Senate

Telecommunications and Other Legislation Amendment Bill 2017

Revised Explanatory Memorandum

(Circulated by authority of the Attorney-General, Senator the Honourable George Brandis QC)
This memorandum takes account of amendments made by the Senate to the bill as introduced and supersedes the Explanatory Memorandum tabled in the Senate on 9 November 2016

REGULATION IMPACT STATEMENT

TABLE OF CONTENTS

REVISED EXPLANATORY MEMORANDUM 1
TELECOMMUNICATIONS AND OTHER LEGISLATION AMENDMENT BILL 2017 2
GENERAL OUTLINE 2
FINANCIAL IMPACT 7
REGULATION IMPACT STATEMENT 7
STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS 8
NOTES ON CLAUSES 21
1.1 Clause 1 - Short title 21
1.2 Clause 2 - Commencement 21
1.3 Clause 3 - Schedules 21
SCHEDULE 1 - AMENDMENTS 21
PART 1 - MAIN AMENDMENTS 21
1.4 Overview of measures 21
1.5 Item 1 - Section 5 22
1.6 Item 2 - Section 7 22
1.7 Item 3 - After subsection 105(5A) 23
1.8 Item 4 - Before section 311 23
1.9 Items 5 and 6 - Section 311 and at the end of section 311 23
1.10 Item 7 - Before section 312 23
1.11 Item 8 - After subsection 313(1) 23
1.12 Item 9 - After subsection 313(2) 28
1.13 Items 10 and 11 - Paragraph 313(5)(a) and at the end of subsection 313(5) 28
1.14 Item 12 - After section 314 29
1.15 Item 13 - After section 315 37
1.16 Item 14 - Before section 316 50
1.17 Item 15- Subsections 564(1) and (2) 51
1.18 Item 16 - After subsection 564(3) 51
1.19 Item 17 - Before subsection 564(4) 51
1.20 Item 18 - Subsection 571(1) 52
1.21 Item 19 - Before subsection 571(3) 52
1.22 Item 20 - At the end of section 571 52
1.23 Item 21 - Section 572A 52
1.24 Item 22 - Subsections 572B(1), (3) and (4) 52
1.25 Item 23 - At the end of subsection 572B(5) 52
1.26 Item 24 - After subsection 572B(5) 53
1.27 Item 25 - Subsection 572C(1) 53
1.28 Item 26 - At the end of section 572C 53
1.29 Item 27 - Subsections 581(3) and (3A) 53
1.30 Item 28 - Subsection 581(4) 53
1.31 Item 29 - Subsection 581(5) 53
PART 2 - OTHER AMENDMENTS 54
1.32 Item 30 and 31 - Subparagraph 202A(a)(ii) and at the end of paragraph 202B(1)(b) 54
1.33 Item 32 - Paragraph (daa) of Schedule 1 54
1.34 Item 33 - Subsection 35(1) (subparagraph (d)(ii) of the definition of prescribed administrative action) 54
1.35 Item 34 - Paragraph 38A(1)(b) 54
PART 3 - TRANSITIONAL AND SAVING PROVISIONS 54
1.36 Item 35 - Transitional and saving provisions 54
REGULATION IMPACT STATEMENT 56
Purpose 59
Introduction 59
1 What is the policy problem? 61
1.37 1.1 The Security Problem 61
1.38 1.2 The Australian Market 62
1.39 1.3 Current Regulatory Framework 63
2 Why is government action needed? 65
1.40 2.1 National security 65
1.41 2.3 Inefficiency and ineffectiveness of existing regulation 66
1.42 2.4 Broader flow on impacts of secure telecommunications infrastructure 67
3 Objective 68
4 What policy options have been considered? 68
1.43 4.1 Option 1 - Retaining the status quo 69
1.44 4.2 Option 2 - Industry Code (Quasi/Co-regulation) 70
1.45 4.3 Option 3 - Amending existing legislation to introduce a security framework 71
1.46 4.4 Option 4 - Amend existing legislation to introduce security framework and require annual investment plans 73
5 What is the likely net benefit of each option? 73
1.47 5.1 Option 1 - retaining existing regulation under the status quo 75
1.48 5.2 Option 2 - Co-regulation 78
1.49 5.3 Option 3 - Security Framework: Amending Legislation 85
1.50 5.4 Option 4 Investment Plans - Amending Legislation 93
6 Who will you consult and how will you consult them? 95
1.51 6.1 Early 2014 consultations 97
1.52 6.2 February-March 2015 Targeted Consultation 98
7 What is the best option from those you have considered? 99
8 How will you implement and evaluate your chosen option? 102
1.53 8.1 Agency Responsible for Regulatory Functions under a security framework 102
ATTACHMENT A 104
ATTACHMENT B 105
ATTACHMENT C 106

Purpose

This Regulatory Impact Statement (RIS) considers four options for addressing the ongoing management of national security concerns in the Australian telecommunications sector. Specifically, it relates to the need for Carriers, Carriage Service Providers and Carriage Service Intermediaries (together referred to as C/CSPs) to protect their networks and facilities from unauthorised access and interference. The need for reform and options for reform are considered having regard to industry's preference for a framework that:

provides a level playing field for protection of networks and facilities for all industry players and does not disproportionally burden some companies over their competitors;
provides industry with clarity, certainty and flexibility to assist with their commercial decision-making, including to meet their broader operational and commercial requirements in the context of global links;
allows greater access to, and sharing of, security information between government and industry; and
gives careful consideration to the regulatory impacts on both C/CSP operations and customers, including removing onerous and/or duplicated processes and obligations on industry.

This document has been prepared by the Attorney-General's Department (AGD) in consultation with Australian Government security agencies; and the Department of Communications. Much of the classified information in the RIS has been provided by security agencies. The RIS has also been developed in consultation with the Office of Best Practice Regulation (OBPR) and the Department of the Prime Minister and Cabinet (PM & C) in accordance with the government's requirements for assessing regulatory impacts of proposed reforms.

The net benefit analysis is largely qualitative rather than quantitative due to limited industry data and case studies to highlight and compare the costs associated with mitigating national security risks. For example, it has not been possible to quantify cost implications of a failure to mitigate a national security risk or the cost of taking remedial or mitigating action. There is not an equivalent industry proxy to substitute the lack of industry data. For this reason, the RIS focusses on transaction costs to industry and not costs associated with potential implications of reduced competition in the supply market or costs of mitigation where legacy systems are replaced or upgraded.

Introduction

In 2004, the Telecommunications Act 1997 was amended to provide a power for the Attorney-General, in consultation with the Prime Minister and Minister for Communications, to direct a person to prevent or cease the supply of a telecommunications service on national security grounds. Since its enactment, the power has not been exercised. It is an extreme power, and while there have been incidents that have necessitated the power being considered to address potential national security risks posed by the actions of individual C/CSPs, no Attorney-General has yet issued a direction under section 581(3).

To date, national security risks to telecommunications networks and facilities have been managed through cooperative relationships with the highest risk C/CSPs, relying on their goodwill to implement security advice. Security agencies rely on the power in section 581(3) as a basis for engagement and encouraging cooperation. This approach is risky for numerous reasons (detailed below) and involves often lengthy and costly engagement (for both government and industry) on a case-by-case basis. While section 581(3) provides an ultimate mechanism to address national security risks, there would be wide reaching and significant impacts on market and the community. This calls into question whether it could be used. Security agencies' concern that the current framework is ineffective and inefficient to manage the national security threat to telecommunications infrastructure necessitates consideration of improvements to the current framework.

In late 2011 the AGD considered, in consultation with other agencies, a range of risk management measures to mitigate national security risks to Australia's telecommunications infrastructure. The government agreed to explore a risk-based regulatory framework as a means to improve the way national security risks are managed in the telecommunications sector. As part of this exploratory process, AGD undertook targeted consultation with C/CSPs to inform its assessment of resource implications and the impacts on industry. Industry provided limited information and data which has made analysis and quantification of those impacts challenging.

In 2013, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) undertook a review of three national security reforms and published its report 'Inquiry into Potential Reforms of Australia's National Security Legislation' in June 2013. Following a broad public consultation process, the PJCIS recommended that government amend the Telecommunications Act by establishing a security framework to mitigate security risks to Australia's telecommunications infrastructure (recommendation 19) to provide:

a telecommunications industry-wide obligation to protect infrastructure and information held on it or passing across it from unauthorised interference;
a requirement for industry to provide the government with information to assist in the assessment of national security risks to telecommunications infrastructure; and
powers of direction and a penalty regime to encourage compliance.

The PJCIS further recommended that in developing such a framework government should have regard to the regulatory impacts, particularly on competition, and matters such as how such a framework would interact with existing corporations' law and protections (such as an indemnity against civil action) for service providers who have acted in good faith.

The PJCIS also noted 'warm, if cautious, support of most industry submitters' and supported the introduction of a security framework in their public inquiry. The rationale for recommendation 19 provided by the PJCIS was the potential for misalignment of commercial interests with national interest where national security is threatened and industry sometimes does not act on the advice of government. [3]

The current proposal for reform was developed taking into account the findings of the report, the feedback the PJCIS received during its consultation processes, and further feedback received from industry through additional consultation on the proposal undertaken as part of the RIS process in 2014. Consultation processes and the industry feedback received are detailed at pages 43 to 46.

This RIS and the proposed reforms aim to respond to the PJCIS inquiry and consider different options for how the existing regulatory framework may be improved.

1 What is the policy problem?

1.1 The Security Problem

Australia's national security, economic stability, prosperity and social wellbeing are increasingly dependent on telecommunications networks and infrastructure that connect us to the Internet. Government and business have increasing amounts of information and records of communications that are stored electronically in telecommunications networks and facilities. At the same time, these systems are becoming more connected to, and dependent on, the Internet to move information nationally and internationally. The telecommunications systems and the information networks to which they are connected are essential parts of our national infrastructure. [redacted text]

Australian citizens, businesses and public entities rely on C/CSPs to handle their communications and electronically stored information securely. The C/CSP networks and infrastructure that hold and transmit communications data have become vital to our national interest. However, at the same time, these networks and infrastructure have become attractive targets for those who wish to harm Australian interests. [redacted text] The recent hacking of telephone voicemail systems in the UK illustrates the broader implications of an unsecure network - in that case, hacking did not require the expertise and well-resourced capability of a hostile foreign intelligence agency.

[redacted text]

The threats come from a variety of sources: other national states acting in their own national interest; criminal syndicates (in particular well-resourced organised crime networks); business corporations seeking commercial advantage over competitors; political or other issue-specific groups; cyber-vandals and 'hacktivists'.

A key source of vulnerability for telecommunications networks and systems is in the supply of equipment, services and support arrangements. Australian telecommunications networks rely on global suppliers of equipment and managed services which are often located in and operate from foreign countries. This can create further challenges in implementing controls to mitigate personnel, physical and information and communications technology (ICT) security risks in some locations and therefore make networks and facilities more vulnerable to unauthorised interference. [redacted text]

[redacted text]

1.2 The Australian Market

Size and composition of the Telecommunications Industry

The telecommunications sector is an important part of the Australian economy, providing employment to over 54 000 Australians and generating revenue of approximately $43.7b (2013-14). [4] In 2010, investment figures for the telecommunications industry totalled approximately $10b with a projected growth to $15b in 2014. [5] Australia's telecommunications sector comprises of approximately 200 licensed carriers (organisations that own networks or facilities used to provide telephony or internet services to the public), and approximately 1360 CSPs (entities that use, but do not own, infrastructure used to provide telephony or internet services to the public). The majority of the telecommunications market in Australia is represented by a small number of larger carriers. The three largest carriers (Telstra, Optus and VHA) account for over 90 per cent of revenue in the telecommunications market and the remaining 10 per cent is dominated by around five C/CSPs. [redacted text]

The telecommunications sector forms the backbone to other critical infrastructure sectors in Australia (such as energy, banking and finance). These sectors are increasingly dependent on the telecommunications sector. A serious compromise of the telecommunications sector would have a cascading effect on other critical infrastructure sectors and significantly impact the Australian economy. [redacted text]

Developments in the telecommunication market

C/CSPs have benefitted from advances in digital technology, the structural separation of Telstra, the national rollout of 4G networks by various service providers, greater reliance on outsourcing and cloud computing. [6]

Increasingly vendors are offering C/CSPs services which provide all elements for a C/CSP to perform a particular function, such as operations support and business systems, and is sold as a complete bundle. This is often referred to as a 'turnkey solution' and can be a source of vulnerability to unauthorised access and interference making it difficult for C/CSPs to implement controls to mitigate security concerns. [redacted text]

Convergence of technology is boosting competition and changes in the market, driving investment in infrastructure and expansion of operating network environments. The NBN rollout will further transform the Australian telecommunications sector, with changes to the telecommunications market's structure and functionality creating new opportunities for C/CSPs to access the Australian market.

[redacted text] Potentially the greatest threats to the security of the telecommunications sector are focused on [redacted text] high priority C/CSPs. [redacted text] However, the dynamic and fluid nature of the market is driving dynamic change across all levels of the industry. [redacted text]

Investment trends suggest most C/CSPs operate on a three to five year business cycle. To keep pace with rapid technological developments, C/CSPs will replace more sensitive parts of their networks and facilities in their entirety at least once during this cycle. [redacted text]

There is growing reliance by the telecommunications industry on customer data management programs which use data analytic techniques to increase profit. Industry has been investing heavily in operation support systems and business support systems to develop an understanding of customer requirements and preferences. [redacted text]

While C/CSPs have a general commercial incentive to provide customers with a secure environment, this incentive is usually limited to providing business continuity rather than extending to protect against national security threats. Threats to national security may not manifest as a risk to business continuity and most customers, with the exception of government and large corporate accounts, may not have an awareness of these risks to seek assurance. [redacted text]

As well as technical and market changes, intense cost pressure is being applied to C/CSPs in the Australian market. In the past ten years significant changes in technology have altered the shape of the telecommunications market. [redacted text] With C/CSPs under greater pressure to minimise costs, there is a commercial motivation to accept higher risk propositions for the supply of equipment and services. Fiduciary duties on company boards and directors can operate as a disincentive to consider national security risks when making procurement decisions.

1.3 Current Regulatory Framework

The regulatory framework for managing national security risks in the telecommunications sector places responsibility for managing those risks on C/CSPs and not suppliers or other parts of the sector. The current telecommunications legislative framework relies on three key provisions.

Section 313 of the Telecommunications Act requires carriers and nominated CSPs to do their best to prevent networks and facilities from being used in the commission of an offence under Commonwealth, State or Territory laws. Carriers and nominated CSPs must provide help as is reasonably necessary to government to help safeguard national security through the operation of networks or facilities or supply of carriage services.
Section 202B of the Telecommunications (Interception and Access) Act 1979 (TIA Act) requires carriers and nominated CSPs to notify government (through the Communications Access Coordinator) of material changes to their networks and facilities that could affect their ability to assist safeguarding national security under section 313 of the Telecommunications Act.
Section 581(3) of the Telecommunications Act provides the Attorney-General with the power to issue a direction to cease a service that is prejudicial to security.

Under the Telecommunications Act, C/CSPs are also regulated by licence conditions and service provider rules respectively. There are however, no levers to require C/CSP engagement and information sharing. While section 202B of the TIA Act provides a formal mechanism for notification of material changes to networks and facilities, it does not currently operate to support early engagement and notification around potential changes to networks and procurement plans. The TIA Act does not specifically address supply chain risks, hardware and software vulnerabilities or security risks to the confidentiality, integrity and availability of telecommunications infrastructure.

Security agencies rely on section 313 to require C/CSPs to engage where security agencies become aware of a potential security threat posed to a network or facility. However, this provision only allows for limited information to be proactively shared and relies heavily on a cooperative relationship and the goodwill of C/CSPs.

There is a large legislative gap between the obligations on C/CSPs in section 313 of the Telecommunications Act and 202B of the TIA Act and the ultimate use of the power to cease a service under section 581(3) of the Telecommunications Act. The power in section 581(3) was designed for extreme circumstances, reflected by the fact that the Attorney must first consult the Prime Minister and Minister for Communications before exercising such a power. The majority of the Australian market is serviced by a small number of carriers, Telstra, Optus and VHA - if a part or whole of a service was directed to cease, it would have a significant impact on the market. There have been circumstances in which the government has considered exercising the power, however, the broad and, potentially, significant implications of issuing such a direction means that it has never been exercised to date.

Currently, there is an absence of effective levers to encourage industry to engage with security agencies about potential national security risks arising through procurements, or to incorporate security considerations into business and investment decisions at an early stage. Management of security risk relies heavily on [redacted text] corporate goodwill and the threat of the potential use of section 581(3) to encourage engagement, information sharing and cooperation. [redacted text]

Growth and rapid changes to the telecommunications sector mean it is increasingly unsustainable to risk manage national security outcomes in this way for both the market and government. Some large carriers acknowledged this during the PJCIS inquiry, expressing warm, if cautious support for a regulatory framework to better guide security risk management in the telecommunications sector. Consultation processes and the industry feedback received are detailed at pages 34 to 37.

[redacted text]

2 Why is government action needed?

[redacted text]

There are compelling reasons why government intervention is necessary to enhance the current framework for managing telecommunications national security risks.

2.1 National security

[redacted text] The pace of technological change presents serious challenges to the security of telecommunications data - risks can arise from hardware vulnerabilities, accidental misconfiguration, external hacking and trusted insiders. The implications of these threats and risks are significant.

Australian Government agencies have been the victim of cyber intrusions - in one case the loss of sensitive intellectual property was significant. Globally, data breaches of major commercial entities (such as Target in the United States) reduce business confidence and that of the community in online transactions. The cyber security breach into Target (US) in 2013 shows the extensive costs to business of unsecure networks - that breach is estimated to have cost Target $148m. [7] There were flow on costs to customers who had their credit card details stolen, and other businesses such as banks which had to reissue credit cards.

In Australia, security agencies are seeing an increasing number of attempts to gain unauthorised access to government systems. In 2013, the Australian Signals Directorate's Cyber Security Operations Centre recorded 2168 serious cyber incidents, up 21 per cent on 2012 when there were 1790 reported incidents and 1259 in 2011. These were reported incidents: there are likely to be thousands of additional incidents that go unreported. As highlighted in the Target example, remediation costs associated with a serious cyber event can be very costly for businesses.

Australian businesses, individuals and government rely on the ability of C/CSPs to store and transmit their data safely and securely and protect it from potential national security threats. Although telecommunications infrastructure is privately owned and managed, the broad scale implications of any compromise to the security of those networks means that government must ensure that those networks are appropriately managed and protected.

2.3 Inefficiency and ineffectiveness of existing regulation

The current regulatory framework is ineffective and inefficient to manage the increasing threat posed to telecommunications infrastructure.

While section 581(3) of the Telecommunications Act provides government with a mechanism to intervene to shut down a service where the operation of that service presents national security risks, it is such an extreme measure that it has never been used. The 'blunt instrument' nature of section 581(3) is not a reasonable or proportionate response to manage all but the most severe security risks. The consequence of a complete shut-down of a service, say a 4G network, would be dire for customers. Consequently, there is growing uncertainty for industry and security agencies as to if and when the power will ever be used, and the threshold that would need to be met to warrant the exercise of the power.

The current approach to managing national security relies on the goodwill of industry to cooperate with security agencies. While cooperative partnerships between industry and government are critical to effective management of security risks in the telecommunications industry, relying on good will and cooperation alone means that processes for managing risks are uncertain, protracted and inefficient. In the absence of a clear statement of government expectations, there are no effective levers for security agencies to manage national security risks.

Security agencies need timely access to industry information to assess potential national security risks and threats and provide advice to C/CSPs on the management of those risks. [redacted text]

Currently, C/CSPs are not required to provide information to security agencies. The absence of clear obligations results in ad hoc, reactive and delayed approaches to address any potential concerns. [redacted text] Rapid changes in market dynamics and technologies increases opacity - C/CSPs initially considered to present low risk can suddenly present a high risk due to factors such as rapid expansion in market share or expansion of services. [redacted text]

In addition to ad hoc and ineffective information sharing mechanisms, addressing any security concerns relies on effective cooperative relationships. [redacted text]

The existence of fiduciary duties obligating company directors and boards to act in the financial interest of the C/CSP presents a real challenge to having national security advice taken into account when designing and procuring networks and capabilities. No matter how good the partnership between government and industry, if implementing security advice presents a cost or the loss of a business opportunity, directors and board members may choose to ignore it and prioritise the commercial interests of the company.

[redacted text] Continued reliance on the goodwill of a subset of industry is unsustainable due to the commercial pressure from shareholders to compete in a relatively small market. [redacted text] It is risky to rely on C/CSPs to act altruistically in the absence of clear legal obligations to actively protect networks from national security risks.

The lack of certainty around government security expectations means that efforts to manage national security risks that do arise are delayed, complex, inefficient and costly to both parties. [redacted text] Clearly, as the threat increases and greater cooperation is required to address national security risks, it is unmanageable to rely on Ministers and CEO's to become involved in long and protracted negotiations to manage national security risks.

[redacted text]

In some cases, contracts might be finalised and steps taken to implement changes to networks and facilities which cannot be undone or risks effectively mitigated in the future. [redacted text]

In summary, government action is needed because:

current mechanisms rely on goodwill and cooperation which is not an appropriate mechanism for managing national security risks;
there is lack of clarity for government agencies and industry on how national security risks are to be managed and enforcement action to be taken;
industry does not have access to the threat picture to enable decisions to be informed by national security risks;
industry is not currently required to take responsibility for protecting their networks and facilities from national security threats presented by suppliers of equipment and managed services; and
the current patchwork of legislative provisions do not provide a comprehensive regime for the ongoing management of national security risks to telecommunications infrastructure.

2.4 Broader flow on impacts of secure telecommunications infrastructure

In addition to ensuring effective management of national security risks, protecting networks and facilities from unauthorised access and interference will help reduce the level of cyber-attacks. Ensuring C/CSPs are not using compromised equipment will make it harder for hostile actors to mount cyber-attacks against networks and facilities, reducing the level and severity of attacks. Reducing cyber-attacks has flow on cost benefits to the telecommunications sector and potentially other critical infrastructure sectors.

Likewise, protection of telecommunications infrastructure will enhance protection of equipment and managed services from data breaches that can occur as a result of less secure and reliable networks. Targeted consultation with industry in early 2012 highlighted that industry itself appreciated the importance of protecting the confidentiality, integrity and availability of their networks.

3 Objective

The objective of the proposed reform is to provide a more effective and efficient framework for managing national security risks to telecommunications networks and facilities posed by suppliers of equipment and managed services.

An efficient security framework would be achieved by:

timely information sharing by industry on material changes to networks or facilities to enable the assessment of national security risks;
timely provision of threat information to industry by security agencies;
effective and timely mitigation of security risks; and
reduced burden, cost and effort on industry through early engagement and clarity about government's expectations.

In achieving this objective the framework should:

build on the collaborative and cooperative relationships in place between industry and government to achieve national security outcomes;
engage C/CSPs in actively managing national security risks - C/CSPs are considered best placed to manage the risk as part of their commercial decision-making and ultimately responsible for ensuring their infrastructure does not pose national security risks;
provide flexibility for how a C/CSP protects its infrastructure from unauthorised interference and; and
focus on managing security risks in high value C/CSPs and in the core and sensitive parts of their networks and facilities.

4 What policy options have been considered?

As noted above, in 2013 the PJCIS considered the issue of reform of the current regulatory regime to manage national security risks to telecommunications networks. Following a process of broad consultation, it considered further government regulation was the best option for managing these risks. In particular, amending the Telecommunications Act to create an enhanced framework comprised of three key components: an industry-wide obligation to protect telecommunications infrastructure from unauthorised interference, an obligation on industry to provide information to government; and direction powers and a penalty regime to encourage compliance. A regulatory option consistent with the PJCIS recommendation is considered at Option 3.

To meet best practice regulatory requirements, three other options are also considered. Option 1 considers retaining the status quo. As outlined above, the current framework comprises of a mix of regulation and self-regulation.

Option 2 considers the development and registration of an industry code (a Code) under Part 6 of the Telecommunications Act. There are two approaches to developing a Code - a self-regulatory model or a quasi/co-regulatory model. Only a quasi/co-regulatory approach is considered in this RIS.

During consultation processes, the development of a voluntary Code was suggested by some C/CSPs as an alternative to further regulatory reform. However, to date industry has not elected to pursue this option nor seems likely to proactively do so.

In addition to the direct regulatory approach considered in Option 3, a more comprehensive direct regulatory option is explored in Option 4. Option 4 adds an extra layer of regulation to Option 3, imposing an industry-wide obligation to produce annual investment plans. This approach is modelled on the more comprehensive regulatory approach adopted by New Zealand to manage security risks in the telecommunications sector.

The option of de-regulation by removing the existing national security provision is not considered viable and is not explored. While the existing regulation is reactive and best suited to extreme levels of national security risk, AGD and the PJCIS engagement with industry reflected broad acceptance of the importance of the management of national security risks to Australia's telecommunications infrastructure.

4.1 Option 1 - Retaining the status quo

As detailed in section 1.3 Current Regulatory Framework, the existing regulatory framework for managing national security risks in the telecommunications industry relies on three key provisions and cooperative engagement with security agencies.

Broad objectives of the Telecommunications Act include that telecommunications be regulated in a manner that 'promotes the greatest use of industry self-regulation'. [8] Maintaining the status quo would allow industry to continue to self-manage national security risks until they reach a point where the risk posed to national security engages regulatory action under section 581(3).

As noted above, it has been ten years since the enactment of section 581(3), which has provided sufficient opportunity to examine the effectiveness of the current regime. While to date the current framework has met the objective of addressing perceived security risks to the sensitive and core parts of telecommunications infrastructure, the process by which this is achieved is not considered to be effective. As detailed above, under the existing arrangements there are no relevant levers to require industry to provide information. [redacted text]

For both industry and government there is a lack of transparency, clarity and accountability. [redacted text]

Under the status quo, while ultimately the government can address security risks by exercising the power to cease a service in s 581(3) of the Telecommunications Act, there is no certainty as to the threshold at which the government would exercise this power. As such, there is a lack of clarity about the responsibility C/CSPs are expected to exercise in operating and managing their infrastructure to protect it from national security risks and how proactive government expects industry to be. Without clear rules and graduated enforcement measures, the process of engagement can be unpredictable and costly. The competitive state of the market is resulting in significant cost pressure and the status quo is not always effectively influencing behaviour, particularly where national security risks are not clearly visible to members of industry.

4.2 Option 2 - Industry Code (Quasi/Co-regulation)

An industry Code could be developed and registered under Part 6 of the Telecommunications Act. Part 6 provides a mechanism for the development of Codes by industry and a process for registration and enforcement.

If ACMA is satisfied that an Industry Code is necessary or convenient to regulate C/CSPs performance to achieve national security outcomes, it can issue a written notice to an industry representative body such as the Communications Alliance to develop an Industry Code and present it for registration (section 118 of the Telecommunications Act). Industry, through the representative body, would then be responsible for developing and drafting a Code with appropriate rules and provisions that sought to clarify government's expectations in relation to national security.

Subject to subsection 115(1) of the Telecommunications Act, Code provisions could be drafted to impose industry-wide obligations to protect telecommunications infrastructure from interference and require industry to provide information to government. [9] A Code, developed with significant technical expertise of security agencies, could clarify government's expectations about national security management, draw on existing recognised principles in security management and set out when and how C/CSPs should engage with security agencies. For example, a Code could specify when and how a C/CSP needs to provide information about potential procurements.

If the Code satisfied the objective of providing a mechanism for the efficient management of security risks, and additional requirements under sections 112 and 117 of the Telecommunications Act, [10] the ACMA could register it under section 136 of the Telecommunications Act. [11] Registration is regarded as a critical step to the effectiveness of an industry Code under Option 2. It provides legislative support for the enforcement of a Code and attracts ACMA's enforcement powers to issue a Direction to Comply (section 121) and give Formal Warnings (section 122). Failure to comply with an ACMA direction may attract civil penalty provisions.

If ACMA became aware that a C/CSP was operating in breach of a Code provision it could investigate the matter, gather evidence and then determine whether or not to take enforcement action. Security agencies are more likely to be aware of any non-compliance with the Code than ACMA and trigger the investigation process. However, as ACMA is an independent authority it will not instigate an investigation unless it is satisfied that the matter requires investigation. The usual timeframe for investigations into complaints of non-compliance with Code provisions can take approximately six months.

The ACMA and Communications Alliance have indicated the period of development for a complex Code can take around two years. Before presenting a Code for registration, the draft Code must undergo a period of industry and public consultation. ACMA cannot register a Code unless it is satisfied that there has been adequate consultation and that consideration has been given to the feedback received. Consultation processes can take several months. The registration process itself usually takes approximately two months (this includes mandatory consultation with the Information Commissioner).

In the event that industry does not provide a Code for registration or the Code does not meet regulatory objectives and/or the requirements of registration, ACMA can develop an Industry Standard. Without registration, there are no legislative enforcement mechanisms and compliance remains voluntary. Compliance with a registered Industry Standard is compulsory - it would operate much like the proposed regulatory option set out in Option 3 and for this reason an Industry Standard has not been separately considered.

4.3 Option 3 - Amending existing legislation to introduce a security framework

A risk-based security framework could be established for all C/CSPs by strengthening the existing national security provisions in the Telecommunications Act.

The framework would consist of several high-level key obligations on industry with details contained in supporting guidelines. Such a framework would codify informal relationships to provide industry with clarity about government's expectations of the management of risks to national security. In particular a framework would go beyond the current obligation to provide assistance to safeguard national security and focus on the ability of a C/CSP to manage the security of its infrastructure and the information held on it. The aim of such a regulatory framework would be to promote risk informed management of security in the telecommunications sector.

This could be achieved by amending the Telecommunications Act to:

require all C/CSPs to their protect networks and facilities from unauthorised access or interference - this would be achieved by demonstrating 'competent supervision' and 'effective control' over a C/CSP's networks (defined below);
empower government to require C/CSPs to provide information to facilitate security agencies developing threat assessments;
facilitate provision of threat information from security agencies to industry; and
ensure industry's cooperation in managing national security risks by imposing proportionate and graduated compliance and an enforcement regime consisting of powers of direction and civil (financial) penalties.
Competent supervision - would require a C/CSP to maintain technically proficient oversight (either in-house or through a trusted third party) of: the operations of their network; location of data; and parties with access to network infrastructure. It also involves a C/CSP maintaining a reasonable ability to detect security breaches or compromises.
Effective control - would require a C/CSP to maintain direct authority and/or contractual arrangements which ensure that its infrastructure and the information held on it are protected from unauthorised interference. This could include arrangements to: cease contracts where there has been a security breach; undertake mitigation or remedial actions; monitor, document and remedy security breaches; and reclaim customer data and network systems where unauthorised interference to a network has occurred.

Government would provide guidance, through administrative guidelines and provision of advice from security agencies, to assist industry to understand and meet its obligation and to inform C/CSPs how they can maintain competent supervision and effective control over their networks. Guidance would be tailored to C/CSP service types (for example internet service providers (ISP), backhaul service providers, and mobile virtual network operators) and distributed to C/CSPs prior to commencement of a security framework.

The framework would provide government a graduated suite of enforcement measures (including the power of direction) to provide industry with greater incentive to engage cooperatively with government. For example, first government would provide advice and guidance to encourage risk informed management of security concerns. Second, where potential issues of concern are identified, the preferred approach would be to engage with the relevant C/CSPs to establish whether national security concerns can be cooperatively addressed. Third, in cases where engagement with C/CSPs proves to be ineffective, or there is a disregard of security information that jeopardises the government's confidence in the security and integrity of Australia's telecommunications infrastructure, powers of direction could provide a proportionate means to achieve compliance. There may be instances in which a C/CSP seeks a direction to provide its board with a clear mandate to guide commercial decision making.

Directions could involve targeted mitigation or remediation of security risks, including modifications to infrastructure, audit, and ongoing monitoring, with costs to be borne by the relevant C/CSP. Grounds for directing mitigation or alternative actions would ultimately be determined by security agencies, based on an assessment of risk following their engagement with a C/CSP. The powers of direction would serve as a means to support the existing powers in the Telecommunications Act relating to national interest matters. Based on the frequency of major changes to core and sensitive parts of networks that are likely to give rise to national security risks, it is anticipated that directions will be issued infrequently.

4.4 Option 4 - Amend existing legislation to introduce security framework and require annual investment plans

This option builds on the security framework outlined at Option 3 with the additional requirement for C/CSPs to provide government with an annual investment plan. Investment Plans would provide a multi-year outlook of C/CSP's planned procurements.

The requirement to provide an investment plan would be modelled on the provisions in the TIA Act to provide annual interception capability plans (ICPs) to the Communications Access Coordinator by carriers and nominated CSPs although it would be broadened to cover all material business decisions and procurements. Around 200 carriers and nominated CSPs already provide ICPs to the Communications Access Coordinator each year and have dedicated teams to manage this process.

Additional investment plans could be managed in a similar way, although the scope would potentially increase substantially to include the additional 1360 CSPs, if applied universally. This would place a significant additional burden on the vast majority of low priority CSPs as well as low priority carriers.

Annual investment plans would provide security agencies with detailed information, in advance, of upcoming procurements and other changes to networks that might not already be captured in annual interception plans. This would adopt a regulatory approach similar to New Zealand which is considered to be one of the most comprehensive. It would enhance security agency capability to develop detailed threat assessments and better target engagement.

5 What is the likely net benefit of each option?

The net benefits of each option are assessed below in how they meet the reform objectives and outcomes outlined above in section 2.1.

The regulatory impact and costs associated with each proposed option for reform have been calculated using data and estimates provided by industry during the various consultation processes. The PJCIS noted the lack of detailed information in response to the question of the costs of regulatory impact on industry. Consequently, costs associated with implementation of a particular option have, to a large degree, been calculated having regard to the types of impacts and costs currently associated with engaging with government to manage security risks and concerns. Difficulties quantifying benefits of options means that the net benefit analysis necessarily focuses on risks associated with options and the significance of those risks to the overall effectiveness options and the achievement of national security outcomes.

A further complexity with calculating costs associated with compliance is that such costs are subject to the risk profile of a C/CSP and the level of risk presented by a particular procurement or operational decision affecting infrastructure and the action required to mitigate risk, at any given time. Each scenario is likely to be highly variable making any attempt to quantify the potential cost implications at an industry-wide level at each point in this process difficult, if not impossible.

A key assumption is that costs associated with implementing mitigation measures will be less costly to C/CSPs (and therefore possibly to suppliers and customers) than remedial work. [redacted text] An absence of industry data means it has not been possible to quantify the cost of mitigation or remedial measures, including addressing legacy system risks that arise during system upgrades. Any attempt would be purely speculative as there is not an appropriate proxy against which to estimate costs.

The current cost to industry under the status quo is business as usual and reflected as a nil cost. This provides a neutral benchmark for considering the impacts of proposed reform options. However, there are significant costs for industry associated with compliance under the status quo due to the resources that may need to be devoted to protracted engagement. [redacted text] A key change under each of the alternative options would be to impose these costs sector-wide on a risk basis - noting that that the costs would still be proportional to individual C/CSP risk profiles.

Consequently, each reform option presents a relatively low regulatory burden compliance cost (around $500 000 per year) above business as usual or the status quo and is likely to have the most impact on those C/CSPs that do not have any mechanisms in place for managing any security risk. A key assumption is that the costs to industry of implementing any of the proposed options are likely to be minimal in comparison with revenue generated and therefore unlikely to operate as a barrier to market-entry or competition. The benefits associated with the three options to reform the status quo are also considered modest. They are important in terms of efficiency in achieving security outcomes, with greater visibility for security agencies of potential national security risks, and more targeted advice from security agencies to prevent delays to C/CSP business plans.

Competition impacts - suppliers

The management of national security risks posed through the supply of equipment and services means that there will be some restrictions, where a service is, or is likely to be, prejudicial to security. However, these restrictions already exist under the status quo. [redacted text] While there is likely to be an increased impact on the supply market under options 2, 3 and 4 through a more effective mechanism to inform C/CSPs about risks, it is not possible to predict with accuracy the difference in the impact under each option.

[redacted text] It is anticipated the security framework will minimise competition impacts by encouraging C/CSPs to work with suppliers on how they can provide equipment and services enabling them to maintain competent supervision and effective control over their networks and facilities. [redacted text]

Impact on Customers

Restrictions and/or additional requirements being placed on business solutions for some C/CSPs could result in a cascading affect to the market-place with a portion of the higher costs passed onto customers (both individuals and business). A cost to a C/CSP of meeting existing national security obligations of providing a service that is not prejudicial to security is likely to have only a marginal impact on consumers. The costs are likely to be nominal - in the range of a few cents per service due to the wide customer base and revenue stream compared to the relatively modest scale of costs against the sector's revenue. [redacted text]

In any event, if security risks are identified, remedial costs under the status quo could potentially have a significant impact on the customer. As noted above, costs associated with remediation or ceasing a service are likely to increase charges to customers or see services withdrawn (albeit at a likely low per-customer level).

The cost-benefit analysis for each option relies on the following broad assumptions:

Options discussed below do not remove existing regulatory powers - the current power under subsection 581(3) of the Telecommunications Act would remain available for the most serious security breaches.
Costs may arise if C/CSPs need to mitigate high risk network designs at a late stage or if more expensive but more secure supply options need to be chosen.
[redacted text]

5.1 Option 1 - retaining existing regulation under the status quo

5.1.1 Costs of Option 1

Industry impact

Continuing the existing regulation would not result in additional administrative or compliance costs for industry or government. Under current engagement processes costs would continue to be incurred by industry in engaging in potentially lengthy negotiations on what constitutes a security risk and what constitutes appropriate mitigation action. [redacted text]

To date larger C/CSPs have been bearing any administrative and compliance costs associated with managing security risks through processes of engagement.

Regulatory Burden and Cost Offset Estimate - Option 1: Status quo

Average Annual Regulatory Costs (from Business as usual)
Change in costs ($M) Business Community Organisations Individuals Total change in cost
Total by Sector $0 $0 $0 $0
Cost offset ($M) Business Community Organisations Individuals Total by Source
Agency $0 $0 $0 $0
Within portfolio $0 $0 $0 $0
Outside portfolio $0 $0 $0 $0
Total by Sector $0 $0 $0 $0
Are all new costs offset? N/A

□   Yes, costs are offset

Total (Change in costs - Cost offset) ( $M ) $0

5.1.2 Benefits of Option 1

[redacted text]

Additionally, C/CSPs benefit from the knowledge that the blunt regulatory instrument (use of section 581(3)) with far reaching consequences is unlikely to be used, enabling them to take some risks with a potentially unrestricted market of vendors of equipment and services and base decisions on commercial advantage.

This option also provides the greatest flexibility to industry as to when and how it engages with security agencies and matters concerning national security. Low risk C/CSPs are likely to be able to avoid putting in place mechanisms to effectively monitor and protect their networks from interference and access, without national security agency engagement.

5.1.3 Risks of Option 1

Without a clear principles-based security framework, uncertainty for industry and government will continue. Uncertainty for business usually results in greater costs in the longer term and could stifle innovation and investment in infrastructure development for some C/CSPs.

[redacted text]

Industry would continue to be pressured by shareholders to pursue lower cost procurements in the absence of clear government statements of national security risk management expectations. Where a C/CSP engages a supplier with potential risks [redacted text], security agencies would not have the ability to ensure that mitigation measures are put in place to manage these risks.

[redacted text] Cost savings of proceeding with a cheaper supplier may end up causing significant future cost implications if remedial action is required to avoid a direction to cease the service under section 581(3). This is likely to result in increasing pressure on the Attorney-General to engage his or her formal power, while balancing this with competing impacts on competition, the market and consumers. [redacted text]

Option 1 does not meet the objective of providing a mechanism to proportionally manage risks. It leaves risk management in the hands of security agencies without effective levers to engage C/CSPs.

The consultation process and ongoing dialogue with industry [redacted text] indicates that the status quo is problematic for justifying why national security should take precedence over commercial imperatives. Industry seeks a clear mandate from government that they can provide to their boards, rather than the vague threat of invoking section 581(3). This certainty, that would enable business decisions and that gives appropriate regard and weight to security concerns, is not achievable under Option 1.

5.1.4 Summary of the Net Benefits of Option 1

This approach relies on the goodwill of industry along with some government targeted engagement [redacted text] managing to contain cyber security vulnerabilities. The status quo will not, however, provide for an effective response to the potential growing area of vulnerabilities as industry is not required to voluntarily provide information or have regard to security agency advice.

This has, however, resulted in delayed decision making and significant and avoidable demands on the time of senior executives in industry, as well as Ministers and senior officials in government. Timeliness is not an outcome of the status quo. [redacted text]

[redacted text]

There are no added regulatory costs associated with this option. However, existing costs remain uncertain and difficult to predict for industry given the potentially huge costs associated with any protracted engagement process. This option fails to adequately balance the costs to industry of commercial autonomy vis-a-vis the risk of national security threats. [redacted text]

5.2 Option 2 - Co-regulation

5.2.1 Costs of Option 2

Industry Impact

A Code option would attract greater compliance costs for industry. These additional costs, above existing regulatory obligations and business-as-usual activities, relate to ensuring that their management of national security risks aligned with the Code. The limited data provided by industry means these costs are estimates only and based on a break-down of possible administrative and compliance related activity.

Costs associated with developing a Code

There is potentially significant up-front costs associated with industry developing a Code (start-up cost estimated at $679 142 to fund staff to develop and communicate expectations for a Code and initial implementation across the sector) that does not arise under other options.

Responsibility for the development of a registered Code would likely reside with an industry association, such as Communications Alliance. As such, it represents a marginally higher administrative start-up cost to industry than guidelines developed by government with industry consultations. Establishment costs would arise from C/CSPs being required to provide resources to develop a Code followed by ongoing self-assessment to ensure their compliance.

Costs to industry associated with the establishment of a Code is based on a period of six weeks to develop the code (210 hours) from 20 C/CSP staff, coordinated by Communications Alliance over a two year period. Costs associated with registration processes include a minimum of 2 months including consultation processes.

Costs associated with implementation and compliance

The assumption for implementation of the Code has been estimated at three hours for each of the 1560 C/CSPs, which would involve reading and understanding a Code and self-assessing whether any changes to network and information security and resilience are required. While it has been assumed that the status quo involves a level of information security management, the codification would clarify this and spread the costs across industry.

The overall ongoing cost to industry each year is estimated at $292 100 which includes C/CSPs' maintenance, updating (every three years) and ensuring compliance with a Code. Maintenance and review of the Code has been factored to occur every three years to take into account potential changes in technology and the market. Communications Alliance members would need to review, update and consult on any changes to code provisions which is estimated to require the equivalent of 35 hours for 20 C/CSPs per annum over three years (or 105 hours over three years).

Costs associated with compliance with Code provisions is difficult to quantify, as it will ultimately depend on the action required for a C/CSP to ensure its networks and facilities are secure and protected from unauthorised access and interference. This will vary across all C/CSPs.

The estimated cost for undertaking monitoring of networks and infrastructure to assess national security risks is the equivalent of at least two hours for each C/CSP per annum. This would involve taking into account the spectrum of effort depending on the exposure to national security risks and would range from engagement with security agencies on high national security risk propositions through to the vast majority of engagement to keep industry informed of emerging threats and risks.

Table 5.2 below breaks down the regulatory life-cycle costs of a Code from development to ongoing compliance. These relatively modest costs would likely be passed on to customers while potential enforcement action would be a matter to be resourced through the ACMA.

Table 5.2 - Industry Code Costs

Activity Number of C/CSPs Number of staff per C/CSP Hours per staff member Frequency Cost
Establish an industry Code or standard 20 1 210 [start up] $321 216
Incorporate industry Code or standards 1560 1 3 [start up] $357 926
Update industry Code or standard 20 1 35 Every three years $53 482
Compliance with an industry Code 1560 1 2 Each year $238 618

Compliance costs would also include costs associated with meeting requirements in relation to C/CSP's complying with code provisions that place obligations to meet with security agencies on a regular basis, providing information about networks, facilities and procurements. The costs would be similar to those under Option 3 assuming the Code incorporated similar requirements.

Costs to government

Participating in Code development is likely to involve officers from AGD, ACMA and security agencies. It is estimated this would take approximately two years to develop - these costs would be absorbed within existing functions and resources of relevant government agencies. The registration process and assessment of a Code would be undertaken by the ACMA as one of its functions under the Telecommunications Act.

There is an ongoing role for security agencies in engaging and monitoring compliance with the Code. Similar to the costs proposed under options 1 and 3, security agencies would be expected to engage with C/CSPs about national security risks under a Code, which would require up to five additional officers to meet demand from C/CSPs for national security assessments and advice ($700 000). These officers would also engage closely with the ACMA to escalate enforcement of non-compliance with provisions in a Code and advice to mitigate national security risks.

The additional oversight and enforcement functions for the ACMA (assumed to be three staff at $400 000) and costs associated with security agency monitoring and engagement would be expected to be cost recovered, consistent with the funding of existing regulatory functions. The ACMA has advised that to oversee and enforce compliance for national security purposes, if would require around $1m for capital costs to equip itself to protect information. The estimated total costs of $2.1m to establish and administer the Code are likely to be passed to industry through the Annual Carrier Licence Charge.

Regulatory Burden and Cost Offset Estimate - Option 2: Co-regulation

Average Annual Regulatory Costs (from Business as usual)
Change in costs ($M) Business Community Organisations Individuals Total change in cost
Total by Sector $0.360 $0 $0 $0.360
Cost offset ($M) Business Community Organisations Individuals Total by Source
Agency $0 $0 $0 $0
Within portfolio $0 $0 $0 $0
Outside portfolio $0.578 $0 $0 $0.578
Total by Sector $0.578 $0 $0 $0.578
Are all new costs offset?

□   Yes, costs are offset

Total (Change in costs - Cost offset) ( $M ) -$0.218

The regulatory cost of offsets noted in the above table have been identified within the Communications portfolio. The cost offsets are taken from the cost savings arising from the removal of retail price controls in telecommunications (costs have been agreed with OBPR and reported in Q1 2015).

5.2.2 Benefits of Option 2

A Code would be supported by some members of industry who would prefer to develop their own rules and obligations. This too would align with the general objective of the Telecommunications Act, to promote the greatest use of self-regulation (noting this is a quasi-regulatory option).

A Code would meet the objective of clarifying the expectations of government. It would promote greater transparency and accountability using a self-regulatory approach which sought to continue security agencies' focus on engagement and developing cooperative relationships with industry. A Code could also set out government's expectations about triggers for engagement with security agencies on potential national security threats and requirements in relation to information sharing and rules. This would ensure sensitive information provided by government to industry is appropriately managed and protected.

One of the key factors affecting the current framework is that C/SCPs lack a proper understanding of the risks and threats some suppliers provide. A Code could provide a proper framework for the exchange of information held by security agencies (where a Code provided rules for the handling of sensitive information). Provision of more detailed information by security agencies would enable industry participants to make informed decisions about their procurements and outsourcing material.

If a Code was drafted on the basis of imposing industry-wide obligations to protect and control networks, it could clarify that responsibility for protecting telecommunications infrastructure rests with C/CSPs and provide an enforcement regime to penalise non-compliance. It could also assist with information sharing by clearly outlining what is expected.

5.2.3 Risks of Option 2

Section 115 of the Telecommunications Act poses a risk to the effective operation of a Code dealing with how C/CSPs are to manage and protect their networks and facilities. Section 115 provides that a Code has no effect to the extent that compliance is likely to have the effect (whether direct or indirect) of requiring customer cabling, a telecommunications network or a facility to have particular design features or to meet particular design requirements. It is foreseeable that in seeking to address a potential security risk provided by a particular supplier or managed service that a Code provision may directly or indirectly engage section 115. This casts significant doubt around whether a Code can be used to put in place enforceable obligations of the type that might be required to manage telecommunications infrastructure security. The Telecommunications Act could be amended to remove the restrictions in section 115 for Codes dealing with management of national security risks. However, such an amendment would require careful consideration, given the potential wider implications for the use of Codes, because it could broaden the matters that have been deemed appropriate to be regulated through a Code.

The enforcement mechanisms do not provide for a quick and targeted resolution of non-compliance. In particular the direction power is linked to compliance with particular Code provisions which may not adequately target action to address the particular security risk. The effectiveness of a direction to secure national security outcomes is dependent on the effectiveness of the Code provisions to address specific national security risks. For example, the security concern may relate to failure to implement advice of security agencies - unless the Code contained broad provisions that required compliance with advice of security agencies (noting that such a provision may not be enforceable according to the current operation section 115), a direction to comply may not achieve a particular security outcome.

The processes involved in exercising enforcement powers would be less efficient than processes under Option 3. For example, if a C/CSP is non-compliant with obligations under the Code which presented a national security risk, security agencies would request the ACMA to issue a direction to comply with the Code. As an independent statutory agency, the ACMA would need to develop its own brief of evidence before taking regulatory action rather than just relying on external advice from security agencies on national security risks. [12] If compliance is still not achieved following the direction the ACMA could issue a formal warning and seek the imposition of a pecuniary penalty through the Federal Court. Both of these processes can be lengthy, costly and ultimately delay the achievement of national security outcomes.

As with the status quo, delay in achieving security outcomes could increase risk and cause delay to business decisions. C/CSPs could potentially use these processes to 'game' government. The risk or threat could also increase over the period of enforcement to the point that it may not be able to be managed effectively or that remediation is no longer possible (i.e. once infrastructure or capability is moved offshore it is almost impossible to reverse or mitigate).

The ACMA advises compliance and enforcement actions under a Code are better suited to minor Code breaches and for dealing with companies that are cooperative and based in Australia. The enforcement regime relies on civil penalty sanctions to penalise behaviour and provide commercial incentives to comply. It is possible that C/CSPs would be willing to bear a civil penalty if the money they would save by proceeding with a low cost procurement covered the cost of the civil penalty. A direction may not have the effect of directing mitigation action.

A further potential risk to the effectiveness of the compliance regime is that it relies on the ACMA to take enforcement action at the request of security agencies. The ACMA does not have expertise in national security matters or capabilities to detect and monitor security risks. Consequently, ACMA would need to develop a new capability on national security.

A significant risk is that a Code will be drafted by industry that does not meet government objectives. Government can assist industry to draft the Code and is best placed to articulate its expectations about security threats and risks. However, as it is developed by industry it is likely to reflect commercial interests foremost. In the event that a Code presented to the ACMA was deficient or could not be registered or enforced, the ACMA could develop a Standard. However, this would further delay addressing risks associated with the status quo and would face the same challenges as a Code with respect to being focussed on technical rules rather than broad national security outcomes.

A further significant risk is that the process for developing a Code would significantly delay implementation of this option. Codes require industry cooperation and engagement and significant lead in times. The Code development process is a lengthy process consisting of several phases of public comment, content approval and process approval, to enable registration with ACMA. It also requires stakeholder representatives to reach a consensus on the matters that will be included which can take considerable time and resources. Consensus might be reached on a high level principles-based Code, however is likely to be more challenging in relation to a detailed rules-based Code concerning national security.

Finally, Codes are usually more effectively used as an industry driven mechanism to protect consumers and industry when appropriate sanctions can be imposed and where Code objectives are consistent with commercial interests. Public awareness of Code provisions and requirements are also usually an important mechanism for ensuring Code compliance and critical to achieving the objectives relating to matters of public interest. These factors are not likely to be present in the context of addressing national security concerns so it is questionable whether a Code is an appropriate fit.

5.2.4 Summary of Net Benefit of Option 2

Option two could go some way to meeting reform objectives and would be an improvement to the status quo. It would achieve the following policy objectives:

Increased industry awareness about national security risks and implications and timely information sharing.
Formalise and clarify the relationship between government and industry and government's expectations about industry's responsibilities in respect of managing national security risks.
Provide greater certainty for industry in business decision making reducing costs.

However, Option 2 does not meet the overall objective of providing effective and efficient model to achieve security outcomes. There are a number of significant risks with this option that must be weighed against the benefits, these are:

A Code is likely to take at least two years to develop, requiring investment of resources, time and money from government and industry and may not satisfy registration requirements and remain unenforceable.
A Code may not be able to provide enforceable rules to achieve national security outcomes, (assuming the existing restrictions in section 115 were engaged).
The enforcement mechanisms do not provide for a quick and targeted resolution of non-compliance. In particular the direction power is linked to compliance with particular Code provisions which may not adequately target action to address the particular security risk.
Codes are usually appropriate for the protection of community safeguards where these can be appropriately balanced against C/CSPs business objectives and autonomy. National security objectives may require C/CSPs to put security interests above commercial interests - this would not meet the stated intention of the industry Code framework under Part 6.

The significant upfront costs for industry in developing the Code mean that this is not a low cost option for industry. However, the increased costs are still relatively low when compared with the size and value of the industry to the economy.

On balance, while the Code would achieve some reform objectives it does not provide sufficient assurance that a Code will be able to impose clear obligations on industry to implement security agencies advice and proactively protect networks and facilities. In particular the more arms-length nature of the relationship between industry and security agencies under this mechanism does not provide the certainty that security outcomes will be achieved.

5.3 Option 3 - Security Framework: Amending Legislation

5.3.1 Costs of Option 3

As with Option 2, there are additional costs associated with the compliance regime that would affect all C/CSPs. The limited data provided by industry means these costs are estimates only and based on a break-down of possible administrative and compliance related activity.

The obligation to ensure effective control will require C/CSPs to put in place a mechanism to ensure they can monitor security obligations. AGD's assessment of the additional costs suggests a modest increase to costs reflecting the fact that there is already national security regulation in place, although recognising that only a minority of C/CSPs with dominant market share are currently engaged.

Many larger C/CSPs already have staff designated to engage with government on matters of lawful interception and privacy obligations and these staff tend to also work on broader national security matters. These existing resources would manage their engagement with security agencies over potential national security risks, together with business-as-usual security assurance functions. While high priority C/CSPs are likely to have such mechanisms already in place, lower risk C/CSPs may have to develop this capability and maintain it, however, it would be proportionate to risk.

Industry impact

Of the costs associated with compliance, there will be costs associated with providing information or documents for government to assess the risks to national security. As with Option 2, a security framework would facilitate consistency in the government's approach, encouraging early engagement which could ultimately save C/CSPs time and money in terms of procurements. There is likely to be a small net increase in costs across the telecommunications sector, which are set out in the Table 5.3 below.

Table 5.3 - Security Framework

Activity Number of C/CSPs affected Number of staff Hours Frequency Cost
Implementation of the security framework 1560 1 3 [start-up] $357 926
Intensive engagement and information sharing 20 2 3 Yearly $110 131
C/CSP notification and engagement on material changes to core systems / networks 20 1 35 1 $53 536
C/CSP escalated engagement over a Direction with AGD (as regulator) 3 2 35 1 $16 061
Low priority C/CSP compliance with government's request for information 20 1 3 1 $4 589

Costs associated with implementation and compliance

Administrative costs are particularly relevant under Option 3 in terms of regulatory impact.

The cost would represent a modest additional cost to the sector which has revenue in excess of $43b a year. An estimate from Australia's large carriers was that the intensive engagement over threat information, network design and significant procurements could amount to one additional member of staff to its existing regulatory engagement team. The impact would be the diversion of some staff. This arguably occurs under the status quo, particularly where late engagement over a potentially high risk proposition is involved. For other smaller carriers, staff are likely to be reallocated causing project pressures elsewhere, although this is unlikely to be too significant.

The estimated cost under the Regulatory Burden Measurement approach, following analysis through the business cost calculator, is estimated to be $220 109 of which $184 317 is ongoing.

A start-up cost of $357 926 for 3 hours for 1560 C/CSPs is based on guidelines that set out what government's expectations are under a security framework. A high priority multi-mode carrier [redacted text] would have different expectations relating to the level of national security risk, when compared alongside a backhaul provider, or alternatively a small regional (low risk) Internet Service Provider.

Costs of Engagement

There will be costs to industry in complying with provisions (likely to be contained in guidelines), that detail requirements for industry/government engagement. For example, this may require major high priority carriers to engage in monthly meetings with security agencies and more intensive discussions for significant procurement projects with potential security concerns. Some low risk C/CSPs would be required to complete desk top audits to allow security agencies to assess their compliance.

Security advice would add a small overhead to costs associated with C/CSPs' existing regulatory obligations and informal engagement with government. [13] The table above also factors in regulatory oversight of security obligations through compliance assessment questionnaires. The assumption is that a questionnaire would be issued to [redacted text] C/CSPs based on risk prioritisation, including customer numbers, type and criticality. Three hours for one member of staff from the C/CSPs has been allocated.

Compliance costs arising from implementing security agencies advice (albeit on a cooperative basis) could include high priority/risk C/CSPs having independent security auditing and monitoring of their planned procurement activities. The cost of auditing would vary based on the size of the system. For example, a substantial program of auditing undertaken by the Australian Government for security vulnerability can range between $40 000 and $550 000 - an average of approximately $225 000 per audit. The larger carriers have teams to manage compliance and regulation including with privacy obligations and telecommunications interception.

Costs to Government

There are costs to government in developing and consulting on the proposed legislation and guidelines. However, these costs would be absorbed by the relevant government departments and agencies and would not be recovered from industry through cost recovery mechanisms.

The total estimated cost to government in administering and enforcing the scheme would be $1.6m which would include:

Security agencies costs - security agencies would need additional resources for engaging and monitoring compliance with the Framework including intensive engagement with high risk C/CSPs, developing security threat assessments and advice to C/CSPs on risk and risk mitigation, and collaborating with the regulator on enforcement action and compliance with enforcement action.
This is likely to involve [redacted text] additional officers to meet demand from C/CSPs for national security assessments and advice ($1.1m).
Cost to the Attorney-General's Department in establishing and maintaining regulatory functions, including implementing processes to engage and obtain information from lower risk C/CSPs, supporting security agency engagement processes, advising C/CSPs of obligations and requirements, supporting the regulator in the exercise of enforcement powers. These functions will require four additional staff with AGD ($0.5m).

There will also be costs associated with any enforcement action through the Federal Court to seek civil penalties in the event of non-compliance, however these will be met within existing resources.

Regulatory Burden and Cost Offset Estimate - Option 3: Security Framework

Average Annual Regulatory Costs (from Business as usual)
Change in costs ($M) Business Community Organisations Individuals Total change in cost
Total by Sector $0.220 $0 $0 $0.220
Cost offset ($M) Business Community Organisations Individuals Total by Source
Agency $0 $0 $0 $0
Within portfolio $0 $0 $0 $0
Outside portfolio $0.578 $0 $0 $0.578
Total by Sector $0.578 $0 $0 $0.578
Are all new costs offset?

[ ✓ ]   Yes, costs are offset  

Total (Change in costs - Cost offset) ( $M ) -$0.358

The regulatory cost of offsets noted in the above table have been identified within the Communications portfolio. The cost offsets are taken from the cost savings arising from the removal of retail price controls in telecommunications (costs have been agreed with OBPR and reported in Q1 2015).

5.3.2 Benefits of Option 3

A security framework would codify and support a more intensive and tailored two-way channel for the timely sharing of sensitive threat and risk information, improving both government and industry's capability to respond to threats in a strategic manner. The regime would effectively be self-governing with industry only being required to engage with government where there are material changes that affect more sensitive parts of their systems or equipment or where non-compliance resulted in enforcement.

Compliance with the core principles of the security framework (i.e. competent supervision and effective control) could be further used as a marketing opportunity by C/CSPs. For example, if a C/CSP's wholesale product or service is already compliant under the security framework, a re-seller no longer needs to demonstrate competent supervision and effective control over the same product or service. Although the re-seller would have to protect its own individual network including the details of its customers, the wholesale C/CSP's compliant product or service could be used as security assurance thereby significantly lowering the re-seller's compliance costs.

Clarity in expectations would enable C/CSPs to make informed business decisions which are appropriate to the level of security risks. A benefit may arise from frequent engagement and the provision of tailored national security threat information to high risk C/CSPs, which could reduce potential delays to future procurements. This is based on an assumption that high priority C/CSPs will have greater national security risk awareness and clarity about government's expectations than under the status quo where material changes to networks or facilities present national security risks. A consistent approach by government to national security risks may help preserve diversity of supply, by placing a greater value on trusted, higher security suppliers lifting overall security standards (through continued competition) in the longer term.

A transparent security framework would more clearly set out government's expectations over industry's management of national security risks and provision of mitigation plans at an early stage rather than late in the process, before contracts are signed, which often currently occurs. Clear authoritative signals through a direction about national security risks and means to mitigate them may make it easier for a C/CSP to persuade its Board to release funding for a secure supply option or to address potential security risks. [redacted text] This minimises complications where procurement decisions are made by boards outside Australia. Clear expectations and processes provide greater certainty for decision making. Grounds for directing mitigation or alternative actions would ultimately be determined by security agencies, based on an assessment of risk following their engagement with a C/CSP. The powers of direction would serve as a means to support the existing powers in the Telecommunications Act relating to national interest matters.

The advantages of a security framework are that it could:

focus on security outcomes rather than absolute technical requirements, making it adaptable to changes in technology and the telecommunications market;
provide greater clarity, control and certainty for industry by focusing on self-governance and demonstration of compliance;
be applied equitably across the telecommunications sector; and
provide a more effective incentive for industry to place greater emphasis on national security considerations in its business decisions.

This Option achieves security outcomes yet still provides flexibility regarding how risks are managed and networks protected. For example, subject to a direction being issued, the framework is based on broad legislative obligations rather than specifying technical requirements for networks and facilities. The administrative guidelines are intended to provide a flexible and easily revisable form to provide more detail about how these obligations should be achieved. There would however, be clear enforcement mechanisms to manage non-compliance so the security risk can be effectively managed.

The level of national security risk will determine the level of engagement required between a C/CSP and government agencies, with costs of compliance based on the level of national security risks that may be presented through any material changes to a C/CSP's networks. Security agencies would establish close relationships with a number of [redacted text] high priority carriers and meet on a monthly basis to understand the business model of the C/CSP, its network operations, and provide targeted threat information based on the characteristics of each C/CSP. The ability to require information early in a decision making process will be significant in determining the national security risk and reducing costs on industry.

Past significant procurement examples among larger carriers in recent years indicate that existing national security regulatory compliance costs are being incurred by C/CSPs that are compliant with the existing regulation. A C/CSP with advanced in-house expertise and management would benefit from a lower risk profile than a C/CSP seeking to outsource or off-shore the supply of its equipment and managed services.

Administrative guidelines would put in place clear requirements for engagement. Information flow for C/CSPs would have regard to their risk profile and will assist security agencies to properly assess the risk level and keep this up-to-date. It might be possible to achieve something similar under the Code although it is likely to be less targeted and less flexible.

There is certainty in provisions that enable enforcement. Industry may avoid having to mitigate or replace high risk systems and achieve longer term savings in infrastructure being supported by more lower risk suppliers. C/CSPs would have the flexibility to meet government's security obligations yet still be adaptable to changes in technology and the broader telecommunications market.

The framework is intended to maximise cooperative engagement between C/CSPs and government on matters of national security. Where such a relationship works effectively there may be no need to invoke more formal directive powers. Administrative penalties or directions to C/CSPs would only be imposed where a risk has been assessed as significant and prior engagement has proved ineffective.

5.3.3 Risks of Option 3

The most significant risk is that, although the framework is designed to build upon cooperative relationships and collaboration, the introduction of formal information gathering and direction powers may reduce the likelihood that national security risks will continue to be managed cooperatively. In other words, the existence of powers compelling action, and associated protections, may mean that C/CSPs would prefer to have the security of a formal notice or direction when providing information of making a decision which prioritises national security interest over commercial interests.

Risks for option 3 include pressure on market and competition costs caused by potential restrictions on significant procurements, particularly those in more sensitive parts of telecommunications infrastructure. [redacted text] Some suppliers [redacted text] may be restricted from competing for small parts of this more [redacted text] sensitive market [redacted text]. However it should be noted that this can already be achieved under the status quo.

Option 3 also potentially imposes new costs on lower risk C/CSPs that to date have avoided needing to engage with security agencies. Under this option all C/CSPs would need to engage, however the level of engagement would be proportional to the risk posed by the C/CSP. As such, any new costs are likely to be minimal or capable of being mitigated through clear communications and relying on the notification requirement under the obligation to protect networks.

[redacted text] There is a risk of possible delays to procurement or business decisions pending an assessment of risk. This is less likely to occur where a C/CSP engages early and intensively with security agencies. Just as under the status quo and Code option, C/CSPs would be required to bear the costs of considering alternative suppliers, or the cost of specific mitigations where the supply of equipment or services presents a national security risk.

Greater intervention in the planning of network design and procurement decisions may reduce business autonomy of C/CSPs. Enforceable obligations to share information and protect networks will mean that security agencies will be more influential in significant procurements that present potential risks. [redacted text] While these risks are present in all of the proposed reform options - [redacted text] the threat of applying section 581(3) can already impose such restrictions - it is more likely to have a broader effect under Option 3.

Where government seeks to reduce the risk posed by specific design features present in a system provided by a supplier, its intervention with a C/CSP may result in suppliers needing to undertake potentially costly modifications. However, early engagement with government would minimise the risk of C/CSPs entering into contractual arrangements with suppliers and/or managed services that subsequently required costly modifications to be undertaken. [14]

5.3.4 Summary of Net Benefits for Option 3

Option 3 is an improvement to maintaining the status quo and developing an industry Code. It most effectively addresses the primary policy objective of providing an effective and efficient mechanism for managing national security risks by providing:

a clear statement of government's expectations with respect to the management of national security obligations - including clarifying that responsibility for managing risks rests with C/CSPS;
enforceable obligations on C/CSPs to protect their networks - this will facilitate and incentivise proactive management of risks and early engagement with security agencies;
information gathering powers to facilitate the timely provision of information from industry to government to enable the assessment of national security risks;
broad and flexible direction powers to facilitate speedy resolution of non-compliance and national security risks and avoid protracted negotiations - for example, the regulator can specifically direct action to address a national security risk on a case-by case basis; and
a civil penalty regime to enforce directions and notices to produce information issued by the regulator.

Key risks of Option 3 include:

reduced business autonomy of C/CSPs - the requirement to protect networks and facilities may restrict business decisions on procurements and network design. While these risks are present in all of the proposed reform options - [redacted text] the threat of applying section 581(3) can already impose such restrictions - they are likely to have a broader effect under Option 3; and
reduced cooperation and increased enforcement action - the existence of formal powers may mean some C/CSPs will insist on formal notifications before releasing information and directions before implementing risk mitigation measures.

There will be a small increase in the regulatory burden to industry under this option, however this is estimated to be lower than the total regulatory burden costs associated with an industry Code. These costs will reflect the resources required to ensure networks are protected from interference, engaging with security agencies including providing information, and responding to enforcement action and will be applied equitably to the entire sector.

Greater clarity of government national security expectations will facilitate early engagement and timely provision of information which will enable security agencies to provide threat assessments more quickly. Direction powers will provide greater certainty for business planning and decision making resulting in a security management process that is more efficient and less costly. The social, community and economic benefits of a security framework for the ongoing protection of data are anticipated to outweigh the modest additional administrative and compliance costs to industry and risks.

5.4 Option 4 Investment Plans - Amending Legislation

5.4.1 Costs of Option 4

Annual administrative and compliance costs for this option would be the same as for Option three ($184 317 over 10 years) plus an additional $357 926 for the management of investment plans by approximately 1560 C/CSPs which equates to a total of: $542 243. This is using an assumption of an average three hours for each C/CSP for a professional level member of staff to complete an investment plan. This calculation is based on an assumption that carriers will be able to get some leverage from their existing compliance activities relating to an ICP in the production of an investment plan. Most CSPs will generally be using a carrier's infrastructure or re-selling services so the investment plan should be less onerous and take around three hours. The limited data provided by industry means these costs are estimates only and based on a break-down of possible administrative and compliance related activity.

Costs to Government

The estimated resources required in ASIO and AGD to implement the security framework in Option 3 totalling approximately $1.6m would also be captured under Option 4. In addition to these costs, there would be an additional resource cost for AGD to administer and assess the receipt of an annual investment plans. This is estimated to cost a further $130 000.

Regulatory Burden and Cost Offset Estimate - Option 4: Investment Plans [15]

Average Annual Regulatory Costs (from Business as usual)
Change in costs ($M) Business Community Organisations Individuals Total change in cost
Total by Sector $0.578 $0 $0 $0.578
Cost offset ($M) Business Community Organisations Individuals Total by Source
Agency $0 $0 $0 $0
Within portfolio $0 $0 $0 $0
Outside portfolio $0.578 $0 $0 $0.578
Total by Sector $0.578 $0 $0 $0.578
Are all new costs offset?

□   Yes, costs are offset

Total (Change in costs - Cost offset) ( $M ) $0

The regulatory cost of offsets noted in the above table have been identified within the Communications portfolio. The cost offsets are taken from the cost savings arising from the removal of retail price controls in telecommunications (costs have been agreed with OBPR and reported in Q1 2015).

5.4.2 Benefits of Option 4

In addition to the benefits outlined under Option 3, investment plans would require industry to focus on all procurements in the forthcoming year and systematically consider potential national security threats, drawing on government advice. Industry would benefit by transferring the management of risk to government, once a plan is submitted. The benefit to government would be access to information providing visibility of potential risks.

Similar to Option 3, this option meets the proposed reforms' outcomes of: timely information from industry on material changes to networks or facilities to enable the assessment of national security risks; timely provision of threat information to industry by security agencies; and efficient and effective mitigation of national security risks.

5.4.3 Risks of Option 4

While Option 4 would appear to be the most complete 'compliance approach', it would not focus in efficiency terms on where the highest risks lie, as it would require all C/CSPs to provide data, despite there being a very low risk of national security threats in the vast majority of the 1560 C/CSPs. It would also encourage a transfer of the management of risk from a C/CSP to government, once an investment plan is submitted. A C/CSP may consider it had discharged its obligation and responsibility for assessment and treatment of risk by submission of such a proposal.

The length and complexity of ICPs under the TIA Act are commeasurable to the size of the industry participant's infrastructure, services and customer base. They generally range from five pages (simple template response) to 100 pages, for larger C/CSPs providing multiple telecommunications services. It is assumed that investment plans would range in a similar way. [redacted text]

5.4.4 Summary of Net Benefits under Option Four

While it would achieve closer engagement with industry, the administrative costs would be significant (which may be passed on to consumers). The preparation of investment plans involves collating information across the business, preparing a detailed response and seeking clearance through legal and management. It would require the compilation of data from procurement documents and submitting it in an approved format to government. A C/CSP would be required to make an assessment of what and how much to notify and if their risk threshold is low or undetermined, could potentially result in a C/CSP providing too much detail on business planning.

Option four provides a medium - high degree of effectiveness meeting the objective, which is to establish an efficient mechanism for the management of national security risks through government and industry engagement. While national security outcomes would be able to be managed, there would be a significant compliance burden on industry and government would need to place significant resources to ensure it is able to manage the transfer of risks by way of its receipt of investment plans.

The investment plan approach considered under Option 4 is not considered to drive a net benefit, largely as the risk to government increases through the transmission of business plans from industry for assessment. This results in a larger cost to business of $578 000 and government of $1.6m a year in order to monitor these risks.

6 Who will you consult and how will you consult them?

In progressing the TSSR proposal for the government's consideration, AGD undertook extensive consultations with industry (in addition to ongoing consultations with relevant government agencies). There has also been a broader public consultation process undertaken by the PJCIS in 2012-13. Government agencies continue to support the proposed security framework and its regulation by AGD. Outcomes of industry consultations and our response are summarised below.

Initial targeted consultation with industry ( [redacted text] the largest C/CSPs and the Communications Alliance) was undertaken in early 2012 to explore views on a telecommunications security framework, including its feasibility, impact on business and cost. The feedback from industry included reservations on potential reporting/notification requirements, and potential for regulatory overlap. Other issues concerned a desire for a level playing field and clarity about government's expectations under a framework.

To address industry's key concern on new reporting/notification requirements, the proposed framework was refined to leverage the existing notification mechanism through section 202B of the TIA Act, rather than establishing another 'notification framework' for all C/CSPs. AGD also undertook further work on the presentation of the proposal to illustrate how the risk management concepts of competent supervision and effective control would apply equitably to all C/CSPs, providing assurance over national security risks presented through the supply of equipment and services.

During 2012-13 consultations, industry also sought greater clarity about government's expectations, advocating the development of guidelines to provide further details. In consultation with industry, AGD subsequently produced draft guidelines to provide industry with a better understanding of its obligations under the framework. AGD circulated the draft guidelines for comment setting out how national security threats may be minimised using the concepts of competent supervision and effective control over the network and the information held and passing across it. Industry has shown interest in working with government to develop the guidelines further and supports principles that enable choice of the most appropriate means to manage security risks. The guidelines would be a living document, and government and industry would have the opportunity to update the guidelines as needed.

The focus of the proposal presented for the PJCIS inquiry in mid-2012 was to ensure an even-handed and suitably light-touch approach - this was articulated in a discussion paper that was released publicly. In its June 2013 Report, the PJCIS noted 'warm, if cautious support' of most industry submitters for the proposed reforms and recommended the government proceed with developing a security framework. It should be noted that during the PJCIS inquiry Macquarie Telecom disagreed that there is a need for government intervention on the issue of security, submitting that providing security was already in the interest of service providers.

The PJCIS recommended (at recommendation 19) the government amend legislation to create a telecommunications security framework, including a RIS to cover aspects such as competition impact and regulatory overlap. The PJCIS also recommended government consider any existing obligations, including compatibility with existing corporate governance frameworks, and to look at any good faith provisions.

The current proposal is intended to work with existing national security regulation, particularly the good faith provisions under section 313 of the Telecommunications Act. It also supplements the existing extreme section 581(3) power of the Telecommunications Act, which allows for cessation of a service, and leverages the notification obligation under section 202B of the TIA Act rather than creating a new notification requirement. There are no direct responsibilities under corporations law relating to obligations to manage national security risks, nor are there any incompatibilities.

6.1 Early 2014 consultations

As part of the targeted engagement, AGD consulted [redacted text] carriers considered to be of the most interest from a national security perspective to provide guidance about government's expectations of the management of national security risks. Those consulted are broadly accepting of the need for a security framework.

Further consultation with industry was undertaken by AGD and Department of Communications in April-June 2014; those consultations focused on the proposed security framework and cost recovery for the regulation of the framework through the Annual Carrier Licence Charge. The consultations entailed targeted roundtable meetings in Sydney and Melbourne (April 2014 - details at Attachment B ), written submissions by key C/CSPs and industry bodies (May 2014), and individual meetings between AGD senior officials and C/CSP senior executives.

The outcome of the recent consultations highlighted that industry is reasonably comfortable with the security framework provided it is clearly communicated where national security threats apply to C/CSPs and is administered in a way that seeks to create a level playing field for C/CSPs. Issues raised by industry at the meetings and written submissions included:

clarity from government about the actual threat, where the problem lies and what will change under the security framework;
how TSSR is compatible with the government's deregulation agenda;
where responsibility for security assurance would lie in a wholesale vs retail / resale scenario;
likely compliance costs for industry;
why AGD is seeking to recover costs of up to $2m from industry for its regulatory function; and
whether the proposed transition period may be extended from 6 to 12 months.

AGD has responded to industry's key concern on the threat and the changes required under the framework by clarifying that the framework would not apply to all aspects of a C/CSP's business but to more sensitive areas of networks and facilities - this has lessened industry concerns. AGD has also undertaken to develop an administrative explanatory note (guidance document) for industry to provide greater clarity around the purpose and scope of the security framework. This would provide a communications tool (in addition to the existing industry guidelines) that would articulate the national security threat and the anticipated changes under the framework.

The guidance document would further explain that the framework would supplement existing obligations under section 581(3) of the Telecommunications Act, establishing a formal two-way information sharing process, and proportionate and graduated intervention measures for government. AGD has also agreed to work closely with Communications Alliance (as the peak industry body) to refine industry guidelines, and jointly explore options to develop an efficient and cost-effective security assurance process, which would result in the least compliance impost on industry. In addition, to address industry's concerns around the cost recovery of $2m per annum, the government has decided to not cost recover for its regulatory and administrative functions.

Regarding the transition period, AGD has suggested that C/CSPs will have sufficient time to familiarise themselves with the TSSR, so a 12 month transition period should not be necessary. If a C/CSP is not compliant when the scheme commences - security agencies will continue their engagement to resolve existing issues by developing appropriate mitigation measures. As in all cases, formal compliance measures (including directions) would only be engaged if agreement could not be reached between security agencies and C/CSPs or there was wilful non-compliance.

On 21 May 2014, to elicit greater engagement over administrative and compliance costs, AGD provided selected industry members and the Communications Alliance with a redacted version of the draft RIS (with more detailed analysis of the additional effort associated under a security framework) seeking feedback on estimates of industry compliance costs. To date, industry has been unable to provide quantitative cost estimates. However, their feedback resulted in a significant decrease in the notional number of 7 FTE that AGD had allocated across the sector, as most compliance costs are already part of existing regulation. Initially, AGD had suggested that approximately 7 FTE staff maybe required to administer changes under a security framework which was estimated at $680 000 - using the professional wage category from OBPR guidance ($43.70 an hour including on-costs).

During further consultation with industry over draft guidelines and the impact analysis from the draft RIS, industry sought greater granularity about the estimated monitoring and compliance activities that a C/CSP would need to undertake to ensure compliance with the framework. Based on feedback, ongoing regulatory burden costs for C/CSPs was revised down to $220 000.

Other key feedback received from industry has been taken into account in this RIS, particularly industry's general preference for a self-regulatory model and its costing experience developing a Code. It should be noted that the Communications Alliance and Telstra's (Telstra requested to keep its input confidential) feedback on the draft RIS expressed a preference for self-regulatory (Code) model. Optus (the second largest C/CSP) acknowledged that "...an industry Code, in itself, may not be capable of achieving a comprehensive regulatory solution as it cannot directly address the components of government involvement".

6.2 February-March 2015 Targeted Consultation

A further round of targeted industry consultation was undertaken in February-March 2015 with a small number of C/CSPs and the two peak bodies (details at Attachment B) and provided more detail about the proposed legislative provisions and how they would operate in conjunction with the draft Guidelines. The purpose of the consultation was to clarify industry's understanding of the proposed framework. The consultation took the form of a roundtable meeting and one-on-one meetings with Vodafone Hutchison Alliance, Telstra, Optus and NBN Co. While views expressed at the roundtable and one-on-one meetings were fairly consistent with feedback provided in previous consultations and there appeared to be general support for an outcomes based regulatory approach, a couple of written submissions were found to be critical of the framework.

While more detail about the proposed legislative provided some degree of certainty and comfort about the intended operation of the legislation, there was concern expressed that it was still not clear what parts of networks would need to be protected and how. Further information was provided to Telstra and the Communications Alliance in the form of a factsheet highlighting sensitive parts of networks and what changes to networks might trigger the notification requirement. More detail will be provided in the Explanatory Memorandum and revised Guidelines.

C/CSPs indicated they still do not support the cost recovery model and consider that the cost should be borne by government. Recognising the sensitivities associated with imposing further costs on the telecommunications industry on the back of data retention and copyright reforms a decision was made to drop the cost recovery proposal and fund the activity from within government.

A key area of concern was the operation of the draft industry guidelines. There was still some confusion about whether the draft guidelines were enforceable and prescribed rules. Also there was some concern that the Guidelines relied heavily on an ITU standard which some carriers (particularly Telstra) said needed addressing. It was clarified that the Guidelines are a work in progress and would be further developed with industry as they are intended to be meaningful for industry.

7 What is the best option from those you have considered?

Of the four options considered, Option 3 is considered to meet the government's policy objective of a more efficient and effective mechanism for the management of national security risks to the telecommunications sector through collaboration between government and industry.

Option 1, maintain the status quo, would not increase any regulatory burden on industry and would continue to rely on building and maintaining cooperative relationships with industry. However, costs to C/CSPs of managing national security risks on an ad hoc and cooperative basis are likely to present an overall larger cost where a national security risk necessitates extensive engagement to achieve security outcomes, including costs associated with any remedial or mitigation action. Such costs are likely to continue to be borne by the top tier carriers, potentially placing them at a commercial disadvantage to their competitors who attract less national security scrutiny. The absence of a requirement on C/CSPs to provide information to security agencies means security agencies would continue to have a low degree of visibility of risks across the telecommunications sector, and their ability to develop threat assessments is compromised. Reliance on cooperation and goodwill to achieve national security outcomes is inherently risky - it may be insufficient to counter market processes and/or cooperation may not always be achievable. Continued lack of certainty about government's national security expectations and when section 581(3) might be appropriately used means that negotiation to achieve national security outcomes will continue to be protracted, costly and time consuming for industry and government. C/CSPs will not have a clear mandate to assist their Boards balance national security risks against competitive and commercial interests. Continuing the existing regulation under Option 1 would not result in additional administrative or compliance costs for industry or government, noting that come C/CSPs already incur engagement and voluntary compliance costs.

Option 2, develop an Industry Code, would improve the status quo. It would provide a mechanism for greater clarity around government's national security management expectations, including expectations about information sharing and early engagement with government on procurement planning. The benefits of facilitating greater awareness of national security risks, greater clarity around security management expectations and codifying engagement are not sufficient when balanced with the effort required by industry to develop and register the Code, and the risks that enforcement mechanisms will be effective.

The current restrictions on the scope and operation of Industry Code rules under Part 6 of the Telecommunications Act could limit the effectiveness of the Code to impose clear and broad obligations on C/CSPs to protect networks and cooperate with security agencies on the design and planning of networks and facilities (an amendment to existing provisions could address these restrictions). It is likely that a Code would be technically, rather than national security outcomes, focussed and not provide flexibility to address national security risks on a case-by-case basis as required. The long timeframes associated with developing and enforcing non-compliance under the Code also present significant risks. If the Code fails to provide clear enforceable requirements that C/CSPs must cooperate with national security advice, associated enforcement mechanisms will be inadequate. The directions power is restricted to enforcing compliance with Code provisions. In the absence of a direction to comply, compliance with a Code provision may be treated as optional by some company boards and an insufficient mandate when considering national security risks over commercial interests. The additional regulatory burden to industry under Option 2 is approximately $360 000. Government administration costs are estimated to total $2.1m.

The legislative security framework under Option 3 is the best option for achieving an effective and efficient framework for managing national security risks to the Telecommunications sector. It provides a mechanism for imposing clear obligations on industry for the management of security risks, including an expectation that C/CSPs will proactively engage with government to manage those risks. It promotes close engagement between industry and government, while providing effective and efficient mechanisms for addressing security concerns where they cannot be achieved on a cooperative basis. It provides the most effective mechanism for ensuring that government can obtain the information it needs from the telecommunications sector to develop comprehensive and targeted threat assessments. Provided that option three is implemented in a risk-based way, focussed on achieving national security outcomes rather than technical requirements, it will substantially address industry's concerns about a direct regulatory model as confirmed through the early 2012 consultation and 2012-13 PJCIS inquiry.

Option 3 strikes a balance between a regulatory approach and allowing business to make decisions in their own interests. C/CSPs would have an overriding obligation to protect their networks and the data stored and transmitted across them, while retaining flexibility in the majority of their business and investment decisions. Implementation will need to be managed carefully to ensure the requirement to protect networks and facilities does not unnecessarily restrict innovation and network design autonomy, government is best placed to identify and assess emerging national security risks and provide clear guidance to industry on effective protections and controls to mitigate such risks, while the telecommunications industry is best placed to determine the most appropriate operational and technical controls for their respective businesses. The framework under Option 3 aims to build in flexibility by avoiding overly prescriptive regulatory requirements on industry, with Government responsible for providing a clear set of security guidelines to articulate the risks that must be managed by C/CSPs. As such, government would continue to remain sensitive to the commercial interests of industry by communicating well in advance its expectations to help industry meet their broader operational and commercial requirements.

A key risk is that the existence of formal powers may mean some C/CSPs will insist on formal notifications before releasing information and directions before implementing risk mitigation measures, reducing cooperation and inadvertently driving a compliance based approach. Early engagement and consultation with industry will seek to mitigate this risk.

There will be an increase in the regulatory burden to industry under this option in addition to existing administrative and compliance costs, and could mean that some lower risk C/CSPs would have to enhance security and engagement with government capabilities. These costs will be small given the lower level of engagement with low priority C/CSPs and will ensure administrative and compliance costs are applied more equitably across the entire sector then occurs under the status quo. The regulatory burden to industry under Option 3 is $220 000.Government administration costs are estimated to be $1.4m.

Australia's approach would also be consistent with the direction of recent international developments in managing national security risks to telecommunications infrastructure noting that likeminded countries are pursuing stronger regulatory measures (see Attachment C ).

Option 4 provides the overall net benefits of Option 3 with an added layer of regulation and cost. It potentially duplicates existing legislative obligations under the TIA Act, to produce annual Investment Plans. There are little additional benefits gained from a national security management perspective when balanced with the regulatory burden placed on industry to produce these plans. The regulatory burden to industry under Option 4 is $578 000. Government administration costs are estimated to be $1.53m.

8 How will you implement and evaluate your chosen option?

Subject to the government's agreement, Option three would be implemented through the introduction of an amendment Bill as soon as practicable through Parliament with a six month transition period to enable C/CSPs to prepare for implementation. Regulation would be supported by administrative guidelines and where relevant, timely and specific advice from security agencies on identified areas of risk to networks (including those presented through access by suppliers of concern), and steps required to protect those networks. The guidelines would be a living document. Administrative arrangements would outline the roles and responsibilities of government and industry and would help define and oversee industry's protection of its networks and facilities from a national security perspective. This would contribute to risk prioritisation, establishing engagement and information sharing processes, clarifying audit and enforcement procedures.

Should the Parliament pass amendments to the Telecommunications Act, government would work closely with industry to ensure that it is made aware of its obligations and implement risk mitigation measures to address security concerns during the transition period. An evaluation of the security framework would be undertaken after three years (or earlier if required) to ensure government's policy objectives and outcomes are being met. This evaluation would be supported by data on the number of identified instances of unauthorised access to telecommunications networks and the level of government intervention to mitigate risks.

8.1 Agency Responsible for Regulatory Functions under a security framework

[redacted text] While a security framework enabled through changes to the Telecommunications Act would appear to fall within the remit of the telecommunications regulator - the ACMA - as these reforms are focussed on achieving national security outcomes it is proposed that the appropriate regulator would be AGD. The ACMA does not currently possess national security expertise to effectively develop and implement the reforms and implement them. Furthermore, if it were to develop this capability it is likely to duplicate some of the existing functions of security agencies.

The Secretary of AGD could undertake end-to-end regulation of a security framework in terms of administration and enforcement because:

the Attorney-General has Ministerial responsibility for national security of critical infrastructure, including telecommunications networks and facilities and telecommunications interception powers and powers under the ASIO Act;
AGD has an established and close relationship with intelligence agencies which makes it, and not ACMA, well placed to provide industry with heightened and tailored threat information on Australian telecommunications traffic; and
the existing regulatory powers are managed by the Attorney-General, AGD and ASIO officers.

AGD would also be responsible for escalated statutory intervention through directions and regulatory enforcement of non-compliance as-and-when required. Government would seek to use advice and guidance to encourage risk-informed management of security concerns in the first instance. In cases where engagement with C/CSPs was unsuccessful, or a blatant disregard of security information jeopardises the government's confidence in the security and integrity of Australia's telecommunications infrastructure, powers of direction would facilitate greater compliance.

AGD would regulate the security framework including developing and disseminating guidelines (in consultation with agencies and industry), establishing and maintaining a risk framework with input from security agencies. AGD would be responsible for risk profiling, managing and auditing compliance of 'lower risk' C/CSPs [redacted text] to monitor potential changes in the market and associated risks. AGD would also manage the escalation of non-compliance matters where collaboration fails, including coordinating and engaging with the Department of Communications and relevant agencies on enforcement measures such as issuing directions, and initiating and managing the civil penalty process where non-compliance warrants enforcement. The estimated regulatory burden of $220 000 per annum will be offset by regulatory savings achieved through [redacted text] reforms within the Communications portfolio. OBPR has confirmed this and will report this in Q2 2015. There are limitations in the net benefit analysis due to limited industry data to highlight and compare the costs associated with mitigating national security risks.


Copyright notice

© Australian Taxation Office for the Commonwealth of Australia

You are free to copy, adapt, modify, transmit and distribute material on this website as you wish (but not in any way that suggests the ATO or the Commonwealth endorses you or any of your services or products).