When it comes to cyber-crime and national security, the Government understandably needs to take a robust approach to dealing with threats. The Telecommunications Sector Security Reforms or the Telecommunications and Other Legislation Amendment Bill 2015 (the Bill) is the latest in a series of new and proposed legislation directed at cyber-crime and national security, including the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth), the Copyright (Online Infringement) Amendment Act 2015 (Cth) and the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015.
What does the Bill propose?
The Bill proposes to amend the Telecommunications Act 1997 (Cth), Telecommunications (Interception and Access) Act 1979 (Cth), and other legislation to include:
- new security obligations on carriers and carriage service providers to take ‘all reasonable steps’ to protect their networks and facilities from unauthorised access and interference, including demonstrating ‘competent supervision’ and ‘effective control’;
- new obligations on nominated carriers and carriage service providers to notify the Government of proposed changes to their networks and services that could compromise these security obligations (e.g. new services, off-shoring network equipment and outsourcing arrangements);
- new powers for the Government to request information from carriers and carriage service providers and issue directions to manage security risks; and
- civil enforcement to address carrier and carriage service provider non-compliance, including Federal Court proceedings for pecuniary penalties, injunctions and enforceable undertakings.
Taken in the context of other existing and proposed cyber-crime and national security legislation, the Bill arguably means that, in order to avoid sanctions, carriers and carriage service providers now need to:
- implement network security measures under multiple legislative instruments and regimes;
- implement capabilities to record and retain metadata relating to network traffic;
- implement network emergency and intercept capabilities (extending to the content of communications);
- provide the Government with network information, access and control under multiple legislative instruments and regimes;
- notify the Government and the public of serious data breaches; and
- implement capabilities to identify offenders and disable access to online locations using their networks.
They must do all of this while providing carriage services to the public that remain competitive in terms of technology, performance and price.
How has the Bill been received?
An exposure draft of the Bill was first introduced in June 2015 and then revised in November 2015 following initial industry consultation and feedback. In the context of an already highly regulated industry, it is no surprise that the Bill has been met with strong opposition. The key issues raised by industry stakeholders were that:
- industry already has a collaborative working relationship with Government and there is no evidence to suggest the existing legislative regime is deficient;
- it is unclear how the proposed reforms will deliver the stated aim of identifying and mitigating risks to national cyber-security arising from the build and operation of telecommunications networks;
- outsourcing and off-shoring are integral parts of 21st century business operations and Government restrictions or control over these arrangements will significantly impact costs and innovation;
- Government involvement in technology development and roll-out will halt network innovation in Australia and result in Australia being left behind;
- Government acknowledges implementing the reforms will be costly, but there is no clear cost recovery or funding model; and
- the costs of complying with these reforms will deter investment in new technology and result in increased consumer prices.
What is the rest of the world doing?
The USA, Canada and UK appear to have taken a different and more collaborative approach, working together with industry to combat cyber-crime and national security threats. In the USA, the Cybersecurity Enhancement Act 2014 supports the development of voluntary, industry-led cyber-standards and best practices for critical infrastructure and only imposes regulations as a last resort. Similarly, in Canada, the Canadian Security Telecommunications Advisory Committee developed the Canadian Telecommunications Service Providers’ (TSP) Security Best Practices, which are voluntary standards for self-evaluating existing network security policies. In the UK, the government committed to the National Cyber Security Strategy in 2011, which again focuses on facilitating information sharing between industry stakeholders to identify and deal with cyber-crime and national security threats. This industry-led approach not only leverages the front-line expertise of carriers and carriage service providers, but is arguably more flexible and adaptive to technological progress and market forces.
The Cyber and Information Security Policy Branch of the Attorney-General’s Department accepted submissions relating to the Bill until 18 January 2016. It remains to be seen whether the final Bill will accommodate industry feedback and follow the more collaborative approach taken by other key jurisdictions. Watch this space.