Senate

Revised Explanatory Memorandum

(Circulated by authority of the Attorney-General, Senator the Honourable George Brandis QC)

ATTACHMENT C

International Comparison

Similar to Australia, other countries are taking steps to manage security risks associated with telecommunication infrastructure and supply chains. These countries recognise that the threat of cyber intrusions into critical telecommunications networks is increasing, and also that the globalisation of the supply chain is increasing the level of security risk in the telecommunication sector. Key concerns shared by these countries include:

•

suppliers of concern are currently increasing the services they provide and growing their market share, particularly when these suppliers acquire business in the sensitive parts of networks

•

the global trend is for supplier of telecommunications equipment and software to move their management and support functions offshore to a few global centres, creating vulnerabilities for telecommunication networks, and

•

there is a global trend for the increasing provision of end-to-end services involving the supply and management of a whole layer of a network.

Furthermore, the benefits to companies of increasing efficiency and reducing overheads can lead them to make decisions that adversely affect the security of their networks and this can have correlating national security implications.

All these factors increase pressure on governments around the world to introduce and continuously build upon strategies to manage the risk posed by those who wish to compromise their national interests and security.

Like-minded countries recognise that managing national security risks to telecommunications infrastructure is a joint responsibility between government and industry and that it can only be achieved through a collaborative approach. These approaches range from weaker to stronger measures [redacted text], with an increasing trend to legislate cyber security requirements and enhance information sharing between government and industry.

[redacted text]

United States of America

Much like the TSSR the US is moving towards legislating regulatory requirements to facilitate risk management of the telecommunication sector and other critical infrastructure sectors. In response to the recent high profile hacking of Sony, President Obama (January 2015) set out for action an updated cybersecurity legislative proposal for Congress, which among other things would enable cybersecurity information sharing between the private sector with the Department of Homeland Security's National Cybersecurity and Communications Integration Centre (NCCIC). This would then be shared with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs), by providing targeted liability protection for companies that share information. The proposal also covers national data breach reporting requirements which aim to standardise an existing patchwork of 46 state laws (plus District of Columbia and several territories) to streamline data breach reporting requirements into one federal statute. More recently President Obama signed an Executive Order (13 February 2015) to support these measures and provide a framework for these to occur while cybersecurity information sharing legislation is being considered by the Congress.

These measures build upon existing arrangements and initiatives. A number of legislative measures have been previously pursued (e.g. Cyber Intelligence Sharing Protection Act 2013) to improve cybersecurity arrangements and promote information sharing between the private sector and government. However, privacy issues and sensitivities surrounding the Snowden disclosures have delayed consideration and passage through Congress of any bills promoting information sharing. An Executive Order (EO) 13696 Improving Critical Infrastructure Cybersecurity, was signed by President Obama in February 2013 as an interim measure.

A deliverable of the EO is the US National Institute of Standards and Technology (NIST) Cybersecurity Framework which was released in February 2014. The Framework is a risk-based voluntary approach leveraging existing industry standards and complementing existing cybersecurity practices. Its ongoing development is supported by legislation passed recently (18 December 2014) under the Cybersecurity Enhancement Act 2014. Key cybersecurity legislation which supports information sharing on cyber threats is still pending, but expected to be passed soon following approval by relevant Senate and House committees in late March 2015.

In addition, the US is one of the first countries to restrict specific telecommunication companies from its telecommunication sector due to national security concerns based on the findings of the US House of Representatives Intelligence Committee's report (October 2012). The Report recommended US carriers view certain telecommunication companies with suspicion, citing data and espionage concerns.

New Zealand

In November 2013, the New Zealand Parliament passed the Telecommunications (Interception Capability and Security) Bill 2013 which, among other things, establishes a network security compliance regime obliging network operators to engage with the NZ Government on network security, where it might affect NZ's national security interests. It specifically places:

•

obligations on network operators to engage in good faith and notify the NZ Government Communications Security Bureau (GCSB) of proposed decisions, actions or changes made in areas of specified security interest (any procurement, or change to architecture or ownership/control of network operations centres, equipment and information);

•

a requirement on network operators to create a proposal to prevent or sufficiently mitigate a security risk identified by GCSB. GCSB will then assess the proposal , and require the network operator to implement it; and

•

a pecuniary penalty up to $500 000 for 'serious' non-compliance with a duty. The High Court may impose a further penalty of $50 000 each day or part of a day the contravention continues.

The NZ legislation is comparatively more onerous then obligations under this proposed TSSR framework, noting the additional administrative requirement on C/CSPs to submit annual plans to the NZ Government.

[redacted text]

United Kingdom

The UK Parliament's Intelligence and Security Committee released a report in June 2013 investigating the British telecommunications sector. The report recognised a number of concerns affecting national security interests and recommended that there must be:

•

an effective process by which the UK Government is alerted to potential foreign investment in the critical national infrastructure;

•

an established procedure for assessing the risks;

•

a process for developing a strategy to manage these risks throughout the lifetime of the contract and beyond;

•

clarity as to what powers the UK Government has or needs to have; and

•

clear lines of responsibility and accountability.

Aspects of these recommendations are reflected in the proposed approach under TSSR.

On 18 July 2013, former UK Prime Minister David Cameron tabled in Parliament the UK Government's response to the Committee report. It accepted that national security was not sufficiently considered as part of the BT 21CN contract and committed to a review of the Cell by the National Security Adviser, Kim Darroch. The review was finalised in December 2013. In a written statement to the Parliament, PM Cameron concluded that the UK Government would enhance oversight of the Cell and that the GCHQ should take a leading role in future senior appointments.

The UK Government has also implemented a number of measures to address cyber security as part of its national Cyber Security Strategy. Like the US and the TSSR, the UK has developed with industry a set of voluntary cyber security standards. These now underpin the UK Government's recently released Cyber Essentials scheme - a cybersecurity assurance certification program that caters for both small and large businesses. The scheme is an award to industry that allows them to show customers they have measures in place (based on these cyber security standards) to help protect them from cyber threats. The UK Government requires all suppliers tendering for certain contracts handling personal and sensitive information to be Cyber Essential certified. In addition, the UK has an established Cyber Security Information Sharing Partnership which facilitates the exchange of information on cyber threats between industry and the UK Government in a trusted environment.

India

The Indian Government has taken a stringent approach to address national security concerns presented through the telecommunications supply chain. These measures are stipulated in licensing agreements with telecommunications service providers and focus on the compliance of end-to-end-security standards and the imposition of various trade restrictions. For example, "sensitive" government ICT projects must source from a list of "domestic manufacturer" status companies approved by the Telecom Equipment Manufacturers Association of India.

In addition, India has stringent security review and clearance conditions in place for Chinese investment in sectors such as telecommunications. This includes visa restrictions placed on Chinese business executives. However, recently there has been pressure placed on the Indian Government to relax some of these measures to support foreign investment in the country.

We note that the Indian approach may be as much about supporting local industry development as addressing security concerns.

Taiwan

Taiwanese Government agencies have prohibited telecom operators in Taiwan from procuring telecom equipment from particular companies. In 2011, Taiwanese national security agencies encouraged telecom operators to quickly replace their existing Chinese-made core network equipment.

Singapore

The Singapore Government amended its Computer Misuse Act in January 2013 with a number of offence provisions relating to the misuse of computer networks or information. The Act includes provisions to strengthen Singapore's ability to protect critical information infrastructure (cyber security measures and requirements), through a ministerial direction which requires any specified person or organisation to take measures or comply with requirements necessary to prevent, detect or counter any threats to ICT.