Proposed legislation to implement the government’s Telecommunications Sector Security Reforms (TSSR) has received bipartisan support.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) today released its report on the Telecommunications and Other Legislation Amendment Bill 2016, which will create a formal obligation for carriers/carriage service providers (C/CSPs) to protect their networks from threats such as espionage, sabotage and foreign interference.
The TSSR regime would also require telcos to notify the government of key changes to their services or systems that could affect security — and give the attorney-general the power to direct them to do or refrain from doing a specified thing that may impact network security.
For example a telco may need to advise the government of plans to provide new services or enter outsourcing arrangements.
The PJCIS report recommends the bill be passed, subject to a number of other recommendations being implemented including that the committee review the impact of the legislation within three years of it the TSSR regime becoming law.
The committee recommended a number of changes to the TSSR guidelines (PDF) produced by the Attorney-General’s Department, to clarify, for example, the obligations imposed on companies providing over-the-top (OTT) services or cloud services leveraging telecommunications infrastructure.
The guidelines should also provide details on the kinds of changes to network infrastructure that would not require notifying the government, the report said. In addition, an annual report on the operation of the legislation should be presented to parliament.
“We always prefer to have amendments captured in the legislation itself, rather than in guidelines, but the PJCIS has done an excellent job of highlighting to government the remaining weaknesses in the legislation, and government should accept the recommendations,” said Communications Alliance CEO John Stanton.
The proposed legislation has met with a less-than-enthusiastic reception within the telecommunications sector, which in recent years has already had to deal with the regulatory burden of the data retention regime.
The bill went through multiple iterations of the bill before it was introduced in the Senate in November.
In a submission to the inquiry, the Australian Industry Group (Ai Group), the Australian Information Industry Association (AIIA), the Australian Mobile Telecommunications Association (AMTA), and Communications Alliance argued that the legislation was “too discretionary and vague and is lacking two-way cooperation and information, thereby imposing substantial costs, uncertainty and regulatory risk onto the entities proposed to be regulated”.
“The legislation is an over-reach and an unnecessary imposition of inflexible black-letter law when a more flexible, proactive, informative and collaborative approach (as is being implemented in other jurisdictions) would be more effective in protecting Australia’s telecommunications infrastructure,” the organisations said.
One specific criticism was that telcos could be forced to undertake expensive retrofitting of aging infrastructure — because the bill draws no distinction between existing or relatively new networks or facilities and older infrastructure.
The PJCIS acknowledged the concern that “the powers in the Bill could be potentially used to compel companies to retrofit existing systems at a significant cost to those companies.”
However, the committee rejected the industry’s idea of a sunset clause on the power for the government to issue a direction for network retrofit.