Legislation introduced to Federal Parliament in November 2016 intended to help protect Australian communications networks and businesses from cyber attack and sabotage, has been criticised by a coalition of industry representatives.
The group includes the Australian Industry Group (Ai Group), the Australian Information Industry Association (AIIA), the Australian Mobile Telecommunications Association (AMTA) and Communications Alliance.
The group of industry bodies said the legislation in its current form may, in fact, make local companies and communications networks more vulnerable to cyber attack and sabotage.
After introducing the legislation to parliament, the Attorney General's department said, “the Bill formalises and enhances existing information sharing and relationships between government and telecommunications carriers and carriage service providers (C/CSPs) to ensure greater consistency, transparency and accountability for managing national security risks across all parts of the telecommunications sector.”
The goals of the proposed changes to current law include establishing a security obligation applicable to all C/CSPs, requiring them to do their best to protect their networks from unauthorised access and interference.
It will also require carriers and some carriage service providers to notify security agencies of planned key changes to networks and services that could compromise their ability to comply with the security obligation.
Under the proposed new laws the secretary of the Attorney-General's Department would be empowered to request information from C/CSPs to monitor compliance with the security obligation. It would also provide the Attorney-General with a power to issue a carrier or service provider a direction requiring them to do or refrain from doing a specified thing to manage security risks.
The proposed legislation would also expand the operation of existing civil enforcement mechanisms in the Telecommunications Act of 1997 to address non-compliance with the security obligation, notification requirement, information requests and directions.
Industry strikes back
In a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), the industry group pointed to “serious problems” such as vague drafting, regulatory overreach, the ongoing risk that telecoms service providers could be forced by Government to dismantle or retro-fit existing communications networks, and the risk to hamper innovation and to place Australian businesses at a competitive disadvantage.
The submission also praised the Government for making a number of “useful amendments to earlier drafts of the legislation”, after receiving advice from industry stakeholders.
It also acknowledged that Australia’s critical infrastructure, including telecommunications services and networks, remains at risk from espionage, sabotage and foreign interference, and pointed out that industry players are commercially motivated to invest in hardening and protecting their networks.
However, the associations warned that the "onerous, one-way nature" of the notification requirements will act to hamper the responsiveness of service providers to cyber threats.
The group called on Government to consider more collaborative, effective approaches, as are being adopted or contemplated in other countries including the US, UK and Canada.
The submission stated that the proposed TSSR regime, “may in fact divert scarce resources away from investing directly in addressing cyber security threats, to compliance overhead arising from the regime. It may reduce the ability for the ICT industry and its clients to proactively monitor and quickly respond to threats and breaches".
While the proposed legislation establishes a set of obligations for Industry, the associations pointed to the absence in the legislation of an equivalent requirement for Government to brief Industry on emerging threats.
A further potential impractical provision, according to the group, was a requirement to attempt to protect networks that are ‘used’ by a service provider, even when these networks are not owned or controlled by that provider, and might not even be located in Australia or subject to Australian law.