4.1
This chapter discusses the Bill’s requirement for companies to give notification of any changes that are proposed to a telecommunications service or telecommunications system that are likely to impact their ability to comply with the security obligation discussed in Chapter 3 of this report.
4.2
The Bill provides an option for companies to provide either individual notifications or an annual security capability plan, depending on the method that better suits their business model and approach to security management.
Individual notifications
4.3
Proposed section 314A of the Telecommunications Act 1997 will oblige carriers and nominated carriage service providers (C/NCSPs) to notify the Communications Access Co-ordinator (CAC) of planned changes to telecommunications services or systems which the C/NCSP has become aware are likely to have a ‘material adverse effect’ on its capacity to meet its security obligation under the proposed new subsections 313(1A) and (2A)—to protect telecommunications networks and facilities from unauthorised access and interference.
4.4
Proposed section 314A is modelled on the existing notification requirement in section 202B of the Telecommunications (Interception and Access) Act 1979, which requires C/NCSPs to notify the CAC of planned changes to telecommunications systems and services which are likely to have a material adverse effect on the ability of the C/NCSP to meet its obligations under the Telecommunications (Interception and Access) Act 1979, or section 313 of the Telecommunications Act 1997.
4.5
The Explanatory Memorandum states that the notification requirement is one method of formalising information sharing between C/NCSPs and the Government, and it will be triggered at the time of planning proposed changes to networks and services, rather than following implementation.
4.6
The Explanatory Memorandum also notes that it is ‘in the C/NCSP’s best interests to notify of a proposed change as early as possible in the design and planning stage [of a procurement or project] and prior to finalising arrangements to implement the change’. This is because
early engagement with Government during the planning and design stage of changes to networks may help the C/NCSPs to mitigate security risks in the most cost-effective manner. Further, notification early in the procurement process can avoid unnecessary delay in the progress of procurements and minimise costs associated if procurement plans need to be modified to address security concerns.
4.7
Proposed section 314B will require the CAC to either request further information or respond to the individual notification within 30 days of being notified. If, upon considering a change that is proposed in a notification, the CAC is satisfied that there is a risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities that would be prejudicial to security, the CAC must give written notice to the C/NCSP:
advising the carrier or provider of that risk, and
setting out the duty imposed by proposed subsections 313(1A) or (2A) (the security obligation), and
setting out the consequences for the carrier or provider for not complying with that duty.
4.8
The CAC’s response may also set out the measures the CAC considers the carrier or provider could adopt to eliminate or reduce the identified risk.
Security capability plans
4.9
The submission of a security capability plan, as provided for in proposed section 314C, would be in lieu of individual notifications and provides a mechanism for a C/NCSP to notify multiple (or all) proposed changes to systems and services within a defined period. The option to provide a security capability plan was included in the Bill as a result of a suggestion from industry during earlier stages of consultation on the draft Bill.
4.10
The Explanatory Memorandum notes the following benefits of submitting a security capability plan:
The benefits of submitting a security capability plan include facilitating more holistic engagement with security agencies on investment planning and decision-making, and assisting security agencies to understand more comprehensively the C/NCSP’s arrangements with suppliers and its service delivery model for operating and managing key components of its network and service. For this reason, a security capability plan may also outline the C/NCSP’s general approach to managing risks of espionage, sabotage, disruption and interference and what measures or mitigation it proposes to apply to each proposed change …
4.11
As with individual notifications, proposed section 314D would require the CAC to respond to the C/NCSP with either a request for more information; advice about security-related risks that are considered to be associated with the change/s proposed in the plan; or a notification that there is not considered to be a security-related risk. If a risk is identified, the CAC must advise the C/NCSP of its duty to protect networks and facilities under proposed subsections 313(1A) or (2A) of the Telecommunications Act 1997, and also advise it of the consequences of not complying with that duty. The timeframe for the CAC to respond to a security capability plan is 60 days from the plan being provided.
Exemptions
4.12
The Bill contains a provision enabling the CAC to exempt a C/NCSP from the operation of the notification requirement. The Explanatory Memorandum notes that:
there is no application process for C/NCSPs – instead, the CAC will decide if and when to grant any exemption and write to the affected C/NCSP advising of the decision to grant the exemption.
4.13
The Explanatory Memorandum notes that the exemption could be a ‘complete exemption’ from the notification requirement, or a ‘partial exemption’. For example, a partial exemption could be provided in relation to certain categories of changes, or in respect of particular parts of the C/NCSP’s business.
4.14
The Explanatory Memorandum further notes that the CAC’s decision to grant a full or partial exemption will be based on advice from ASIO that takes into account the security risk profile of the company, and that a company’s risk profile will be determined by a range of factors, such as:
percentage of market share,
sensitivity of customer base, and
criticality of the network.
Access of industry to threat information
4.15
Industry Associations raised concerns that
there is no obligation established in the legislation for the Attorney‑General’s Department to work cooperatively and proactively with industry in identifying and communicating and responding to threats and attacks …
4.16
Macquarie Telecom Group also noted that ‘there is no protocol for briefing carriers about specific threats identified by the Government’.
4.17
Optus similarly noted that there would be challenges with the proposed decision-making threshold for notifications, as industry may not be aware of specific threat and risk information. In its supplementary submission, Optus suggested
that the Attorney-General’s Department should establish regular briefings for industry which have the designated purpose of providing a forum for the exchange of information which has been tailored to be specifically relevant to the administration and decision-making required by both carriers and the Department under the TSSR scheme.
4.18
In its supplementary submission, Optus further outlined the extent of its investment program over the past 10 years, and the need for certainty and early access to reliable decision-making information:
It should also be noted that Optus has run an annual investment program in its networks and business operations of well over $1 billion for each of the last ten years. With investments of this magnitude, great weight is given to business certainty and early access to reliable decision-making information.
4.19
Optus also provided a number of examples of the sorts of information telecommunications providers would benefit from having access to, noting that this sort of information is usually only available from government and security intelligence sources:
For example, whether a specific piece of network equipment has a design flaw or a backdoor which allows unauthorised access, whether a particular vendor or applications maintenance support provider has a flawed security record, whether certain unlegislated activities by agencies in foreign jurisdictions create an unacceptable risk for certain functions to be undertaken in that geographic location.
4.20
The Attorney-General’s Department noted in its submission that it
agrees with the submissions of the Australian Industry Association and Optus in that effective communication between Government and industry will be critical to the success of these reforms.
4.21
The Attorney-General’s Department also outlined how it intends to work with industry during the 12 month implementation period:
The newly established multi-agency Critical Infrastructure Centre, housed in the Attorney-General’s Department (Department), will work with industry on implementation of the reforms. The Centre was established in response to the complex and evolving national security risks to critical infrastructure, and recognises that appropriate risk mitigation strategies are best developed in partnership with businesses. The Centre brings together expertise and capability from across the Australian Government, including the Australian Security Intelligence Organisation (ASIO) and the Department of Communications and the Arts, into a single location to enable more active engagement with industry to better manage the national security risks to Australia’s critical infrastructure.
The Centre will work with industry during the 12 month implementation period to ensure guidance material, including the administrative guidelines, provides industry with the information it needs to implement the reforms. The Centre intends to use existing fora, such as the Communications Sector Group of the Trusted Information Sharing Network for Critical Infrastructure Resilience and other fora, to reach out to industry for this purpose. This group engagement will take place in parallel with bilateral engagement with carriers and carriage service providers (C/CSPs), which will continue throughout the implementation period.
4.22
At a public hearing, the Attorney-General’s Department noted that, under present arrangements, the Department engages with security-cleared personnel from within industry (particularly within bigger companies). In situations where this is not possible, the Department noted that it finds alternative ways to share information with industry about security risks. The Department noted this could be achieved, for example, by providing information at a lower security classification level, or by obtaining permission to relay more information to industry:
We will put out as much information more broadly across industry as possible. In some instances where we are aware of a specific foreign involvement risk or a company, we would then engage more on a bilateral, confidential basis.
4.23
The Department indicated that there are between 20 and 50 individuals within industry who currently hold appropriate security clearances.
4.24
In relation to ensuring government understands the complexity of regulation in industry, the Committee asked whether the Attorney-General’s Department seconds people to industry. The Department noted that it was hoping to undertake more secondments and that this is likely to form part of the agenda for an upcoming strategic dialogue with the telecommunications sector. At this dialogue, the Department advised that it would be discussing with industry opportunities to join the Critical Infrastructure Centre, and it is ‘very open to’ also placing Departmental staff in telecommunications companies.
4.25
The Attorney-General’s Department added that the mechanism for engagement will depend on the nature of the threat, and that there would be ‘risks in the workability’ should an engagement obligation be enshrined in the Bill itself.
Committee comment
4.26
The Committee agrees with inquiry participants that the success of the proposed telecommunications sector security reforms will be dependent on:
the regular flow of practical and timely threat advice from government to industry, and
early engagement by industry with government through notification.
4.27
The Committee notes evidence from the Attorney‑General’s Department that, during the 12 month implementation period, industry will be consulted through the newly established Critical Infrastructure Centre.
4.28
The Committee recommends that the Attorney-General’s Department work collaboratively with industry during this time to ensure effective and regular information-sharing, in particular sharing threat information with industry.
4.29
While the Committee does not wish to pre-empt the exact form these information exchange arrangements should take, the Committee strongly supports the request from industry that the arrangements provide timely, tailored and relevant information to meet both the Attorney‑General’s Department and C/CSP’s requirements under the framework. To the extent possible, threat advice should be delivered to industry with a degree of specificity that enables companies to make business decisions that are in line with the security objectives of the Bill.
4.30
The Committee notes that there are existing mechanisms for the Government to share both classified and unclassified information with industry. There are a number of existing forums that could be used for ongoing engagement between government and industry, including the Communications Sector Group of the Trusted Information Sharing Network for Critical Infrastructure Resilience, in addition to bilateral engagements.
4.31
The Committee also notes the willingness of the Attorney-General’s Department to second staff to industry and its discussions about opportunities for industry to participate in the Critical Infrastructure Centre. The Committee encourages the Department to continue to identify areas for cross‑collaboration and opportunities to assist government staff to gain insight into the complexity of regulation from the perspective of industry.
4.32
The Committee considers it critical that these information-sharing mechanisms and processes are finalised prior to the conclusion of the 12 month implementation period.
4.33
The Committee recommends that the Attorney-General’s Department works collaboratively with industry to ensure effective and regular information‑sharing, in particular sharing threat information with industry, leveraging existing mechanisms where possible.
These information-sharing mechanisms should ensure industry receives timely and tailored threat information to aid industry compliance.
The Committee considers that these processes should be finalised prior to the conclusion of the 12 month implementation period.
Kinds of changes that require notification
4.34
Industry raised concerns about the existing non-exhaustive list of notifiable items outlined in the Bill in subsection 314A(2). Industry argued that the existing terminology in the Bill implies that ‘just about anything’ in the course of normal network and system management must be notified. Industry indicated that this is problematic because it is unclear what measures might be regarded as sufficient protections to meet the notification requirements set out in the Bill. Industry suggested that an ‘exhaustive list’ of notifiable equipment be incorporated into the Bill.
4.35
In response, the Attorney-General’s Department indicated that it would not be prudent to set out technical descriptions in legislation, as they could soon become outdated:
Given the dynamic nature of both the telecommunications and national security environments, the Department considers it is not prudent to set out in legislation technical descriptions that are specific to a particular point in time. This could render the reforms set out in the legislation redundant in the near future.
4.36
In its submission, ASIO also supported the implementation of flexible definitions:
Given the changing nature of the threat, technology, and the fact that every network is managed differently, it is not possible to provide prescriptive definitions of what constitutes a sensitive part of a network. ASIO therefore supports the implementation of flexible definitions.
4.37
However, the Attorney-General’s Department acknowledged that industry needs more clarity regarding changes that are not required to be notified to the CAC. The Attorney-General’s Department provided the following list of changes it envisages industry will not be required to notify about, either because they do not meet the notification threshold, or due to them being exempted from the requirement:
day to day changes, such as routing changes or software updates, which do not materially change the C/NCSP’s effective control or competent supervision arrangements.
emergency changes, such as when a C/NCSP needs to make an urgent change to maintain the availability of the network, one that cannot be delayed to allow for the notification process.
testing or trials that are not connected to the Australian telecommunications network, where protections are applied to customer data.
specific business changes that do not impact a C/NCSP’s ownership, effective control or competent supervision. This may include replacing existing equipment with equipment of the same make and same (or similar) model.
4.38
The Attorney-General’s Department noted that ‘further examples of changes that may be exempted from the notification requirement will be canvassed with industry during the implementation phase’; and ‘C/CSPs wishing to discuss whether a change requires notification will also have the option of contacting the Department’ to seek further guidance.
4.39
The Attorney-General’s Department expanded on this during a public hearing, arguing that it considered the most appropriate approach to address this issue would be to include examples of the kinds of changes that must be notified in the administrative guidelines. The Department considered there to be risks if these examples were included in regulation:
it will be incumbent on us to ensure industry has the information it requires to be aware of those relevant risks. We think the most appropriate way to do this is to detail examples and information in the administrative guidelines. It would be possible to include more detail in regulations. However, this approach would not be as flexible and there is some risk that it would require the introduction of potentially broader-than-necessary indications of notification requirements to ensure all risks are captured, because it would not have quite that level of detail and ability to adjust. Security risks are unique to each provider’s individual circumstances and the detail of their proposed arrangements. For that reason, the critical infrastructure centre would also be providing very direct and tailored advice to providers on risks.
Committee comment
4.40
The Committee notes that the approach used to describe the kinds of notifiable items in proposed subsection 314A(2) is intended to ensure the provisions of the Bill do not rapidly become outdated or redundant, and to ensure that the proposed legislation can keep pace with rapid advances in technology and the changing nature of the threat environment.
4.41
However, the Committee recognises that this approach creates some uncertainty for industry.
4.42
Although it would be possible to include more detail in regulations, the Committee notes that the Attorney-General’s Department has argued that this would not provide the flexibility required to adjust details of notification requirements over time as new examples evolve and more tailored information is required. The Committee also notes that, to ensure all risks are captured, using regulations to detail the notifiable items could result in a broader list of items being articulated in regulations than would otherwise be the case.
4.43
The Committee concludes that the administrative guidelines are the appropriate place to detail information and examples of notifiable items.
4.44
The Committee recommends that the administrative guidelines provide more detail about the notifiable items, including examples of the sorts of changes that are not envisaged to require notification to the CAC (as identified by the Attorney‑General’s Department in its supplementary submission). The inclusion of this additional information should be completed prior to the conclusion of the implementation period.
4.45
The Committee recommends that the administrative guidelines to the Telecommunications and Other Legislation Amendment Bill 2016 be expanded to provide greater detail about the existing list of notifiable items.
This could be achieved, for example, by listing the sorts of changes that are envisaged to not require notification to the Communications Access Co‑ordinator (CAC), as well as providing more detailed information about the sorts of changes that do require notification to the CAC.
The Committee considers that inclusion of this additional information should be finalised prior to the conclusion of the 12 month implementation period.
Adverse security assessments for responses to notifications
4.46
Industry Associations suggested that an adverse security assessment should not only be a requirement for the Attorney-General’s directions-making power (discussed in Chapter 5), but also for the notification and consultation processes that precede that direction. The Industry Associations argued that the lack of an adverse security assessment prerequisite ‘allows the Attorney‑General to apply pressure onto C/CSPs without a formal basis for doing so’.
4.47
In response, the Attorney-General’s Department stated:
Requiring an adverse security assessment as a precondition for the notification requirement would significantly undermine the effectiveness of the reforms. It would require ASIO to provide an adverse security assessment on a proposed change without being notified or informed of that change in order to trigger the notification requirement. It is not possible for ASIO to provide an adverse security assessment relevant to a provider, without knowledge of that provider’s networks, facilities, services and any proposed changes. The purpose of the reforms is to ensure early engagement between industry and Government to identify, and appropriately mitigate, risks to telecommunications networks and facilities.
Committee comment
4.48
All individual notifications and security capability plans provided by a C/NCSP under proposed sections 314A and 314C (respectively) will require a response from the CAC. This response may consist of requesting further information from the provider about the proposed change; advising the provider of security-related risks, duties and consequences associated with the proposed change; or informing the provider that there was not considered to be a security-related risk in the proposed change.
4.49
The Committee notes industry’s concern that, unlike the direction-making powers of the Bill (discussed in Chapter 5), an adverse security assessment is not required from ASIO before the CAC can provide advice about any security-related risks associated with the proposed change.
4.50
However, noting that the ‘regulatory objective of the Bill is to achieve national security outcomes on a cooperative basis rather than through the formal exercise of regulatory powers’, the Committee considers that requiring an adverse security assessment for each response to a notification would be an unnecessarily rigid approach. Such an approach would risk delaying response times and could undermine the intent of the Bill to formalise existing collaborative relationships with industry and facilitate early engagement on the management of national security risks.
4.51
Should the proposed cooperative approach not result in satisfactory security outcomes, the Attorney-General would then have the option of issuing a direction to the C/CSP (see Chapter 5). An adverse security assessment would be a prerequisite for such a direction to be issued.
4.52
The Committee does not consider any change is required to the Bill in this respect.
Exemptions processes
4.53
Foxtel suggested the Bill be amended to provide a legislative framework around the exemptions process, including criteria for exemptions and timeframes. Foxtel noted that page 28 of the administrative guidelines contains the sorts of things that would be taken into account when making a decision about whether or not to provide an exemption:
While there is provision for the CAC to grant exemptions from the notification requirements in section 314(1A), Foxtel notes there is no detailed legislative framework around this process, for example, there are no criteria that may be considered in exercising this power or timeframe specified in which an exemption decision must be made.
4.54
In explaining why the Bill does not detail the application process for exemptions, the Attorney‑General’s Department stated:
The reforms set out in the Bill focus on building effective partnerships between industry and Government to identify, and appropriately mitigate, risks to telecommunications networks and facilities. They differ from other obligations set out in the Telecommunications (Interception and Access) Act 1979 in that they are not focussed on the existence of a service-level capability. Accordingly, a framework requiring the Communications Access Co-ordinator to “approve” or “not approve” a C/NCSP’s application is not appropriate.
It is envisaged that exemptions granted under the reforms will mostly focus on exempting a C/NCSP from notifying the Communications Access Co‑ordinator of certain types of changes or changes involving a particular business unit, rather than a blanket exemption applicable to that C/NCSP’s entire operations … Given the focus of the reforms is to ensure national security considerations are taken into account early in a C/CSP’s planning phase, it makes sense to keep the communication lines between industry and Government open.
However, noting industry’s concerns, the Department is open to amending the Bill to include an exemption application process.
Committee comment
4.55
The Committee notes that there is a range of information about exemptions processes set out in the Explanatory Memorandum, including that:
the CAC could provide either a ‘complete’ or ‘partial’ exemption,
the decision of the CAC will be based on advice from ASIO, and
the advice from ASIO will be based on a range of factors relevant to the security risk profile of the C/NCSP (such as market share, sensitivity of the customer base and criticality of the network).
4.56
The Committee also notes that the Attorney‑General’s Department is ‘open’ to amending the Bill to include an exemption application process.
4.57
To provide greater certainty for industry, the Committee considers that the Bill should be amended to provide detail about the process surrounding exemptions to the Bill’s notification requirements.
4.58
The Committee recommends that the Telecommunications and Other Legislation Amendment Bill 2016 be amended to outline the application process for exemptions from notification requirements. The Bill should clarify that:
carriers and nominated carriage service providers may request the Communications Access Co-ordinator (CAC) to provide either a partial or complete exemption from the notification requirement in relation to certain types of changes, and
the CAC may vary or revoke exemptions.
Framework and criteria for declaring a CSP an NCSP
4.59
Foxtel noted there is no detailed legislative framework or criteria for the Minister to declare a carriage service provider a ‘nominated carriage service provider’ (NCSP) under subsection 197(4) of the Telecommunications (Interception and Access) Act 1979, which triggers the notification requirement in proposed section 314A.
4.60
Foxtel noted that this does not provide sufficient certainty regarding the future application of the proposed reforms, and suggested there should be a legislative framework or criteria to declare a CSP an NCSP under the Act.
4.61
In response, the Attorney-General’s Department noted that the ability for the Attorney-General to nominate a CSP already exists in the Telecommunications (Interception and Access) Act 1979, and outlined the processes and considerations taken into account:
Nominations are made following consultation with law enforcement and intelligence agencies and based on maintaining the ability of those agencies to undertake national security operations or law enforcement investigations into serious offences. The CSP would be consulted on any proposed recommendation for nomination and the Department would consider the broader impact on the CSP (including increased regulatory burden). A CSP would not be nominated without its knowledge.
Committee comment
4.62
The Committee notes that the existing process of the Attorney-General nominating a CSP to become an NCSP under the Telecommunications (Interception and Access) Act 1979 would already involve consultation with law enforcement and intelligence agencies, as well as the affected CSP.
4.63
The Committee further notes that any proposed recommendation for nomination would consider the broader impact on the CSP, and a CSP would not be nominated without its knowledge.
4.64
The Committee does not consider any change is required to the Bill in this respect.