The government’s push to introduce a legislative framework to boost the security of Australia’s networks has again been criticised by a group of major industry organisations.
The government in November introduced a bill to implement its Telco Sector Security Reform (TSSR) program. That bill — innocuously titled Telecommunications and Other Legislation Amendment Bill 2016 — is currently subject to an inquiry by the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
The regime outlined by the bill would create a formal requirement for telcos to protect their networks from threats such as espionage, sabotage and foreign interference. Network operators would need to advise the government ahead of time of changes to their infrastructure that may have an impact on security.
Those changes could include plans to provide new services, to procure certain types of equipment or enter outsourcing arrangements. A group of changes may be grouped together as a security capability plan that a telco submits to the government, via the Attorney-General’s Department.
The bill would also empower the government to issue directions to a telco, such as a direction to not use or supply, or to cease using or supplying, a particular carriage service because it is deemed prejudicial to security.
The draft legislation has gone through multiple iterations, with the government seeking to ease concerns among telcos about its impact.
However, a joint submission (PDF) to the PJCIS inquiry by the Australian Industry Group (Ai Group), the Australian Information Industry Association (AIIA), the Australian Mobile Telecommunications Association (AMTA), and Communications Alliance reiterates concerns about the TSSR bill.
The groups repeat their argument that, in their view, the case for the TSSR has not been made.
“In its current form, the legislation is too discretionary and vague and is lacking two-way cooperation and information, thereby imposing substantial costs, uncertainty and regulatory risk onto the entities proposed to be regulated,” the submission states.
“The legislation is an over-reach and an unnecessary imposition of inflexible black-letter law when a more flexible, proactive, informative and collaborative approach (as is being implemented in other jurisdictions) would be more effective in protecting Australia’s telecommunications infrastructure.”
Industry has previously argued that the proposed legislation will stifle innovation and have a deleterious effect on local businesses’ ability to compete with overseas operators — and possibly a net negative impact on security.
In their inquiry submission, the associations argue that the bill will introduce an asymmetry whereby telcos are obliged to notify government of proposed changes to their network, but the government is not obliged to notify them of threats to those same networks.
“This means that C/CSPs may receive an adverse security assessment and, consequently, commit scarce resources to developing risk mitigation strategies based on incomplete or no threat information from Government,” the submission states. “This is an inefficient process and is likely to add to compliance costs which ultimately will be borne by consumers.”
The submission also takes aim at the bill’s “vague” and “open to discretionary interpretation” definitions.
A further concern is that telcos may be forced to retrofit infrastructure, the groups argue, because there is no distinction in the bill between existing or relatively new networks or facilities and aging infrastructure.
“[T]he legislation itself ought to be amended to reflect the intention to not require retrofits except in rare and extremely serious circumstances,” the groups argue.
“Further, the legislation should include a sunset clause on the ability to issue a direction for a network retrofit. The legislation could, for example, state that Government’s right to require a retrofit expires 12 months after the expiry of the implementation period (i.e. two years after the date of Royal Assent). This would provide at least some element of certainty for C/CSPs [carriers/carriage service providers] as to the longevity of existing systems.”
Optus in its submission (PDF) to the inquiry addressed three areas of concern. They include the notification requirements in the bill: A telco may not become aware of the security implications of a change until after it’s made, Optus argues. Furthermore, a security agency might draw a conclusion about the impact of a change using information to which a telco is not privy.