In July 2015 the Federal Attorney-General's (A-G's) department released draft amendments to the Telecommunications Act 1997 (Telco Act) and the Telecommunications (Interception and Access) Act 1979 (TIA Act) designed to improve network and information security in Australia. The changes are known as the Telecommunications Security Sector Reforms (TSSR). On 27 November 2015 a further draft of the TSSR was released for public comment. The new draft amends and moderates the earlier draft.
In this update we summarise the latest version of the proposed TSSR and comment on aspects of the new scheme.
Industry wide security obligation
Section 313 of the Telco Act contains a list of security and law enforcement related obligations that apply to carriers and carriage service providers (CSPs). The TSSR would add two new obligations:
- Carriers and CSPs "in connection with" the operation of networks and facilities or the supply of carriage services will have an obligation to "do the carrier's or carriage service provider's best to protect telecommunications networks and facilities from unauthorised access..." in order to protect the confidentiality of communications and the integrity of networks and facilities. The obligation to do one's best is stated to include an obligation to "maintain competent supervision of, and effective control over, telecommunications networks and facilities".
- Carriage service intermediaries will have the same obligation but without the precondition that it apply in connection with "the operation of networks and facilities or the supply of carriage services". A carriage service intermediary is a type of CSP that is paid to arrange the supply of a "listed carriage service" to a third person for a carrier or CSP but may not own or acquire for resale network capacity.
Each obligation is stated to be for the purpose of security within the meaning of the Australian Security Intelligence Organisation Act 1979. Security is defined in that Act to mean the protection of Australians from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on Australia's defence system, or acts of foreign interference; the protection of Australia's territorial and border integrity from serious threats; and the carrying out of Australia's responsibilities to any foreign country in relation to any of these matters.
New notification obligations including Security Capability Plans
The TSSR introduces a notification obligation that applies to carriers and nominated carriage service providers (NCSPs). (Currently no carriage service providers have been nominated.)
A subject entity must notify the Communications Access Coordinator (CAC), an officer in the A-G's department, if it becomes aware that the implementation of a change to a service or system "is likely to have a material adverse effect on the capacity of the provider to comply with …" the new security obligations.
The carrier or NCSP may notify by lodging a notice or by lodging a Security Capability Plan (SCP). An SCP sets out "one or more changes… the carrier or provider proposes to implement in the future that are likely to have a material adverse effect on the capacity of the carrier or provider to comply with its obligations under 313(1A) or (2A)". An SCP may also set out "practices, strategies and policies" that are intended to meet security obligations and measures being implemented to mitigate unauthorised access to, or interference with, networks or facilities.
The proposed legislation has parallel mechanisms for the process following lodgement of a notice or SCP. The CAC can request further information and, within a time limit, must either:
- (a) form the view that the information provided indicates circumstances that are not prejudicial to security, and notify the carrier or NCSP to that effect; or
- (b) form the view that the information provided relates to a matter that may be prejudicial to security.
In the case of (b), the CAC must give a written notice to the notifying party advising of the risk to security, setting out the relevant duties (i.e. the new provisions in section 313) and "setting out the consequences" of not complying with the duty. The CAC may also set out measures that might eliminate or reduce the risk.
Power to give directions
The proposed law adds a new power whereby the A-G can direct the actions of carriers and CSPs. If the A-G has received an adverse security assessment in relation to a carrier or CSP, and the A-G is satisfied that there is a risk of unauthorised interference with, or access to, telecommunications networks or facilities that would be prejudicial to security, the A-G may direct the carrier or CSP to do, or refrain from doing, a specified act or thing within the period specified in the direction.
This power may only be exercised if the A-G has consulted with the Communications Minister, has notified the carrier or CSP of the proposed direction, has invited representations from the subject party and has considered those representations. The A-G must consider certain matters including:
- the adverse security assessment;
- the cost of the proposed direction to the carrier or CSP and industry;
- the consequences on customers; and
- whether reasonable steps have been taken to negotiate with the carrier or CSP.
The proposed law introduces a broad power for the A-G to require delivery of information relevant to assessing compliance with the duty imposed by the new security provisions. The provision requires the A-G's secretary to issue a notice requiring that such information be provided, and removes the privilege against self-incrimination as an excuse for non-compliance. The proposed law maintains the right, found in the earlier draft legislation, to share information obtained by use of the information-gathering power, but narrows the extent of disclosure by limiting the sharing right to Commonwealth officers and deeming the information confidential.
The changes are proposed to become law one year from Royal Assent.
Comments and observations
If enacted, the latest draft TSSR will introduce onerous new security obligations on the telecommunications industry in Australia, including a duty to maintain the security of telecommunications systems, networks and facilities. Carriers and NCSPs will have an obligation to notify the CAC if they become aware that any proposed change is likely to have a material adverse effect on their ability to comply.
The express requirements to "do one's best to protect" and to "maintain competent supervision of, and effective control over..." networks and facilities set a high and potentially uncertain standard of care to protect against espionage, sabotage and foreign interference, one that may be difficult to interpret and apply in practice, particularly when implementing systems and services provided or supported offshore.
The latest version of the changes creates mechanisms for consultation between industry and the CAC while maintaining the standard of the duty and the breadth of the proposed powers.
The rules as drafted would appear to require a substantial review and possible redesign of existing systems. However, the November 2015 draft Telecommunications Security Sector Guidelines says that carriers and CSPs with networks and facilities that are not compliant when the TSSR becomes law will not be penalised: "C/CSPs are not expected to retrofit all systems on commencement of this security obligation, except in very rare cases where significant security vulnerability is found in an existing network that could facilitate acts of espionage, sabotage and foreign interference." (Page 23).
This statement of policy appears inconsistent with the terms of the proposed law.
The new draft TSSR gives the A-G a very broad new power to make directions, but that power has been moderated by requirements to consult and notify the possible subject before it is exercised.
Making a submission
The A-G is calling for submissions on or before 18 January 2015. A template for making a submission is included on the Website.