6.1
This chapter discusses a number of other matters raised during the inquiry, including:
transparency, accountability and performance:
the applicability of the Regulator Performance Framework,
annual reporting requirements, and
meeting statutory timeframes.
retrofitting of systems, and
location of data storage.
Transparency, accountability and performance
Regulator Performance Framework
6.2
In its submission to the inquiry, Optus noted that the Bill would establish the Communications Access Co-ordinator (CAC) as a regulator with a ‘substantially expanded set of obligations, a broader range of legislated decision-making duties to perform, and new powers under the Telecommunications Act 1997’. Optus suggested that, given this expanded mandate, and noting the existing role under the Telecommunications (Interception and Access) Act 1979, a formal framework should be put in place to provide accountability and transparency over the regulatory functions of the CAC and Attorney‑General’s Department.
6.3
Optus further suggested that the Government’s Regulator Performance Framework could provide a mechanism to achieve transparency and accountability, and queried whether public reporting of key performance indicators would apply. In response, the Attorney-General’s Department noted that it is ‘committed to transparent reporting’, and subsequently advised that the Government Regulator Performance Framework will apply to the regulatory functions in the Bill.
6.4
The purpose of the Regulator Performance Framework is to provide ‘common performance measures to assess how Commonwealth regulators operate’. The Regulator Performance Framework contains six key performance indicators covering
reducing regulatory burden,
risk-based and proportionate approaches,
efficient and coordinated monitoring,
Annual report
6.5
Proposed section 315J obliges the Secretary of the Attorney-General’s Department to provide an annual report to the Attorney-General on the operation of the provisions in the Bill. The Attorney‑General will be required to present the report in each House of Parliament within 15 sitting days.
6.6
Optus submitted that section 315J should be expanded to specify the sorts of information the annual report will contain:
[N]either the Bill nor the Explanatory Memorandum provide any detail about what is required to be contained in those annual reports and what is the objective. Therefore there is no certainty that the desired transparency and information about regulator performance will be supported by this reporting requirement and we recommend that section 315J in the Bill be expanded to detail what is expected to be contained in the report.
6.7
In its supplementary submission, Optus outlined the sorts of items it considered the CAC should be required to report against in the annual report:
how many notifications it has received (individual and in annual plans),
how many decisions were made,
the timeliness of its decision-making process,
feedback from stakeholders making notifications to the CAC,
instances where direction powers were used,
any learnings about the functioning of the Part of the Act it is administering,
whether the information exchange between industry and government is functioning,
whether the proposed guidelines have been effective in assisting the implementation of the provisions,
whether any lessons for national security and critical infrastructure protection have been learnt,
whether the notification and decision-making process has had any apparent impact on the level or rate of investment being undertaken by the communications sector,
trends in threat and risk information and analysis relevant to this Part of the Act,
the use of information‑gathering powers, and
any breaches of security in the notification or decision-making process being administered by the CAC.
6.8
Optus suggested that, if public reporting raises issues sensitive to national security, there could be reporting to the Committee, or to the Inspector‑General of Intelligence and Security.
6.9
In a supplementary submission, the Attorney-General’s Department noted the annual report could contain information such as:
the number of notifications received,
the CAC’s average response timeframes, and
the number of occasions on which the information-gathering power has been exercised.
Meeting statutory timeframes by the CAC
6.10
Optus noted the potential impacts on industry that could arise if the regulatory performance of the CAC is not efficient and processes implemented within statutory timeframes:
If the process administered by the CAC is not run efficiently and within the mandated timeframes, it has the potential to disrupt billions of dollars in investments made by communications companies each year, adversely impacting business plans and consumers nation-wide.
6.11
Optus suggested that, if the statutory timeframe requirements for the CAC responding to notifications and security capability plans are not met, then the notification or security capability plan should be deemed as ‘agreed’, unless a formal notice is provided by the CAC of an extended assessment period:
Sections 314B(6) and 314D(6) of the Bill impose timeframes in which the CAC is required to respond to individual notifications and security capability plans, however, they are silent on what occurs if these timeframes are not met by the CAC. This places an unacceptable level of commercial risk on providers.
The Bill should outline what the outcome will be if the CAC does not respond within the required timeframe. In Optus’s view, if the CAC does not respond with a decision within the specified time limits, the notification or security capability plan should be deemed to be agreed unless formal notice is provided by the CAC of an extended assessment period with a revised notification date. Such a notice should be open to administrative review and further deadlines so it cannot be rolled over indefinitely.
6.12
In response, the Attorney-General’s Department argued that Optus’s suggestion would ‘not be appropriate or effective within the framework established by the Bill’:
The Communications Access Co-ordinator does not have any role in agreeing to (or rejecting) notifications or security capability plans. The purpose of the notifications and security capability plans and the role of the Communications Access Co-ordinator is to enable early engagement and advice on changes that create a risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities and to enable appropriate risk mitigation strategies to be implemented.
6.13
The Attorney-General’s Department added:
In the unlikely event the Communications Access Co-ordinator does not respond to a notification or security capability plan within the prescribed timeframe, this would be a factor the Attorney-General would need to consider before exercising the direction under s315B. The Attorney-General is required to consider if all attempts to negotiate in good faith with the C/CSP had occurred before issuing this direction.
6.14
However, the Attorney‑General’s Department noted that it was ‘open’ to
amending the Explanatory Memorandum to specify that, if the Communications Access Co-ordinator does not respond within the prescribed timeframe, the Attorney-General must take account of this as part of his or her assessment of whether negotiations with the carrier or nominated carriage service provider had been carried out in good faith.
6.15
During a public hearing, the Committee asked the Attorney‑General’s Department if there would be any mechanism for compensation or other forms of redress if a company did not receive a response to a notification from the CAC within the statutory timeframes set out in the Bill.
6.16
The Attorney‑General’s Department indicated that it was ‘not proposing any compensation mechanisms in the Bill.’
Committee comment
6.17
The Committee considers regulation of the telecommunications sector should be efficient, effective, transparent and accountable; ensuring minimal regulatory burden is imposed on regulated entities, while also meeting national security objectives.
6.18
The Committee notes that the following aspects of the Bill are intended to support transparency and accountability:
statutory consultation requirements,
requirements to provide industry with information about decisions, such as written notices about adverse security assessments,
a requirement to produce an annual report.
6.19
The Attorney-General’s Department also confirmed during the inquiry that the Government’s Regulator Performance Framework will apply to the regulatory functions in the Bill.
6.20
The Committee notes that proposed section 315 of the Bill requires an annual report on the provisions in the Bill to be produced, however, it does not specify what information the report should contain. The Committee recommends that the Bill specify particular reporting requirements.
6.21
The Committee recommends that section 315J of the Telecommunications and Other Legislation Amendment Bill 2016 be amended to specify that the annual report presented to Parliament must include:
the number of occasions the information-gathering powers have been exercised,
the number of notifications and security capability plans received,
regulatory performance measures, including the average response timeframes of the Communications Access Co-ordinator to notifications and the proportion of responses made within the statutory timeframes,
details of the Government’s information-sharing arrangements with industry,
a summary of any feedback or complaints received from stakeholders, and
the number of occasions the directions-powers have been exercised.
The annual report should indicate if trends or issues have emerged in relation to any of the above.
6.22
The Bill contains clear statutory timeframes for the CAC to respond to notifications and security capability plans received from industry. The Attorney-General’s Department has provided assurances that it would be unlikely for CAC to fail to meet these timeframes.
6.23
However, the Committee notes that industry has sought clarity about what would happen in circumstances where the CAC did fail to meet the statutory timeframes for notification set out in the Bill. The Attorney‑General’s Department advised that, prior to issuing any direction, the Attorney‑General is required to consider whether all attempts have been made to negotiate in good faith with C/CSPs. Accordingly, in such circumstances, the Attorney‑General would consider whether response timeframes have been met. The Committee recommends the Explanatory Memorandum be amended to reflect this.
6.24
Industry suggested that, if statutory timeframes for the CAC are not met, then the notification or security capability plan should be deemed as ‘agreed’, unless a formal notice is provided by the CAC of an extended assessment period. The Committee appreciates that delays in responses by the CAC could create uncertainty and hinder the ability of companies to innovate and invest. The onus should be on the CAC to provide adequate notice if he or she is not able to respond to the notification within the statutory timeframe. In the absence of such notice, the Committee considers it reasonable that the carrier or nominated carriage service provider should be able to proceed with a proposed change and should not be financially penalised if it is later directed to reverse the change, particularly if the company has acted in ‘good faith’ throughout the process. While there is no specific mechanism proposed in the Bill for companies to seek recovery of costs in these circumstances, the Committee considers it reasonable that compensation avenues are available.
6.25
The Committee considers that the Explanatory Memorandum should be amended to outline the existing avenues available for industry to recover reasonable costs in circumstances where the CAC has not responded to a notification within the statutory timeframe, and, as a result, a C/CSP is required to change a business decision it has already proceeded with (such as procuring new equipment or entering into a contract) following issuance of a direction by the Attorney‑General.
6.26
The Committee notes that the Commonwealth Government has powers to provide discretionary financial assistance in circumstances where there is a moral responsibility to provide assistance, rather than a legal responsibility. Assistance may be made available, for example, where a person or entity has suffered detriment due to the defective actions or inaction of the Commonwealth Government, including defective administration.
6.27
The Committee recommends the Explanatory Memorandum for the Telecommunications and Other Legislation Amendment Bill 2016 be amended to clarify that negotiating in ‘good faith’, as set out in proposed subsection 315B(5), includes whether the Communications Access Co-ordinator has complied with the applicable statutory timeframes.
This would make it clear that the Attorney-General will take into account whether the Communications Access Co-ordinator responded to any relevant notifications or security capability plans received from industry within the applicable statutory timeframe, prior to issuing a direction.
6.28
The Committee recommends that the Explanatory Memorandum to the Telecommunications and Other Legislation Amendment Bill 2016 be amended to outline the avenues available for industry to recover reasonable costs in circumstances where:
the Communications Access Co-ordinator has not responded within the statutory timeframe to the carrier or nominated carriage service provider (C/NCSP)’s notification of a proposed change, and
the C/NCSP has proceeded with the proposed change on the basis of no response having been received, and
the Attorney-General has subsequently issued a direction relating to the change.
Retrofitting of systems
6.29
Industry Associations and Macquarie Telecom Group raised concerns about the possible retrofitting of existing systems in order to meet the security obligations in the Bill. The Industry Associations suggested the Bill should, ‘at the very least’, make explicit that the intention is not to require retrofits except in ‘rare and extremely serious circumstances’:
Section 313 (1) places security obligations on C/CSPs without further distinction of the age of the systems, networks and facilities (jointly systems) or whether systems are already existing and in place vs. newly installed systems.
Given the very high bar placed by the definition of security, the large financial commitment that telecommunications infrastructure typically represents and the risk that a retrofit direction could cost a C/CSP hundreds of millions of dollars—or more—a simple assurance in the Explanatory Memorandum and Guidelines that non-compliant systems will not be penalised does not create sufficient certainty for C/CSPs.
6.30
The Industry Associations further suggested that a sunset clause should be included on the ability to issue a direction for network retrofit:
The legislation could, for example, state that Government’s right to require a retrofit expires 12 months after the expiry of the implementation period (i.e. two years after the date of Royal Assent). This would provide at least some element of certainty for C/CSPs as to the longevity of existing systems.
6.31
In its submission, the Attorney-General’s Department noted:
C/CSPs will not be expected to retrofit all systems in order to comply with the security obligation to protect networks and facilities from unauthorised interference and access. Should there be a case where significant national security vulnerabilities are identified in an existing system, security agencies would work collaboratively with the C/CSP to develop solutions to better manage the risks posed by the existing vulnerability.
6.32
The Attorney-General’s Department elaborated on this position in its supplementary submission:
C/CSPs are not expected to retrofit existing systems on commencement of this security obligation. However, there may be very rare cases where a significant security vulnerability is found in an existing system that could facilitate acts of espionage, sabotage and foreign interference. In such cases, government agencies will work with the C/CSP to develop cost effective solutions to better manage risks posed by the identified vulnerability.
If a risk was identified for an existing system (as opposed to a risk associated with a proposed change), this would be taken into account in any direction making process, particularly with regard to the requirement that agencies and industry negotiate in good faith. The Attorney-General would only issue a direction to do or not do a specified act or thing as a measure of last resort where all efforts to reach agreement cooperatively have failed. This power also requires the Attorney-General to take into account a range of matters, including costs likely to be incurred by the C/CSP.
6.33
The Explanatory Memorandum provides the following advice with respect to possible retrofitting:
While the security obligation will have immediate effect from the expiry date of the implementation period, existing networks and facilities in place at the time the security obligation comes into effect that are non-compliant will not be subject to civil penalties for non-compliance with the security obligation to protect networks and facilities under subsections 313(1A) and (2A). C/CSPs are not expected to retrofit all systems on commencement of this security obligation. However, there may be very rare cases where a significant security vulnerability is found in an existing system that could facilitate acts of espionage, sabotage and foreign interference. In such cases, Government agencies will seek to work with the provider to develop cost effective solutions to better manage the risks posed by the existing vulnerability. Subject to how serious the security risk is and how willing the C/CSP is to collaborate with Government to manage the risk, the Attorney-General could issue a direction requiring mitigation measures to be implemented.
Committee comment
6.34
The Committee acknowledges industry’s concern that the powers in the Bill could be potentially used to compel companies to retrofit existing systems at a significant cost to those companies.
6.35
The Committee notes that the Explanatory Memorandum states that C/CSPs would only be required to retrofit systems in ‘very’ rare cases where a ‘significant’ security vulnerability is found in an existing system that could facilitate acts of espionage, sabotage and foreign interference.
6.36
The Committee also notes that C/CSPs will not be required to retrofit all systems on commencement of the proposed security obligations in the Bill. If existing networks and facilities are found to be non‑compliant at the commencement of the security obligation, then the owners of those networks will not be subject to civil penalties for non-compliance with the security obligation.
6.37
However, the Committee considers that industry’s proposition that the Bill include a blanket sunset clause on the power to issue a direction for network retrofit could reduce the capability to address such serious national security vulnerabilities.
6.38
As discussed in Chapter 5, the Bill sets out that before issuing any direction the Attorney-General would need to be satisfied that the Government had taken ‘reasonable steps’ to negotiate in good faith with the C/CSP or intermediary. Further, the Attorney-General would need to have regard to the costs likely to be incurred by the C/CSP or intermediary and the potential consequences for customers or for competition in the industry. The Attorney-General must also consult with the Minister for Communications and the Arts about the proposed direction.
6.39
The Committee considers that these requirements should ensure that directions are only issued in relation to existing systems where there are pressing national security needs and a satisfactory outcome has not been able to be addressed through collaboration and good faith negotiations.
6.40
Therefore, the Committee does not consider any change is required to the Bill in this respect.
Location of stored data
6.41
The draft administrative guidelines to support the implementation of the regime proposed in the Bill indicate that the practice of offshoring raises security concerns because it creates a greater level of vulnerability to espionage and sabotage. The draft administrative guidelines note:
Offshoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia, this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised actions by third parties, such as theft of customer data or sabotage of the network.
6.42
The Attorney-General’s Department noted that the Bill does not specify where or how data must be stored, but instead supports a risk-based approach:
The Bill does not specify where or how data must be stored. The Bill supports a risk-based approach to managing national security concerns to the telecommunications sector, while also retaining flexibility in decision making for industry. The constantly changing nature of the telecommunications environment necessitates the need for industry to innovate and be in a position where they can retain flexibility to support their changing business needs and to minimise any regulatory burden on their ability to conduct business internationally.
6.43
In regards to the location of stored data and the mitigation of risks the Attorney‑General’s Department advised that:
the reforms do not prohibit providers from storing data outside Australia and this would not be warranted. The TSSR reforms are designed to enable the identification and mitigation of risk to security wherever they exist.
6.44
Accordingly, irrespective of the location of stored data:
C/CSPs would be expected to be able to demonstrate, for example, that they have processes and arrangements in place to manage who can access systems and networks and facilities. If any risks were identified Government would work with industry to mitigate those risks, including where consultations were ineffective, the use of the directions‑making power.
6.45
Macquarie Telecom Group raised concerns about the offshoring of data and stated that it considered it important that Australia retain sovereignty over certain types of information.
6.46
The Attorney-General’s Department advised that ‘the law does not currently compel telecommunications providers to tell the Government where retained data is stored’. The Attorney‑General’s Department noted that the reforms set out in the Bill could enable the Attorney-General’s Department to ‘obtain information, including on existing offshore arrangements’:
The telecommunication sector security reforms are designed to better manage security risks, including risks posed by offshoring, and will provide greater protection not only for Australian metadata stored offshore, but also metadata stored in Australia that can be accessed offshore. The reforms will require providers to protect existing networks and systems and enable the department to obtain information, including on existing offshore arrangements. There is also a further obligation on providers to notify the department of any proposed changes that are likely to create a security risk.
6.47
The Attorney-General’s Department noted that, with respect to networks or facilities located overseas or outsourced, the security obligation in the Bill would apply ‘irrespective of whether the location of that part of a C/CSP’s operation is located in Australia, or overseas’:
The regulatory framework applies to all C/CSPs within the meaning of the Telecommunications Act 1997. This includes C/CSPs that have networks and facilities based in Australia, or based overseas which are used to provide services and carry and/or store information from Australian customers.
The Bill would require C/CSPs to do their best to protect sensitive parts of their networks and facilities from unauthorised interference and access. This would include those parts of networks and facilities which are of greatest security interest such as operations centres and any part of a telecommunications network that manages or stores information about customers.
6.48
The Attorney-General’s Department added that, under the Bill
C/CSPs would be expected to pay particular attention to identifying and addressing risks posed by higher risk service delivery models (such as outsourcing or offshoring). C/CSPs would be expected to be able to demonstrate, for example, that they have processes and arrangements in place to manage who can access systems and networks and facilities (as part of their requirement to demonstrate competent supervision and effective control).
Committee comment
6.49
It is critical that the Australian community can have confidence in the telecommunications sector and especially the security of stored data.
6.50
As part of the 2015 inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the (then) Committee considered the importance of location in relation to the security of stored data and ‘agreed that this underlies the importance of implementing the telecommunications sector security reforms’. The Committee recommended that the Government enact the proposed telecommunications security framework prior to the end of the implementation period of the data retention regime.
6.51
The Committee notes that this timeframe has not been met.
6.52
Australia’s existing legal framework for the protection of information includes requirements under the Privacy Act 1988 and the Telecommunications (Interception and Access) Act 1979, including mandatory encryption for retained telecommunications data, as well as a recently introduced mandatory data breach notification scheme.
6.53
The Committee notes that the telecommunications sector security framework would apply to C/CSPs irrespective of whether certain parts of a C/CSP’s operation are located in Australia, or overseas. The Committee also appreciates that the location of data is not necessarily a determinant of its security. However, there may be specific risks associated with certain off‑shore data storage.
6.54
The Committee is greatly concerned that existing laws do not provide government with visibility about where and how data is being stored.
6.55
The notification requirements proposed in the Bill (as discussed in Chapter 4) will require telecommunications companies to notify the Government of any changes they propose to make that are likely to have a ‘material adverse effect’ on their ability to comply with their security obligations. The Committee expects this requirement would include any decisions to store critical data offshore.
6.56
The Committee also notes that the Bill contains strong information-gathering powers that could be used, if necessary, to compel companies to provide information that is relevant to assessing compliance with the security obligation to the Secretary of the Attorney-General’s Department.
6.57
In order to increase public assurance in the security of retained telecommunications data, the Committee considers that the security of telecommunications data retained offshore should be included in the scope of its review of the mandatory data retention regime. This review, mandated under section 187N of the Telecommunications (Interception and Access) Act 1979, is scheduled to commence by 13 April 2019.
6.58
The Committee recommends that, at the time of the review required to be undertaken by the Parliamentary Joint Committee on Intelligence and Security under section 187N of the Telecommunications (Interception and Access) Act 1979, the scope of the review be expanded to include consideration of the security of off-shored telecommunications data that is retained by a service provider for the purpose of the data retention regime.
6.59
In order to better facilitate oversight of security arrangements in place to protect sensitive telecommunications data, the Committee also considers that the Bill should be amended to include, in relation to data retained under Part 5-1A of the Telecommunications (Interception and Access) Act 1979, a specific obligation within the notification requirement in proposed section 314A to require C/NCSPs to notify the CAC of any new or amended offshoring arrangements.
6.60
This will provide a mechanism for government to be informed of prospective changes to off-shoring practices. It will also ensure that there is a greater amount of information on the types, proportion and security implications of telecommunications data being stored off-shore available to the Committee at the time of its review of the mandatory data retention scheme.
6.61
The Committee recommends that the Telecommunications and Other Legislation Amendment Bill 2016 be amended to include, in relation to data retained under Part 5-1A of the Telecommunications (Interception and Access) Act 1979, a specific obligation within the notification requirement in proposed section 314A to require C/NCSPs to notify the CAC of any new or amended offshoring arrangements.
6.62
To ensure the efficient and effective operation of the telecommunications sector security reforms outlined in the Bill, the Committee recommends the regime be reviewed within three years of Royal Assent. The key areas of focus of the review should be the security of critical and sensitive data, the adequacy of information-sharing arrangements between government and industry, and the adequacy of the administrative guidelines.
6.63
The Committee also notes that industry queried whether possible regulatory imbalances or impacts on competition could result from the telecommunications sector security reforms, particularly with respect to over-the-top services and cloud computing services (as discussed in Chapter 3). Consequently, the Committee considers that implications of the reforms should form part of the review.
6.64
The Committee recommends that the Telecommunications and Other Legislation Amendment Bill 2016 be amended to require the Parliamentary Joint Committee on Intelligence and Security to review the operation, effectiveness and implications of the reforms, commencing within three years of the Bill receiving Royal Assent. The scope of the review should include:
the security of critical and sensitive data,
the adequacy of information-sharing arrangements between government and industry, and
the adequacy and effectiveness of the administrative guidelines in providing clarity to industry on how it can demonstrate compliance with the requirements set out in the Bill.
Concluding comments
6.65
The Committee notes that a key objective of the Bill is to formalise and strengthen the existing engagement between government and the telecommunications industry on national security risks. In doing so, the Bill aims to provide a more transparent, consistent and enforceable set of security obligations across industry than currently exist.
6.66
The Committee acknowledges that the Bill has been subject to extensive consultation over several years, which has addressed many previous concerns raised by industry stakeholders. The Committee has focused its inquiry on examining outstanding concerns around the operation of the proposed framework. In particular, the Committee has made recommendations aimed at increasing clarity and certainty for industry.
6.67
The 12 month implementation period for the Bill will be crucial. The Attorney-General’s Department must work closely with industry during this period to ensure the administrative guidelines are revised and expanded. This will ensure there is the clear guidance that is needed in order to maximise certainty for industry to enable them to implement the Bill. Several of the Committee’s recommendations are directed toward this.
6.68
The implementation period must also be used to identify and implement effective mechanisms for sharing information, particularly threat information, with industry. These mechanisms should be designed to assist companies to make decisions that consider national security interests, in addition to commercial interests, early in the planning process.
6.69
These recommendations are intended to strengthen the Bill, the operation of the Bill and compliance with its obligations.
6.70
The Committee thanks all participants in the inquiry for their valuable contributions and constructive approach.
6.71
The Committee commends the report to the Parliament and recommends that, subject to the recommendations in this report being accepted, the Bill be passed.
6.72
The Committee recommends that, subject to the above recommendations being accepted, the Telecommunications and Other Legislation Amendment Bill 2016 be passed.
June 2017