Senate

Revised Explanatory Memorandum

(Circulated by authority of the Attorney-General, Senator the Honourable George Brandis QC)

GENERAL OUTLINE

1. The Telecommunications and Other Legislation Amendment Bill 2017 (the Bill) will amend the Telecommunications Act 1997 (the Telecommunications Act) and related legislation, including the Telecommunications (Interception and Access) Act 1979 (the TIA Act ), the Administrative Decisions (Judicial Review) Act 1977 (the ADJR Act) and the Australian Security Intelligence Organisation Act 1979 (the ASIO Act), to introduce a regulatory framework to better manage national security risks of espionage, sabotage and foreign interference to Australia's telecommunications networks and facilities.

2. The security and resilience of telecommunications infrastructure significantly affects the social and economic well-being of the nation. Government and business are increasingly storing and communicating large amounts of information on and across telecommunications networks and facilities. By their nature, telecommunications networks and facilities hold sensitive information. For example, lawful interception systems and customer billing and management systems which, if unlawfully accessed, can reveal sensitive law enforcement operations or the location of persons. This information presents a rich intelligence target for those who wish to harm Australian interests. Telecommunications networks, systems and facilities are also critical infrastructure and vital to the delivery and support of other critical infrastructure and services such as power, water and health.

3. For these reasons, the telecommunications networks and facilities of carriers, carriage service providers and carriage service intermediaries (C/CSPs) are attractive targets for espionage, sabotage and foreign interference activity by state and non-state actors. National security risks relate to possible:

•

compromise or degradation of telecommunications networks

•

compromise of valuable data or information of a sensitive nature, such as aggregate stores of personal data or commercial or other sensitive data

•

impairment of the availability or integrity of telecommunications networks; or

•

the potential impact on other critical infrastructure or government services (such as banking/finance, health or transport services).

4. A key source of vulnerability for espionage, sabotage and interference activity is in the supply of equipment, services and support arrangements. Australian telecommunications networks rely on global suppliers of equipment and managed services which are often located in, and operate from, other countries. This can create further challenges in implementing controls to mitigate personnel, physical and information and communications technology (ICT) security risks in some locations and therefore make networks and facilities more vulnerable to unauthorised access and interference.

5. Advances in technology and communications have introduced significant vulnerabilities, including the ability to disrupt, destroy or alter telecommunications networks and associated critical infrastructure as well as the information held on these networks. Vulnerabilities in telecommunications equipment and managed service providers can allow state and non-state actors to obtain clandestine and unauthorised access to networks. Such access could be used to extract information and disrupt or potentially disable networks.

6. While it is in the interest of all C/CSPs to secure their networks and facilities in order to comply with existing legislative obligations (for example to protect personal information under the Privacy Act 1988 (the Privacy Act)) and to protect business continuity and reputation, these may be different to the requirements to protect national security interests. For example, some business delivery models may expose a telecommunications network, facility or service to high risks of espionage, sabotage and unauthorised interference and access, but may not otherwise affect the business continuity or general security of the network or facility. The reforms are intended to require C/CSPs to take into account a broader range of security risk factors when making investment decisions, to protect broader national security interests.

7. Currently national security risks to the telecommunications sector are largely managed through informal cooperative arrangements with industry. Security agencies have well established cooperative relationships with select carriers, and work collaboratively with these carriers to manage vulnerabilities on these networks. However, there are significant limitations to this approach. A voluntary or cooperative approach is only workable where companies are willing to give due consideration to national security and the public interest. . The industry is also dynamic and competitive and there are a number of market entrants and companies rapidly growing their market share that do not have established relationships with government. The rollout of the NBN magnifies the changes within the market.

8. There is an existing power in subsection 581(3) of the Telecommunications Act which authorises the Attorney-General to direct a C/CSP to cease operating its service where the proposed or continued operation of that service is, or would be, prejudicial to security. The power is an extreme measure and only appropriate for managing the most extreme national security risks given the potentially significant flow on consequences for the affected company's business, their customers, and possibly the broader Australian economy. For these reasons the power has not been exercised to date.

9. The absence of a comprehensive and proportionate security framework means security agencies do not have adequate levers (except in the most extreme circumstances) to engage those companies who choose not to engage on a voluntary basis with security agencies. Not only does this limit security agencies' visibility of potential vulnerabilities which could be exploited by malicious actors across a large part of the sector, it compromises existing cooperative relationships with carriers who seek a level playing field.

10. The security framework will formalise the relationship between Australian Government agencies and C/CSPs to achieve more effective collaboration on the management of national security risks. The aim is to encourage early engagement on proposed changes to networks and services that could give rise to a national security risk and collaboration on the management of those risks. While a more formal relationship is necessary to ensure appropriate management of national security risks, the regulatory objective is to achieve national security outcomes on a cooperative basis rather than through the formal exercise of regulatory powers. The Attorney-General's Department (AGD) and Australian Security Intelligence Organisation (ASIO) will work with C/CSPs to achieve more secure networks and facilitate the early identification of potential national security risks.

11. The Bill amends the Telecommunications Act to establish a comprehensive regulatory framework to better manage national security risks of espionage, sabotage and foreign interference, and better protect networks and the confidentiality of information stored on and carried across them from unauthorised interference and access. The amendments will supplement existing provisions including:

•

the national interest obligations in section 313 of the Telecommunications Act, which require C/CSPs to do their best to protect networks and facilities from being used to commit offences;

•

notification requirements in section 202B of the TIA Act concerning proposed changes to networks and services; and

•

the existing directions power in subsection 581(3) to cease a service.

12. The Bill also implements the recommendations of two separate Parliamentary Joint Committees on Intelligence and Security (PJCIS). In 2013, the PJCIS recommended that the government progress measures to enhance the security and stability of Australia's telecommunications infrastructure. The recommended measures included the establishment of a security framework by way of amendments to Australia's telecommunications legislation (recommendation 19).

13. In its advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the PJCIS further recommended that the government enact the proposed telecommunications sector security reforms. This security framework would complement the data retention regime by improving the security of networks as a whole, thereby providing an additional layer of protection for retained data, as well as other information.

14. The Bill delivers on telecommunications sector security reform work recognised in the 2016 Australian Cyber Security Strategy.

15. The Bill provides that the operation of the reforms will be reviewed by the PJCIS within three years of the Bill receiving Royal Assent, and for the PJCIS to give the Attorney-General a written report of the review.

Overview of legislative amendments

16. The Bill supports and gives meaning to existing provisions by:

•

imposing a security obligation on C/CSPs requiring them to do their best to manage the risk of unauthorised access and interference to networks and facilities they own, operate or use to ensure the availability and integrity of networks and facilities and to protect the confidentiality of information stored on and carried across them

•

imposing a notification requirement on carriers and some carriage service providers to notify of planned changes to systems and services that are likely to make the network or facility vulnerable to unauthorised access and interference, and providing for exemptions or partial exemptions from the requirement and the option to submit a Security Capability Plan to meet notification requirements

•

providing the Secretary of AGD with an information gathering power to facilitate compliance monitoring and compliance investigation activity in relation to compliance with the security obligation

•

providing the Attorney-General with a further directions power to direct a C/CSP to do or not do a specified thing (for example, alter a procurement assessed as giving rise to security risks), and

•

providing enforcement mechanisms by extending the civil remedies regime provided for in Part 30 (injunctions), Part 31 (civil penalties), and Part 31A (enforceable undertakings) to address non-compliance with the security obligation, a direction, or notice to produce information or a document. The Attorney-General would be authorised to commence proceedings to seek these remedies.

17. The Bill also repeals and reinserts subsection 581(3) as new section 315A to place the national security related provisions within the same part of the Act. There are no substantive changes to the existing direction power, with the exception of clarifying that the power can only be exercised on the basis of an ASIO adverse security assessment, and to remove the current exemption from review under the ADJR Act.

18. The regulatory framework is intended to promote a risk informed approach to managing national security risks of espionage, sabotage and foreign interference across telecommunications providers. For this reason, the national security obligation will apply to all C/CSPs. This will ensure that responsibility for managing national security risks to telecommunications infrastructure is more equitably managed across the industry. The approach is risk managed by requiring C/CSPs to "do their best" to manage the risk of unauthorised interference and access, which intends to impose a reasonableness test having regard to the particular circumstances of a C/CSP. In other words, what is required of a C/CSP to comply with the security obligation will be highly dependent on the risk profile of the provider.

19. On this basis, the notification requirement only applies to carriers and nominated carriage service providers (C/NCSPs) - NCSPs are companies that have been nominated under the TIA Act. The new notification requirement in section 314A of the Telecommunications Act is modelled on the existing notification provision in section 202B of the TIA Act. Section 314A will require C/NCSPs to notify the Communications Access Coordinator (CAC) within the AGD (as established under the TIA Act) of planned changes to telecommunications services or systems which are likely to have a material adverse effect on a C/CSP's ability to meet its duties under new sections 313(1A) and 313(2A) of the Telecommunications Act.

20. The Bill amends section 202B of the TIA Act to expressly exclude the application of section 202B to new sections 313(1A) and (2A) of the Telecommunications Act. Creation of a standalone notification provision within Part 14 of the Telecommunications Act will improve transparency of the new security framework. The new notification provision also clarifies the process for dealing with a notification once it is received by the CAC, and authorises the CAC to exempt a C/NCSP from compliance with the notification obligation either completely or in part.

21. New section 314A of the Telecommunications Act outlines the types of changes in arrangements that should be notified to the CAC, which include but are not limited to: outsourcing or offshoring arrangements affecting sensitive parts of a network and/or, procuring new equipment or services for sensitive parts of a network, and changes to the management of services. To streamline the notification requirement, C/CSPs will also have the option of submitting an annual Security Capability Plan which will facilitate bulk notification reporting.

22. The regulatory framework is intended to formalise and strengthen existing industry-government engagement and information sharing practices. The aim is that the new security obligation will operate to encourage engagement with government agencies on managing national security risks of espionage, sabotage and foreign interference. It will also provide industry with greater certainty about what is expected of them to protect national security interests and encourage greater consistency, transparency and proper accountability. The notification requirement is intended to trigger the consideration of national security when planning network or service delivery changes, particularly where services or network support is to be outsourced. A key area of interest for the government is changes to networks and systems that introduce risks to their security and the appropriate mitigations that would address these.

23. The security framework is not intended to prevent the use of particular equipment vendors or service suppliers. Additionally, it is a commercial reality that most C/CSPs will already have some component of outsourcing and offshoring in their business service delivery and support models. The framework only applies to C/CSPs within the meaning of the Telecommunications Act. This includes companies which have networks and facilities based in Australia, or networks or facilities located or managed offshore that are used to provide services and carry and/or store information from Australian customers. For global companies based in Australia, this means that to the extent networks, facilities and services are operated and managed in other countries, and do not have an Australian link, they are not required to ensure those networks and facilities comply with requirements under the framework.

24. The notification requirement is also not intended to replace existing direct engagement with security agencies. Rather it will provide greater clarity about the types of changes to network operations and service delivery that are likely to give rise to national security considerations and encourage targeted collaboration between C/NCSPs that have a high risk profile and security agencies to ensure these risks are adequately managed. While enforcement mechanisms and the regulatory powers will provide mechanisms for addressing non-compliance they are intended to operate as a last resort to address non-cooperative conduct rather than to penalise action and decisions taken in good faith. In considering whether C/CSPs are meeting their obligation (to do their best to manage the risk of unauthorised access and interference to networks and facilities that they own, use or operate), regard will be had to existing arrangements that C/CSPs already have in place when the provisions come into effect. Consideration will be given to existing arrangements when assessing compliance; however, this does not prevent the exercise of the directions powers to address an existing security risk. For example, if ASIO assessed that existing arrangements posed an immediate and unacceptable security risk to the confidentiality of information or the availability and integrity of networks and systems, ASIO may recommend implementing measures to mitigate the risk.

25. Importantly, the framework will be implemented and enforced on a good faith basis with the core objective to encourage industry and government collaboration and partnership to harden networks and facilities against unauthorised access and interference. However, there may be circumstances when a C/CSP wants the protections against civil and criminal liability which would be afforded through the exercise of the direction or information gathering powers. In some circumstances it may be in the interests of a company to request a direction to provide a clearer mandate for its board in making investment decisions.

26. Implementation of the legislative frameworks will be facilitated through non-binding administrative guidelines and the provision of threat information to assist C/CSPs to understand which parts of networks and facilities are particularly vulnerable to unauthorised access and interference, what is required of them to meet their legislative requirements and possible control measures and mitigations.

FINANCIAL IMPACT

27. The ongoing costs of resourcing and administering the scheme by ASIO and AGD are estimated to be $1.6m annually. These additional costs will be due to increased engagement with C/CSPs and to review notifications of proposed changes to telecommunications systems and services.

REGULATION IMPACT STATEMENT

28. The regulation impact statement appears at the end of this explanatory memorandum.