Govt strengthens telecom security
Tougher Security: New legislation tightens up protection of telecommunications networks
Protecting critical telecommunications infrastructure is a key national priority and to secure this vital asset the government has introduced new telecommunications security legislation into parliament.
Cyber-attacks by hackers, criminals and unfriendly nations are now ever present, so it is timely that the government has taken the initiative.
Attorney-General George Brandis and Communications minister Mitch Fifield have introduced the revised Telecommunications and Other Legislation Amendment Bill 2016, after minor changes were made to an exposure draft released for comment last year.
In a joint media release last week, Senator Brandis and Senator Fifield said the legislation “strengthens ties with the telecommunications industry, enabling authorities to better identify and respond to national security threats.”
“Australia's national security, economic prosperity and social well-being increasingly depend on the security and resilience of telecommunications services.”
The legislative framework would provide greater certainty for the industry and better protect telecommunications networks from national security threats.
The joint submission on the 2015 draft of the legislation made by the Australian Industry Group, the Australian Information Industry Association, the Australian Mobile Telecommunications Association and Communications Alliance, welcomed earlier amendments but did not offer support for telecommunications security reforms.
The Bill will now be referred to the bipartisan Parliamentary Joint Committee on Intelligence and Security for public comment prior to being finalised.
Having voiced concern about the legislation on several occasions over the past couple of years, the various industry groups will now have to either accept the broad thrust of the legislation, or once again repeat the claims that:
- the purpose of the proposed reform remains unclear
- the onerous nature of the compliance requirements will act to hamper the responsiveness of carriers and carriage service providers (C/CSPs) to cyber threats
- there remain several areas of vague drafting in the exposure draft, including uncertainty as to the status of resale of overseas services and as to the ability of intermediaries to comply with the legislation
- the guideline information concerning the potential requirement for C/CSPs to retrofit or remove existing facilities is internally inconsistent, leaving open the risk that industry could face very high costs to rebuild existing networks
The government has estimated that the annual cost of compliance will be $184,000 for each of the larger telcos.
To offset the complaint by industry of an “onerous nature of the compliance requirements”, it is offering these companies the opportunity to submit a “security capability plan” annually to meet the notification requirements for changes to systems and services that are likely to make the network or facility vulnerable.
Possibly, now that the legislation has entered parliament, the industry groups should provide specific detail on areas of concern, rather than making vague statements that question the intent of the legislation.
Whilst the telcos may claim that knowledge of their networks and systems is commercially sensitive, it is in the nation’s interest that the Attorney-General’s Department (AGD) and the Australian Security Intelligence Organisation (ASIO) are provided with sufficient information to make determinations that are in the national interest.
This does not mean that the government will rush to ban major telecommunications vendors from supplying equipment to local telcos.
But it is possible that the government may block the use of equipment from some vendors until such time as a thorough security review can be carried out.
In 2012, ASIO, acting on information provided by the US National Security Agency (NSA), gave the AGD a negative security assessment of the Chinese vendor Huawei, prompting the government to ban Huawei from supplying equipment to NBN Co.
Without the appropriate legislation, the government was not able to ban Huawei entirely and consequently local business, industry and telcos have been widely utilising Huawei’s competitively priced products.
Under the new legislation the government would be able to ban a company that supplies telecom-related products or services from entering the Australian market on security grounds. The legislation will also allow government to ban telcos from using offshore facilities, such as data centres.
If there is a complaint to be made about the draft legislation, it is that there does not appear to be recourse to an adverse security assessment.
In 2012, Huawei offered to emulate in Australia the approach adopted in the UK, where it worked with the UK Government’s intelligence agency, GCHQ, to set up a facility called the Cyber Security Evaluation Centre (CSEC) to vet equipment and software.
The focus of the legislation to impose a security obligation on C/CSPs is long overdue.
They will be required to “do their best to manage the risk of unauthorised access and interference to networks and facilities they own, operate or use to ensure the availability and integrity of networks and facilities and to protect the confidentiality of information stored on and carried across them.”
For the telcos, the phrase “own, operate or use” means they will need to be able to justify the use of networks, facilities and systems that they do not own or operate. Telcos will need to take responsibility for the suppliers and service providers that they engage.
They will need to do due diligence on any company that they utilise offshore to, for example, store customer or other personal information in a data centre.
Taking responsibility for telecommunications security will be a big pill for the local industry to swallow, but it must do this in the national interest.
It is time for the industry groups to advise their members that they need to work with government to improve the legislation before it is put up for a vote. This does not mean the industry groups should continue with a myopic view, but should instead adopt one that first and foremost considers national security and consumer interests.