On 25 June 2015 the Attorney-General and the Minister for Communications released an exposure draft of a new piece of legislation that aims to strengthen the Government’s ability to manage national security risks affecting telecommunications networks.
The proposed Telecommunications and Other Legislation Amendment Bill 2015 is the latest in a series of national security reforms introduced by the Abbott Government that affect the telecommunications industry. If passed, the Bill would do three main things:
- require carriers and carriage services providers (C/CSPs) to protect their networks from unauthorised access and interference;
- require C/CSPs to notify the Government of any change to their services or networks that is likely to have a material adverse effect on their ability to meet their security obligations; and
- give the Attorney-General enhanced direction and information gathering powers to manage national security risks affecting telecommunications networks.
The exposure draft of the Bill and the accompanying press release and extrinsic materials can be found on the Attorney-General’s website. The period allowed for the public to make submissions on the proposed Bill closes on 31 July 2015.
New security obligations
The proposed Bill would impose a new obligation on C/CSPs to “do their best” to protect their networks and facilities from unauthorised access and interference in order to ensure the confidentiality of communications and the availability and integrity of their networks. This would build upon existing provisions in the Telecommunications Act 1997 (Telco Act) that require C/CSPs to do their best to prevent their networks and facilities being used to commit offences.
The “do their best” standard imposed by the draft Bill, while consistent with other obligations already existing in the Telco Act, is somewhat concerning: it may be an onerous standard to meet and could be applied in an inconsistent manner, given that one person’s “best” may be different to another person’s “best”, taking into account their relative sophistication and depth of resource. The draft Explanatory Memorandum does shed some further light on what will be required, and acknowledges that it will not be possible to prevent all unauthorised access and interference against ever-evolving security threats. However, it indicates that the Bill would effectively impose a positive obligation on C/CSPs to take all reasonable steps to protect against security risks. Broadly speaking, this would mean that C/CSPs would need to demonstrate effective control and competent supervision over their networks. In particular, they would need to ensure they exercised an appropriate degree of technical oversight over their networks and maintained an appropriate level of authority to protect these networks.
This would affect the extent to which C/CSPs could outsource management of their networks, and may require C/CSPs to strengthen the security controls they have built into their supplier contracts, particularly when dealing with offshore providers. The Explanatory Memorandum acknowledges this, indicating that the measures “are largely directed at ensuring C/CSPs build security considerations into their arrangements with suppliers of equipment, services and support arrangements, particularly where data, and/or service delivery operation or support is to be provided from offshore locations.” It would also be important for C/CSPs to consider national security issues as part of their high-level network governance, and factor national security risks into relevant business decisions on how to structure and manage networks.
New notification obligations
The introduction of the new security obligations mentioned above would automatically expand the existing notification obligations under section 202B of the Telecommunications (Interception and Access) Act 1979, with the result that C/CSPs would be obliged to notify the Government of any proposed change to their services or systems that may have a material adverse effect on their ability to meet their security obligations.
The notification requirement would only apply in relation to changes, so C/CSPs would not be obliged to notify the Government of any security issues arising from their services and systems as they exist today. However, C/CSPs would need to consider whether any future change might warrant a notification to Government. The Explanatory Memorandum indicates that the aim of this is to “encourage early engagement on proposed changes to networks that could give rise to a national security risk and collaboration on the management of those risks.”
Changes that could potentially be notifiable include the introduction of new services, procurement of new network equipment or entering into new outsourcing arrangements (particularly with offshore providers). It may be difficult for C/CSPs to determine when such a change would materially increase a security risk (though the Explanatory Memorandum indicates that some guidance would be made available in the form of administrative guidelines developed in consultation with C/CSPs and through engaging with relevant national security agencies such as ASIO). For example, the Government has in the past prohibited certain foreign suppliers from providing equipment for projects of strategic national importance, such as the National Broadband Network, due to security concerns. Major global suppliers have been excluded on these grounds. On this basis, it is possible that the Government may view a decision by a C/CSP to procure equipment from one of these suppliers as a potential security risk that should be notified. This could be an onerous requirement for any C/CSP that does business with a range of multinational suppliers.
New powers for the Attorney-General
A key purpose of the proposed notification requirements discussed above is to give Government the opportunity to work collaboratively with C/CSPs to address any security threats. If a collaborative approach is not successful, then the proposed Bill would give the Attorney-General (or their secretary) certain powers to direct C/CSPs to do, or refrain from doing, certain acts that may be prejudicial to national security. Compliance with these directions would be enforceable under a civil penalty regime.
These provisions of the proposed Bill expand on existing powers of the Attorney-General to require C/CSPs to cease using or supplying a carriage service where doing so may be prejudicial to national security. However, the expansion is significant and creates scope for far broader directions that could interfere with the way that C/CSPs operate their business. The draft Explanatory Memorandum indicates that the direction making power would be used as a last resort, where Government agencies have been unable to reach agreement with C/CSPs on how to combat relevant security threats, and notes that existing direction making powers have never been used. However, there is no guarantee that every exercise of the power would be appropriate and, while the Bill includes a requirement for consultation within different parts of Government before the power is exercised, there is no equivalent requirement to consult with affected C/CSPs. In addition, directions would be exempt from administrative review under the Administrative Decisions (Judicial Review) Act 1977.
If enacted, the proposed Bill would also give the Attorney-General new powers to require the production of information by C/CSPs in relation to their security obligations. These powers may be delegated to ASIO. Once received, information gathered under these powers may be shared with any other person for the purposes of national security. This could, for example, allow information to be shared within Government, with foreign intelligence agencies and potentially with industry bodies where doing so may help to combat a relevant security threat.