Draft bill creates additional obligations to protect networks and facilities, and ASIO is intended to have a "key role" in implementing security
On 26 June 2015, the Attorney-General and Minister for Communication released the government's proposal for security reforms in the telecommunications sector in the form of a draft of the Telecommunications and other Legislation Amendment Bill 2015, explanatory memorandum and regulatory impact statement.
Submissions on the proposal can be made to the Cyber and Identity Security Policy Branch until 31 July 2015.
As we expand on below, the draft bill imposes a duty on carriers, carriage service providers (CSPs) and carriage service intermediaries to protect telecommunications networks and facilities from security risks, and to provide information related to that protection duty. The draft bill also contains powers for the government to give certain directions to a carrier, CSP or carriage service intermediary, including a direction not to use a carriage service.
The draft bill is intended to give the government "levers" to require engagement and information sharing between industry members and security agencies, and to deal with "the potential for misalignment of commercial interests [of carriers, CSPs and carriage service intermediaries] with national interest where national security is threatened and industry sometimes does not act on the advice of Government."
The draft bill:
- Creates a general obligation for carriers, CSPs and carriage service intermediaries to "do their best" to "protect telecommunications networks and facilities from unauthorised interference or unauthorised access" (the "protection duty"). The protection duty applies to the extent necessary to ensure the confidentiality of communications and information carried and contained on telecommunications networks, and the availability and integrity of telecommunications networks and facilities.
- Establishes a process for the Attorney-General's Secretary (or his/her delegate) ("Secretary") to obtain from carriers, CSPs and carriage service intermediaries information that is "relevant to" the protection duty. Consistent with ACMA's information-gathering powers under Part 27 of the Telco Act, there is no exception for information which may be self-incriminating, although where the information is provided by an individual there are limitations on how it can be used against them. Once collected, this information can be disclosed for assessment of the risk to the protection duty, or for the purposes of security. The Secretary may delegate this information-gathering power to an ASIO employee or to an Australian Public Service employee who is classified as a "Senior Executive Service" employee.
- Permits the Secretary to direct a carrier, CSP or carriage service intermediary to do, or refrain from doing, any specified act or thing for a period determined by the Secretary, if he/she is satisfied that there is a risk of unauthorised interference with, or access to, a telecommunications network or facilities and a risk to "security" relating to the operation of a network or the supply of a carriage service. The Secretary must consult with the Director-General of Security (appointed under the ASIO Act) and the Communications Secretary in relation to such a direction.
- Permits the Attorney-General ("AG") to direct a carrier or CSP not to itself use a carriage service or supply that carriage service (and to cease using and/or supplying that carriage service) if the AG considers its use or supply to be "prejudicial" to security. The direction must relate to the carriage service itself, and not the supply of that carriage service to an individual or class of persons. The AG must consult with the PM and the Minister for Communications in relation to such a direction. This replaces an equivalent power in section 581(3), which is being deleted.
- Grants the Secretary rights of enforcement under Part 30 of the Telco Act if a carrier or CSP fails to comply with a direction given by the Secretary.
Notably, the proposals do not set a security standard for the telecommunications industry and do not impose any industry levy to deal with the implementation of the security reforms as some had anticipated.
The protection duty
The Explanatory Memorandum ("EM") states that a carrier, CSP or carriage service intermediary must "do its best" to manage the risk of unauthorised access and interference in their networks by "engaging early with security agencies on procurements and material network changes". The terms "unauthorised access" and "unauthorised interference" are not defined and so have their ordinary meaning.
The examples given in the EM of information which the Secretary may require from carriers, CSPs and intermediaries are procurement plans, changes to networks, network or service design plans, tender documentation, contracts and other documents specifying business and service delivery models and network layouts. Once the Secretary has obtained this information it could, for example, give a direction requiring that a procurement be altered if it has been assessed as giving rise to a "risk to security".
The existing arrangements of a carrier, CSP or intermediary will be considered when assessing compliance with the protection duty at the point the draft bill comes into effect, but the EM notes that most security issues in existing networks and facilities will be able to be addressed as systems and networks are replaced or refreshed.
The introduction of the protection duty into section 313 of the Telco Act also brings it within the scope of section 202B of the Telecommunications (Interception and Access) Act 1979 ("TIAA"), which requires carriers and CSPs nominated under the TIAA to notify the Communications Access Co-ordinator of any change that is likely to have a material adverse effect on their capacity to comply with the protection duty.
"Doing its best"
The standard of compliance required of a carrier, CSP or intermediary is to "do its best" to protect telecommunications networks and facilities from unauthorised interference or unauthorised access. This is the same standard of compliance as is already required under section 313 to prevent networks and facilities being used in the commission of offences.
The EM clarifies this obligation as being less than an absolute requirement but nonetheless requiring carriers, CSPs and intermediaries to take "all reasonable steps". There is no reference to other factors which a carrier, CSP or intermediary may wish to take into account in determining its approach to compliance, such as operational or commercial factors.
As part of "doing its best" a carrier, CSP or intermediary is "expected to demonstrate effective control and competent supervision of its network and systems", including its telecommunications supply chain. The EM goes on to explain that:
- "competent supervision" means the ability of a carrier, CSP or intermediary to maintain "technically proficient oversight" of its telecommunications networks and facilities; and
- "effective control" means the ability of a carrier, CSP or intermediary to maintain direct authority and/or contractual arrangements which ensure that its network and facilities, its infrastructure, and the information stored or transmitted within them are protected from unauthorised interference.
The EM contains further examples of items that would demonstrate competent supervision and effective control, including "corporate awareness" of security risks and vulnerabilities, and embedding security considerations in business decision making and business delivery models. However, it is important to note that these terms are used only in the EM and are not included in the draft bill or the terms of the Telco Act.
The draft bill extends the existing "good faith" provisions of section 313(5) of the Telco Act, meaning that a carrier or CSP will not be liable to an action or other proceeding for damages for or in relation to actions taken in compliance with a direction given by the AG or Secretary in relation to the protection duty.
In the draft bill, a "risk to security" or "prejudice to security" arising in connection with the protection duty is the trigger for the exercise of information-gathering powers, or the power to give directions by the AG or the Secretary.
Consistent with the existing terms of the Telco Act, the meaning of "security" remains that given to the term under the Australian Security Intelligence Organisation Act 1979 ("ASIO Act"), being:
(a) the protection of, and of the people of, the Commonwealth and the several States and Territories from:
(iii) politically motivated violence;
(iv) promotion of communal violence;
(v) attacks on Australia’s defence system; or
(vi) acts of foreign interference;
whether directed from, or committed within, Australia or not; and
(aa) the protection of Australia’s territorial and border integrity from serious threats; and
(b) the carrying out of Australia’s responsibilities to any foreign country in relation to a matter mentioned in any of the subparagraphs of paragraph (a) or the matter mentioned in paragraph (aa).
Role of ASIO
The EM envisages that ASIO will provide security assessments in relation to the power of the AG and the Secretary to issue directions, and will provide carriers, CSPs and intermediaries with general and targeted threat assessments, mitigation advice and administrative guidelines highlighting the parts of networks that are particularly vulnerable.
The EM also anticipates that ASIO will "provide a key role" in the implementation of the security reform measures through industry engagement and education about general and specific national security risks and how to manage and mitigate those risks.
ASIO is not, however, given any formal powers by the draft bill, although the Secretary can delegate his/her information-gathering powers to an ASIO employee of an appropriate rank. Given the extensive role that the EM envisages for ASIO, it seems very likely that such a delegation would be made.
The EM indicates that ASIO will generally request the Secretary to exercise the direction power where an organisation has failed to implement advice provided by ASIO. The direction itself must specify the consequences of non-compliance, and the Secretary has power to seek injunctions and enforceable undertakings for non-compliance with a direction.
Under section 38A of the ASIO Act, the AG must provide the carrier, CSP or intermediary with a copy of any adverse or qualified security assessment and details of how it can seek a merits review of the assessment before the Administrative Appeals Tribunal under Part IV of the ASIO Act.
The draft bill implements formal processes for gathering information from, and giving directions to, carriers, CSPs and intermediaries on matters related to the protection duty. However, the EM indicates that the "regulatory objective" is industry co-operation with ASIO and the Attorney-General's department on "national security outcomes", rather than reliance on the formal procedures.