Last week the Government introduced its controversial Telecommunications and Other Legislation Amendment Bill 2016 (the Bill). The Bill is generally similar to the second exposure draft provided to industry late last year, which included a number of changes from the first exposure draft, which we covered in a previous alert. If passed, the Bill will impose new network security obligations on carriers and carriage service providers, and give the Attorney-General greater oversight of those obligations.

The Bill seeks to amend the Telecommunications Act 1997 (Cth) to strengthen the Government’s ability to manage national security risks affecting telecommunications networks. If passed, the Bill would do three main things:

  • require carriers and carriage service providers (C/CSPs) to do their best to protect their networks from unauthorised access and interference;

  • require C/CSPs to notify the Government of any change to their services or networks that is likely to have a material adverse effect on their ability to meet their security obligations; and

  • give the Attorney-General enhanced direction and information gathering powers to manage national security risks affecting telecommunications networks.

The Bill has been drafted following two periods of consultation. An initial exposure draft Bill released on 25 June 2015 was heavily criticised by industry on the basis that the powers given to the Attorney-General under it were too vague and extensive and that the obligations imposed by it would be too burdensome. A second exposure draft was released on 27 November 2015 and addressed a number of these issues. It was better received by industry though reservations remained about the scope of Government powers and the regulatory burdens imposed. The Bill as introduced is the result of the second consultation period.

The key features of the Bill are outlined below.

Carrier and operator obligations to protect against unauthorised interference

The Bill requires carriers and operators to do their best to protect telecommunications networks and facilities against unauthorised interference for the purpose of security. As a result of consultation, the Bill has clarified that this obligation only extends to telecommunications networks and facilities owned, operated or used by the carrier or provider.

The meaning of “security” has also been clarified to include the protection of the Commonwealth, States and their people against espionage, sabotage, attacks on defence and acts of foreign interference. These concepts are also incorporated in relation to carriage service intermediaries.

Attorney-General powers of direction

The Bill proposes to allow the Attorney-General to direct C/CSPs to do or cease doing a specified act or thing for a certain period if the Attorney-General is satisfied there is a risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities that would be prejudicial to security. The Attorney-General is only permitted to give such directions after negotiations in good faith, and must have regard to the potential costs to the affected C/CSP and the telecommunications industry.

The Bill has now also clarified that in order for the Attorney-General to make a direction to C/CSPs or intermediaries, he or she must be satisfied that giving such a direction is reasonably necessary for the purposes of reducing the risk of unauthorised access to or interference with telecommunications networks or facilities that would be prejudicial to security. The effect of this is that any directions given by the Attorney-General will need to be proportionate to the risk they are aimed at addressing.

Information gathering powers

The Bill proposes a number of information gathering powers for the Attorney-General. C/CSPs will be required to inform the department about changes to their systems or services that could have a “material adverse impact” on the security of their networks. This may require reporting of offshoring or outsourcing critical services, significant equipment purchases or changes to the way the network is managed, to the extent that this could have an impact on network security. C/CSPs have the option of submitting “security capability plans” aggregating this information, rather than making individual disclosures for each relevant change.

The Bill also allows the Attorney-General’s Secretary to request information or documents relevant to assessing compliance with the duty imposed on C/CSPs to do their best to protect the security of their networks. The Bill has made two further changes from the second exposure draft in relation to these information gathering powers:

  • the Attorney-General’s Secretary may, in addition to their other powers, require carriers, providers or intermediaries to make and deliver copies of documents relating to their compliance with the Act. To the extent a notice exercising this power is issued, the Commonwealth must pay reasonable compensation to the carrier, carriage service provider or carriage service intermediary in respect of the costs incurred in complying with the notice. However, the legislation is unclear as to the scope of the compensation (i.e. whether it extends to all costs in complying with the notice or whether it is restricted to mechanical processes of copying documents); and
  • before using the information gathering powers and providing a notice to a carrier, provider or intermediary, the Attorney-General’s Secretary must have regard to the costs in complying with any notice that would be likely to be incurred by the carrier, provider or intermediary.

Information sharing and confidentiality

The Bill entitles the Attorney-General’s Department to share certain information it receives from C/CSPs with other persons for the purpose of assessing the risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities and to assess any such risk to security or for the purposes of security.

Following the second consultation, the power to share information has been expanded to documents procured under the provisions dealing with individual notifications, procurement of additional documents for the purpose of assessing proposed changes in telecommunications systems and security capability plans.

In all cases, the receiving party is obliged to keep the information confidential, and no information identifying the relevant C/CSP can be disclosed to a person who is not an officer of the Commonwealth.

Annual reporting

The Bill imposes a requirement on the Attorney-General’s Secretary to provide an annual report to the Attorney-General on the operation of the Bill. The Attorney-General must table the report before each House of Parliament within 15 sitting days after receiving the report.

Impacts for industry

The Bill addresses many of the concerns raised earlier by industry about the scope of the first exposure draft and the potential compliance costs and regulatory burden it created. However, C/CSPs should be ready to prepare security capability plans and comply with information requests regarding security from the Attorney-General. The best efforts obligations and powers of direction in the Bill could also affect the extent to which C/CSPs outsource management of their networks and may require C/CSPs to strengthen the security controls they have built into their supplier contracts, particularly when dealing with offshore providers. In extreme cases the Attorney-General will also have significant power to direct and control the manner in which a C/CSP conducts its business.

International precedents

The regulatory impacts statement for the initial Bill placed the Bill in the context of a number of international developments in the network security space. In particular, the Government has identified that similar legislation has been implemented in New Zealand and India. In addition, the Government identified cyber-security policies and measures in the UK, US, Taiwan and Singapore as influencing its approach, particularly in the context of restricting procurement of telecommunications equipment from Chinese companies such as Huawei and ZTE. These examples are particularly instructive on the purpose of the Bill as the Australian Government has controversially banned Huawei from participating in the National Broadband Network over cybersecurity and espionage concerns.