The Parliamentary Joint Committee on Intelligence and Security (Committee) is currently conducting an Inquiry into potential reforms to National Security Legislation. As part of that Inquiry, the Government has asked the Committee to consider proposals for telecommunications sector security reform.
The Government is concerned that the telecommunications industry is not fully informed about national security risks and is therefore not equipped to respond adequately to them. Citing the critical juncture of telecommunications infrastructure development in Australia (driven by the NBN construction), the Government argues for the need to make carriers and carriage service providers (or C/CSPs) aware of the need to manage national security risks. Failure to do so could complicate long term management decisions made on the design and procurement of major telecommunications infrastructure, with potential negative impacts on national security.
Against that background, the Inquiry has been asked to provide advice on appropriate assurance mechanisms to ensure the telecommunications industry has taken reasonable steps to address security risks to telecommunications infrastructure. In requesting that advice, the Government has proposed compliance assessments and audits, based on a risk assessment informed by factors such as market share, customer base and service offerings.
However, there are more proactive methods for compliance assurance – particularly if the regulatory model adopted is to meet the intended outcome: to identify security risks relating to telecommunications infrastructure early, resolve security concerns quickly and provide confidence to government, industry and the broader public of secure outcomes in the use of the infrastructure.
The Government has expressed a desire for a productive partnership with industry in managing national security risks to Australia’s telecommunications infrastructure. That is a desire industry shares. However, industry has concerns with the proposed approach. Telstra’s submission to the Inquiry, for example, outlines that the current proposals would create ambiguity and uncertainty as to what is expected of C/CSPs. Regulatory hurdles must be minimised and incentives provided for C/CSPs to act in partnership with Government. Without such an approach, Telstra notes that there is a risk that C/CSPs will not be able to finalise investment decisions or complete due diligence activities whilst waiting on Government decisions about network design and technology choices.
For true collaboration between Government and industry to occur, there needs to be ownership and accountability on both sides. One method that could meet the Government’s objective and allay industry concerns is a critical infrastructure licensing regime.
That is, industry could apply to have Government license its critical infrastructure as meeting the security requirements set by Government. C/CSPs could, for example, submit a risk assessment and control plan to Government outlining the control measures that the C/CSP will put in place to manage the security risks associated with the infrastructure it is planning to introduce. Government would be required to review and approve that risk assessment and control plan in a proactive fashion at the design and procurement stage. Such an approach would achieve the aim of identifying security risks early. Further, it would foster the formal engagement Government seeks, but with a greater balance of collaboration and partnership with industry – removing the uncertainty that Telstra identifies.
Industry incentives could be built into the regime by allowing C/CSPs to be exempted from the enforcement and penalties provisions on the condition that they comply with their own control plan as approved by the regulator – providing C/CSPs the certainty of outcome that is missing from the current proposals. This approach to approval of the plans could be subject to a legislated timetable to ensure the regime does not cause undue delay for industry procurement and design activities.
Industry submissions to the Inquiry also identified that the proposed tiered approach to monitoring compliance with the security obligations runs the risk of creating an uneven playing field, with the compliance burden resting disproportionately with larger C/CSPs. The effectiveness of the overall regime would be undermined because terrorists could avoid interception arrangements simply by acquiring services from smaller C/CSPs rather than larger ones.
Introducing a licensing regime could also address these challenges if the licensing regime adopts an ‘opt-in’ approach. Smaller C/CSPs could choose not to opt-in (avoiding a licence fee) but would still be subject to the security obligations and would be subject to greater compliance monitoring activities and financial penalties if they fail to comply. The advantages and disadvantages would then be balanced as follows:
Click here to see table.
Such a critical infrastructure licensing regime would put an emphasis on proactive assurance rather than reactive enforcement. This would be in keeping with better practice regulatory approaches. The approach has the capacity to adapt to changing environments, provide clarity to industry, provide incentives for compliance and be a competitively neutral solution. It would also provide an appropriate balance in the partnership between Government and industry on national security. Most importantly, it would be the most likely approach to further the aims of early identification of security risks in the design and procurement of the infrastructure – which is the very objective the security reforms are striving to achieve.
This opinion piece previously appeared in The Canberra Times' Public Sector Informant on 2 November 2012.