The Telecommunications and Other Legislation Amendment Act 2017 (Act), setting out the Government’s telecommunications sector security reforms, has now passed both Houses of Parliament and will be implemented over a 12 month period. Telecommunications companies need to work quickly to ensure they are ready for the new rules.
History of the legislation
The purpose of the new legislation is to enhance the security of critical telecommunications infrastructure, by requiring telecommunications companies to take into account a range of security risk factors when making investment decisions to protect broader national security interests (that is, espionage, sabotage and foreign interference).
It has taken a long time to implement these telecommunications sector security reforms, with the legislation first contemplated in mid-2013. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) most recently considered the draft legislation over the period from November 2016 to June 2017. The PJCIS issued a report on 30 June 2017 supporting the legislation but recommending some amendments and a substantial role for the Administrative Guidelines to be put in place under the Act. The Government accepted all of the recommendations of the PJCIS, allowing the Act to be passed with bipartisan support.
As summarised in our briefing on the 30 June 2017 report of the PJCIS, the key provisions of the Act are:
- For the purposes of security, telecommunications carriers, as well as carriage service providers and intermediaries (collectively, C/CSPs), will be obliged to do their best to protect telecommunications networks and facilities they own, operate or use from unauthorised interference or access to ensure the availability and integrity of networks and facilities and to protect the confidentiality of information stored on and carried on them.
- Carriers and those carriage service providers nominated under section 197(4) of the Telecommunications (Interception and Access) Act 1979 (Cth), will be obliged to notify the Government of planned changes to systems and services that are likely to have a material adverse effect on a C/CSP’s ability to meet the obligations outlined in the paragraph immediately above. Although it is difficult to imagine that a C/CSP would contemplate a change to a service or system that would adversely impact its ability to comply with its primary obligation under the Act, examples of changes that may be required to be notified are also set out in the Act. These include procuring new equipment or services for sensitive parts of a network or outsourcing management of telecommunications services. Full or partial exemptions will be available and it will be possible for a Security Capability Plan to be submitted in satisfaction of these requirements (ie, essentially, allowing for a bulk notification).
- Direction powers are granted to the Attorney-General. For example, a direction could be provided to a carrier to change a procurement if the Attorney-General determined that procurement gave rise to unacceptable security risks. There are a number of preconditions that must be met before this directions power may be used.
- Information gathering powers are granted to the head of the Attorney-General’s Department. Information may be sought to facilitate both monitoring of compliance and investigation of possible breaches.
Who is impacted?
Telecommunications carriers, carriage service providers and intermediaries are all subject (to a greater or lesser extent) to the Act. The Act relies on well understood definitions of these entities, as contained in the Telecommunications Act 1997 (Cth). The category of regulated entities is broad, given the inclusion of carriage service intermediaries. A carriage service intermediary is an entity that arranges for a third party carriage service provider to provide carriage services to a customer of the intermediary. As with any typical intermediary service, the carriage service intermediary does not itself provide the carriage service.
Broadcasters who are exempt from being treated as carriage service providers are not subject to the Act.
What do you need to do?
The Critical Infrastructure Centre (CIC), within the Attorney-General’s Department, will work with the telecommunications sector to implement the reforms over the 12 month implementation period.
The Act itself does not set out all of the detail of the rules that telecommunications companies will need to comply with when the Act commences. The Administrative Guidelines, which will be finalised in the 12 month implementation period, will provide further clarity on these rules.
In particular, as recommended by the PJCIS:
- The Guidelines will set out a company’s security obligations where it:
  - provides or resells over-the-top services;
  - uses, but does not own or operate, telecommunications infrastructure;
  - uses offshore infrastructure to provide services in Australia and to carry and/or store information from Australian customers; or
  - provides cloud computing and storage solutions.
- The Guidelines will also set out greater detail of the proposed changes that would, and would not, need to be notified to the Government’s Communications Access Co-ordinator (CAC). The Guidelines will also clarify when regulated entities would be able to apply to the CAC for partial or complete exemptions from these notification requirements and how long an exemption, when granted, may be expected to continue.
Although there is a lack of clarity regarding the details of the obligations imposed by the Act, this does not mean that impacted companies should not take action now.
As has been pointed out by industry, commercial imperatives mean it is very unlikely that network or service delivery changes would be planned or undertaken by telecommunications companies if these would create national security risks. Nonetheless, impacted entities will need to put in place the appropriate compliance arrangements to ensure that they will not breach the Act or the Administrative Guidelines. The fact that it may take some time for the Guidelines to be finalised will mean that telecommunications companies will need to work closely with the CIC in its development of those Guidelines and may need to act quickly to ensure they will be fully compliant by the start date of the new regime.