The powerful parliamentary national security committee has launched an inquiry into the federal laws to manage security risks and the cybersecurity of telecommunications companies, amid concerns the new powers have not been used in the two years since they were introduced.
It is believed that while the laws have been in place for two years now, the government is yet to use the information gathering or directions powers granted to it in the legislation. This is despite regularly raising concerns about a growing cybersecurity risk to the nation’s critical infrastructure.
The new review also comes as the Home Affairs department runs separate consultations on government plans to introduce new laws that would give it further powers to take over the operation of critical infrastructure, and also grant legal impunity to operators when met with a significant cyberattack.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has launched an inquiry into the operation of Part 14 of the Telecommunications Act 1997, which relates to the government’s Telecommunications Sector Security Reforms of 2018.
These reforms established a “regulatory framework to manage the national security risks of espionage, sabotage and foreign interference of telecommunications networks and facilities”.
The laws imposed new obligations on the operators of telecommunications networks, including to do their best to protect from unauthorised access and interference and to notify the government of planned changes to their systems and services that could compromise their capacity to comply with the security obligation.
The legislation also gave the government new information gathering powers to obtain information and documents from telcos, as well as new power to direct telcos to do or not do something to protect their network.
In its annual report on the laws for 2018-19, the Department of Home Affairs revealed that neither the information gathering, or directions powers had been used at all up to the end of June 2019. It’s unclear whether these powers have been used in the most financial year, but there has been no indication from the government that they have been.
The 2018-19 report said the government had received 34 notifications of changes from telcos and participated in more than 50 engagements to ensure the industry understood the new laws.
Despite the lack of evidence around the use of these powers, the government announced further regulations for critical infrastructure operators as part of its recent 2020 Cyber Security Strategy, which would give it the power to take control of a company if it were subject to a significant cyberattack.
Shadow assistant minister for cybersecurity Tim Watts at the time questioned why the 2018 powers had not been used in the two years they have been in place.
“The 2018 critical infrastructure reforms were announced with great fanfare just as these new critical infrastructure reforms are being done so today,” Mr Watts said.
“But it was all over-promising and under-delivering – why are these new reforms going to be any different with Dutton at the helm.”
Submissions to the PJCIS inquiry are open until 27 November, while the submission window for the Home Affairs consultations on the new critical infrastructure laws closes next week.