect telecommunications networks and facilities used to supply the carriage service from unauthorised interference or access.
In order to ensure:
the confidentiality of communications carried on, and of information contained on, telecommunications networks or facilities, and
the availability and integrity of telecommunications networks and facilities.
3.3
The Explanatory Memorandum explains that the purpose of the obligation is to protect the integrity, availability and confidentiality of networks and facilities from threats such as espionage, sabotage and acts of foreign interference, within the meaning of security as defined in the Australian Security Intelligence Organisation Act 1979.
3.4
The new obligation will apply universally to all C/CSPs and intermediaries, but does not specify how networks and facilities are to be secured. The Explanatory Memorandum notes that the technical solutions used by a C/CSP and intermediary will be highly dependent on the risk factors specific to each network and business delivery model.
3.5
C/CSPs will be expected to demonstrate effective control and competent supervision over the networks and facilities that are owned or operated by the C/CSP. The Explanatory Memorandum states that this is targeted at addressing vulnerabilities that can arise through equipment supply, outsourcing and offshoring arrangements. Intermediaries will not be subject to these specific requirements, and the requirement extends only to telecommunications infrastructure that is owned or operated by the carrier or provider.
3.6
The Explanatory Memorandum explains that, in practical terms, compliance with the security obligation will require C/CSPs and intermediaries to take all reasonable steps to protect networks and facilities from unauthorised interference and access. In this way, the provision acknowledges that it may not always be possible to prevent all unauthorised interference and unauthorised access, and reasonable steps will be determined taking account of the extent to which a service provider can influence security outcomes in a particular situation.
3.7
The draft administrative guidelines contain a range of information and guidance intended to assist C/CSPs and intermediaries comply with the security obligation, including:
information about key national security risks to telecommunications networks,
the key steps C/CSPs and intermediaries can take to protect networks,
information about those parts of networks that are particularly vulnerable to unauthorised interference and access,
an explanation of who the security obligation applies to,
information about what C/CSPs and intermediaries need to do to meet the security obligation,
explanations of key concepts (such as effective control and competent supervision), and
case studies to assist C/CSPs and intermediaries to assess risk and apply the framework based on scenarios to inform decision-making.
3.8
The Attorney-General’s Department and ASIO noted in their submissions that the 12 month implementation period will be used to further develop the administrative guidelines, in consultation with industry, and to ensure guidance material is appropriate.
3.9
The Committee considers the 12 month implementation period will be critical to ensuring industry has appropriate guidance in order to effectively implement the Bill. This chapter focuses on the redevelopment of the administrative guidelines and where industry considers more comprehensive guidance would be of benefit.
3.10
During the inquiry, industry raised a number of issues concerning the Bill’s application to:
networks and facilities ‘used’ by C/CSPs (but not necessarily owned or operated by them),
telecommunications infrastructure located in a foreign country,
cloud computing and cloud storage services, and
broadcasting and content service providers.
3.11
These issues are discussed in the sections following.
Application to over-the-top providers
3.12
Industry Associations raised concerns that the Bill applies only to a ‘subset of the Australian telecommunications sector’, noting that it applies to C/CSPs and intermediaries, but not to over‑the-top services. Industry suggested that, in doing so, the Bill ‘fails to adequately recognise the evolution that is occurring in the supply of services over the internet’.
3.13
Industry expressed concern that an Australia‑based C/CSP ‘simply reselling over‑the-top services faces substantial regulatory uncertainty and regulatory risk under the framework’. This concern was explained during the public hearing:
If you are providing an over-the-top service and you are reselling it as an Australian carriage service provider, you would be bound by TSSR obligations. If, as a consumer, you were to buy the same service from a non‑Australian over-the-top provider—exactly the same service just rebranded with a different Australian brand—then the obligations would not apply. So effectively and essentially it is exactly the same service that you are buying and that is being provided. It carries the same risk or no risk or whatever level of risk it carries to the Australian public. One is bound by the obligations; the other one is not. That, as such, is not a desirable outcome for competition, because it does mean the Australian providers that offer these over-the-top services are disadvantaged over other non-Australian providers.
3.14
Industry suggested that this possible regulatory imbalance could be addressed through an ‘additional risk solution’. This would make Australian carriage service providers liable on a more limited basis in respect of their use of over-the-top services and would:
… cover the additional risk that arises from reselling it as opposed to try to cover the risk that is inherent in the over-the-top service.
3.15
Industry Associations suggested amendments to section 314A concerning proposed notification requirements in the Bill (discussed in Chapter 4). Amendments could:
make explicit that a C/CSP would be required to make a notification in cases only where there is an additional risk that arises from reselling an over-the-top service, as opposed to the risk that is inherent in the over‑the‑top service itself, or
include a ‘class exemption’ to make explicit that the notification requirement would apply to the resale of over-the-top services only if the resale created additional risks to those already inherent in the over‑the-top service.
3.16
In raising these concerns, Industry Associations also acknowledged the challenge of jurisdiction with respect to regulating overseas over-the-top services.
3.17
In response to the issue raised by industry, the Attorney-General’s Department outlined that the regime as proposed is already well targeted to risk:
… we think the way the obligation is currently crafted is quite tailored at where there is risk. So there would be aspects of over-the-top services that it just does not apply to and would not create any further obligations. But where there is an aspect of the way those services operate that does create security risk to networks and facilities then there would be an obligation.
Application to networks and facilities ‘used by’ C/CSPs
3.18
Industry Associations raised concerns with a particular aspect of the security obligation. The Bill requires C/CSPs to ‘do their best’ to protect networks and facilities owned, operated and used by the C/CSP from unauthorised interference and access. The Associations sought clarity as to what the term ‘use’ may entail and what would be required of C/CSPs to protect networks they are ‘merely using’:
By way of example, what would be required of CSP A, on whose network a call is being originated (i.e. one of its customers make a phone call) and this call being terminated on CSP B’s network? Obviously, CSP A is ‘using’ CSP B’s network but has no means to protect that network from interference or access.
3.19
In response to this concern, the Attorney-General’s Department advised:
The security obligation is framed in terms of the C/CSP doing ‘its best’ to protect networks and facilities it uses in connection with its operation of telecommunications networks or facilities or its supply of carriage services. This does not impose an absolute obligation, rather it requires C/CSPs to take all reasonable steps to prevent unauthorised access and interference. The obligation to protect networks and facilities ‘used’ by a C/CSP reflects the interconnected nature of telecommunications networks and services. A C/CSP using the facilities or networks of another provider to deliver its service may give that provider access to sensitive information, such as customer billing information, or core parts of that C/CSP’s network, and the C/CSP’s staff may have access to the networks and facilities of the other provider.
C/CSPs would be expected to be capable of demonstrating that, as far as is reasonable, they have processes and arrangements in place to manage who can access systems, networks and facilities. This could include the C/CSP maintaining reasonable supervision and oversight of any access by its employees to networks or facilities it is using, or seeking assurances from another provider whose network or facilities it is using about the security applied by that other provider.
3.20
The Attorney-General’s Department expanded on the rationale for extending the security obligation to the use of a network:
The obligation for a provider to protect networks or facilities it is using is designed to reflect the interdependencies that exist within the telecommunications industry. It is characterised by quite complex service delivery models where providers typically rely on access to other providers’ infrastructure to deliver their services. That security obligation goes to those points of interconnection and access between providers.
3.21
The Attorney‑General’s Department provided the following example to illustrate the interconnectedness of the telecommunications industry and why it considers it important that the security obligation applies to networks and facilities used by C/CSPs:
An additional example we thought of to illustrate that was where an internet service provider supplies an ADSL service over Telstra's copper landline. That ISP must access Telstra’s exchange to install its own equipment to Telstra's point of interconnect for that customer. The ISP owns and operates the equipment it has installed, but it uses Telstra's exchange, point of interconnect and copper line. In that example, the ISP’s obligations extend only so far as it has access to Telstra's networks, facilities and the ability to implement controls.
3.22
The Attorney-General’s Department further noted:
The Bill already differentiates between ownership and operation of networks and facilities on the one hand, and use on the other. Subsection 313(1B) clarifies that the obligation to maintain competent supervision of, and effective control over, telecommunications networks and facilities applies to networks and facilities owned or operated by the C/CSP.
3.23
The Explanatory Memorandum notes that not all carriage service intermediaries will be able to demonstrate competent supervision and effective control. In these circumstances, it states that intermediaries would be expected to have appropriate procedural, governance and contractual arrangements in place to secure information, taking into account the extent to which an intermediary can influence security outcomes.
3.24
In a supplementary submission, Industry Associations questioned whether contracts would be a viable way for a C/CSP to meet the security obligation in relation to networks they use:
Is the Bill envisaging that C/CSPs contractually require owners of all networks that a communication may use to, in turn, do their best to protect those networks? It is important to understand that such networks may be used dynamically, on an automated basis and without prior knowledge of the C/CSP on whose network the communications originated and/or without the knowledge of the C/CSPs whose networks are being used. Consequently, Industry notes that an assumption that contractual arrangements could be used to ensure protection of networks that are being used ignores commercial and technical realities. CSPs in other jurisdictions may also not allow their national C/CSP to enter into such arrangements.
3.25
The Attorney-General’s Department noted:
The department will engage with industry to assist them to identify risks and mitigation measures. This process will provide clarity for industry on specific risks as they are identified.
3.26
Industry Associations requested clarity as to what alternative means would allow Australian C/CSPs to demonstrate compliance with the security obligation, and contested that the Bill
should only apply to networks and facilities owned or operated under an Australian carrier licence as the ability to protect networks and facilities resides with the owner operator of that network.
Application in foreign jurisdictions
3.27
The Attorney-General’s Department noted that the regulatory framework proposed in the Bill applies to all C/CSPs within the meaning of the Telecommunications Act 1997. This includes C/CSPs that have networks and facilities based in Australia, or those based overseas that are used to provide services and carry and/or store information from Australian customers.
3.28
Industry Associations raised a concern that if a company has infrastructure located in a foreign country, it may be difficult for them to demonstrate that they are meeting the security obligation if a foreign government or agency in that country is able to make access requests in accordance with the domestic laws of that country:
It is unclear how C/CSPs captured under the legislation would be able to comply with their duty to do their best to protect their infrastructure from espionage, sabotage and acts of foreign interference while simultaneously still fulfilling relevant obligations that offshore legislation may impose onto them.
3.29
Through its submission, Industry Associations asked whether having ‘additional security and access controls’ and ‘an ability to log, within Australia, any lawful access requests made to Australian systems offshore’ would be sufficient to fulfil their obligations to protect networks and facilities set out in the Bill.
3.30
In response, the Attorney-General’s Department noted:
While it may be desirable for industry to log lawful access requests made to Australian systems … imposing a statutory requirement for C/CSPs to provide Australian Government officials with details about foreign lawful telecommunications access requests may create a conflict of laws issue for the relevant industry member. Accordingly, the Bill does not require C/CSPs to retain logs of lawful access requests made to Australian systems located offshore.
3.31
Industry Associations also requested a clear description of measures that are deemed acceptable to demonstrate compliance with the security obligation, either in the legislation itself, or in the Explanatory Memorandum.
3.32
The Attorney-General’s Department noted that the appropriate mechanism for industry to gain clarity about meeting their obligation is to engage early with government in situations where C/CSPs are considering offshoring parts of their networks or facilities:
This will enable risks and potential mitigation strategies to be identified, including what mechanisms industry can put in place to demonstrate compliance.
3.33
The Attorney-General’s Department also suggested that, to provide further clarity, the administrative guidelines could also be updated with examples to illustrate how C/CSPs can demonstrate compliance with the obligation. The Attorney-General’s Department advised that
the Guidelines are more appropriate than the Explanatory Memorandum as they are a living document that can be updated from time to time as examples of how compliance can be demonstrated evolve.
Application to ‘cloud computing’
3.34
As noted above, the security obligations in the Bill require C/CSPs and intermediaries to ‘do their best’ to protect telecommunications networks and facilities they own, operate or use from unauthorised interference and unauthorised access.
3.35
The Telecommunications Act 1997 provides the following definition of the term ‘telecommunications network’:
means a system, or series of systems, that carries, or is capable of carrying, communications by means of guided and/or unguided electromagnetic energy.
3.36
The Telecommunications Act 1997 also provides the following definition of the term ‘facility’:
any part of the infrastructure of a telecommunications network, or
any line, equipment, apparatus, tower, mast, antenna, tunnel, duct, hole, pit, pole or other structure or thing used, or for use, in or in connection with a telecommunications network.
3.37
Industry Associations sought explanation as to whether the existing definition of the term ‘facility’ is intended to include cloud computing and cloud storage solutions. Industry noted that an absence of clarity could cause confusion and leave the application of the Bill open to interpretation:
… it is conceivable that the term ‘facility’ could be interpreted to encompass cloud computing and cloud storage solutions implemented by C/CSPs as any supporting equipment would appear to meet the above definition.
3.38
Industry Associations noted that application of the Bill to cloud computing and cloud storage solutions could result in a competitive disadvantage when C/CSPs are compared to suppliers of equivalent services who are not subject to the obligations set out in Bill:
… this has the potential to significantly broaden the regulatory burden that C/CSPs face under the regime and will leave them at a competitive disadvantage compared with suppliers of equivalent services that are not C/CSPs.
3.39
In response, the Attorney-General’s Department noted:
Cloud computing is a concept used to describe the ability to access information or services (stored remotely) via the internet. Cloud computing is reliant on telecommunications networks, infrastructure and facilities (terms already defined in legislation) for its operation.
C/CSPs that use or offer cloud computing services or infrastructure are required to take all reasonable steps to prevent unauthorised access and interference for the purpose of protecting the confidentiality of information stored ‘in the cloud’ and the availability and integrity of networks and services. The Administrative Guidelines reference the Australian Signals Directorate’s Information Security Advice, Cloud Computing Security Considerations, as a helpful guide for businesses wanting to know more about how to perform risk assessments of cloud computing services, and use these services securely.
Given the dynamic natures of both the telecommunications and national security environments, the Department considers the administrative guidelines to be the most appropriate place to detail examples specific to cloud computing. This can be further developed, in consultation with industry, prior to commencement.
Application to broadcasting and content service providers
3.40
Foxtel raised a concern that the scope of the Bill is broad and unclear in relation to its application to infrastructure and facilities used to supply broadcasting and content services.
3.41
Foxtel suggested that, to address this, the Explanatory Memorandum and administrative guidelines should be amended to clarify that, where infrastructure and facilities are used ‘solely or principally for the supply of broadcasting services’, they are not intended to be subject to the framework:
… Foxtel requests the Committee recommend there be further clarification in the Bill’s Explanatory Memorandum and the administrative guidelines being developed by the Attorney-General’s Department about the purpose and application of the proposed protection obligation in section 313(1A) and notification requirements in section 314(1A), in particular, to clarify that infrastructure and facilities used solely or principally for broadcasting or content services are not intended to be subject to this additional regulation.
3.42
In response, the Attorney-General’s Department noted:
The Telecommunications Act 1997 exempts a broadcaster from being treated as a CSP where the sole or principal use of its carriage service is to supply (a) broadcasting services to the public, or (b) secondary carriage service by means of the main carrier signal of a broadcaster. In these circumstances, the broadcaster is not subject to the reforms set out in the Bill.
The Department understands that Foxtel owns and operates telecommunications infrastructure that supplies communication services other than broadcasting. Where a broadcaster owns, operates or uses telecommunications networks and facilities and is not exempted, the broadcaster is required to meet the security obligation set out in the Bill. This is appropriate as the aim of the reforms is to protect telecommunications networks and facilities. The Department notes that only C/NCSPs are subject to the notification requirements.
Committee comment
3.43
The Committee notes that the proposed security obligation is targeted at protecting telecommunications infrastructure, rather than the services that run over them. The Committee also notes that the security obligation is intended to capture the interdependencies that exist within the telecommunications industry, ensuring that the points of interconnection and access between providers are adequately covered by the security obligation.
3.44
In addition, the Committee notes that the security obligation is framed in such a way as to avoid imposing an absolute obligation on industry. Instead C/CSPs would be required to ‘do their best’ to protect telecommunications infrastructure from unauthorised interference and unauthorised access.
3.45
While it is useful for the security obligation to be framed in this way, the Committee agrees that this approach created some uncertainty for industry.
3.46
Throughout this chapter, the Committee has identified a range of areas where industry requires further clarity. The Committee notes that the administrative guidelines are intended to assist industry to comply with the provisions of the Bill. However, a number of issues and circumstances are not adequately detailed in the current version of the guidelines.
3.47
Specifically, the Committee recommends that the administrative guidelines be revised to provide clarity to industry on how it can demonstrate compliance with the security obligation with respect to:
circumstances where a company is providing or reselling an over‑the‑top service:
the Committee does not consider the proposed security obligation to be unnecessarily onerous in relation to over-the-top services, particularly given the strong existing commercial interest in protecting networks and facilities. However, the Committee recommends more detail be set out in the guidelines to identify additional measures that C/CSPs who provide over‑the‑top services may be expected to put in place, similarly in relation to a C/CSP’s decision to provide or resell an over‑the‑top service.
circumstances where networks are used (but not necessarily owned or operated) by a C/CSP:
the Committee notes that the Bill already distinguishes, in subsection 313(1B), between the ownership and operation of networks and facilities, and their use.
the Committee recommends that the guidelines identify what mechanisms can be put in place to demonstrate compliance in circumstances where networks are used by a C/CSP, and how these might differ to the mechanisms likely to be put in place to protect infrastructure that is owned or operated by a C/CSP. Similarly, guidance should be provided for situations in which an Australian C/CSP is using networks and facilities in another country.
protecting networks and facilities when part of a C/CSP’s infrastructure is located in a foreign country:
the Committee recommends that the guidelines provide information to clarify how appropriate supervision and control can be achieved by C/CSPs to protect networks and facilities located offshore, including examples when possible.
circumstances where a C/CSP provides cloud computing and cloud storage solutions:
the Committee recommends that the guidelines provide more detailed examples of how C/CSPs can demonstrate compliance with the security obligation with respect to cloud computing and cloud storage solutions.
3.48
The Committee does not consider that the security obligation is likely to place C/CSPs that provide cloud services or over‑the‑top services at a competitive disadvantage. However, the Committee considers that possible regulatory imbalance or impacts on competition should be examined as part of a review of the reforms. The Committee considers this further in Chapter 6.
3.49
The Committee recommends that the administrative guidelines to the Telecommunications and Other Legislation Amendment Bill 2016 be revised to provide comprehensive information, clarity and certainty to industry in a greater range of circumstances. In particular, the revised administrative guidelines should provide further clarity regarding a company’s security obligation in circumstances where:
a company is providing or reselling an over‑the‑top service,
telecommunications infrastructure is used (but not necessarily owned or operated) by the company,
a company’s infrastructure is located in a foreign country, and used to provide services and carry and/or store information from Australian customers, and
a company provides cloud computing and cloud storage solutions.
The Committee considers that inclusion of this additional information should be finalised prior to the conclusion of the 12 month implementation period.
3.50
The Committee notes that there is some uncertainty within industry about whether it is intended that the reforms apply to broadcasting and content services.
3.51
The Committee notes the Attorney-General’s Department’s advice that, in accordance with the Telecommunications Act 1997, a broadcaster is exempt from being treated as a carriage service provider where the sole or principal use of its carriage service is to supply broadcasting services.
3.52
The Committee considers that the Bill should be amended to make it clear that it does not apply to any broadcaster who is exempt from being treated as a carriage service provider under the Telecommunications Act 1997.
3.53
The Committee recommends the Telecommunications and Other Legislation Amendment Bill 2016 be amended to clarify that, in circumstances where a broadcaster is exempt from being treated as a carriage service provider under the Telecommunications Act 1997, they are also not intended to be subject to the obligations set out in the Bill.