The Bill and its referral
1.1
On 9 November 2016, Senator the Hon James McGrath, Assistant Minister to the Prime Minister, introduced the Telecommunications and Other Legislation Amendment Bill 2016 (the Bill) into the Senate.
1.2
In his second reading speech, Senator McGrath stated that the Bill will ‘place an obligation on all carriers, carriage service providers and carriage service intermediaries to do their best to protect telecommunications networks and facilities from unauthorised interference and unauthorised access for the purpose of security’.
1.3
Senator McGrath explained that:
Australia’s telecommunications networks are the critical infrastructure that enables all of us to conduct business and to go about our everyday lives online. Australia’s economic prosperity and wellbeing are increasingly dependent on telecommunications networks and the data that flows across them.
1.4
Senator McGrath outlined the findings of the Australian Cyber Security Centre’s Threat Report 2016 to affirm the scale of the cyber threat to Australian organisations, noting that ‘telecommunications networks are a key pathway for unauthorised interference by malicious actors’. He quoted the former director of the United States National Security Agency, General Keith Alexander, who argued that ‘ongoing cyber-thefts from the networks of public and private organisations … represent the greatest transfer of wealth in human history’.
1.5
Senator McGrath emphasised that it is vital that the security and resilience of Australia’s telecommunications networks are maintained.
1.6
The Explanatory Memorandum to the Bill identifies limits with existing telecommunications security arrangements:
The absence of a comprehensive and proportionate security framework means security agencies do not have adequate levers (except in the most extreme circumstances) to engage those companies who choose not to engage on a voluntary basis with security agencies. Not only does this limit security agencies’ visibility of potential vulnerabilities which could be exploited by malicious actors across a large part of the sector, it compromises existing cooperative relationships with carriers who seek a level playing field.
1.7
On 9 November 2016, the Attorney-General, Senator the Hon George Brandis QC, wrote to the Parliamentary Committee on Intelligence and Security to ask that it inquire into the Bill.
1.8
The Attorney‑General stated in his letter that the Bill will amend the Telecommunications Act 1997 to introduce a regulatory framework to better manage national security risks of unauthorised access to, and interference with, telecommunications networks and facilities. The Attorney‑General provided the Committee with a copy of draft administrative guidelines that are intended to provide industry with greater clarity about the operation of the regulatory framework outlined in the Bill, and noted that it is his intention that the guidelines be further refined and finalised following passage of the Bill.
1.9
The Attorney-General asked the Committee to table its report in the early months of 2017 and requested that, as far as possible, it conduct its inquiry in public.
Context of the inquiry
1.10
The Bill is the outcome of substantial cooperation and negotiation between government and industry over several years. It seeks to implement the recommendations of two separate inquiries by the Parliamentary Joint Committee on Intelligence and Security (the Committee).
1.11
The Committee examined telecommunications security, including a proposal for an industry‑wide obligation to protect telecommunications, in the 43rd Parliament as part of its inquiry into potential reforms of Australia’s national security legislation. The Attorney‑General’s Department prepared a substantial discussion paper in July 2012 to support the Committee’s inquiry. The then Committee tabled its report on 24 June 2013.
1.12
The 2013 report acknowledged the extent of ‘threats to Australia’s national security that can be effected through the telecommunications systems’, and also that ‘the greatest improvements to telecommunications sector security would come through dialogue—with both industry and Government exchanging useful, and sensitive, information’.
1.13
The Bill will implement Recommendation 19 of the 2013 report:
The Committee recommends that the Government amend the Telecommunications Act 1997 to create a telecommunications security framework that will provide:
A telecommunications industry-wide obligation to protect infrastructure and the information held on it or passing across it from unauthorised interference,
A requirement for industry to provide the Government with information to assist in the assessment of national security risks to telecommunications infrastructure, and
Powers of direction and a penalty regime to encourage compliance.
1.14
The Committee further recommended that the Government, through a Regulation Impact Statement (RIS), address a range of issues including impacts on competition and how the framework would interact with existing corporations law and protections for service providers who have acted in good faith.
1.15
In 2015, as part of its inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the Committee again supported telecommunications security reforms and recommended that the Government ensure that the proposed telecommunications sector security framework be enacted prior to the end of the implementation period of the data retention regime.
1.16
The proposed reforms were subject to consultation prior to the Bill’s introduction into the Senate. In its submission to the inquiry, the Attorney‑General’s Department noted that there had been ‘significant consultation with the telecommunications industry since 2012, including two rounds of public consultation on exposure draft legislation and associated documentation (in June – July 2015 and November 2015 – January 2016, respectively)’.
1.17
In his second reading speech, the Assistant Minister similarly noted that there had been extensive consultation over the last four years and that industry feedback had ‘shaped the detail of the proposed reforms’.
1.18
In its submission, the Attorney-General’s Department outlined the amendments that were made to the draft Bill and Explanatory Memorandum to address industry feedback during public consultation periods, including to:
clarify and limit the scope of the security obligation to protect telecommunications networks and facilities by limiting it to networks or facilities owned operated or used by a C/CSP [carrier/carriage service provider]
increase the threshold for the exercise of regulatory powers, ie so that the Attorney-General may only give a direction where satisfied that [it is] ‘reasonably necessary’ to eliminate or reduce the security risk of unauthorised access or interference which is prejudicial to security,
allow companies (under information-gathering powers) to provide copies of documents, and also be entitled to reasonable compensation for complying with a requirement to provide a copy of a document,
expand confidentiality requirements to protect the confidentiality of commercially sensitive information or documents provided in individual notifications or security capability plans,
increase the implementation period from six to 12 months, and
provide an option for industry to determine whether to provide individual notifications or annual security capability plans depending on the method that better suits their business model.
1.19
In submissions to this inquiry, industry stakeholders acknowledged the efforts of the Government, the Attorney‑General’s Department and other agencies to work in consultation with industry:
… the current Bill includes some adjustments made in response to views provided by stakeholders into each of those consultations, and we appreciate the efforts of the Government to respond to stakeholder concerns.
The Associations … commend Government for its response – by way of amendments – to some of the concerns raised by industry during 2015/16 in respect of the first and second exposure drafts of the Telecommunications and Other Legislation Amendment Bill…
It should be noted that the Attorney-General and agencies in the department have worked with us, through two exposure drafts, to make improvements to the legislation and that there have been substantial improvements.
Conduct of the inquiry
1.20
The Committee announced the inquiry by media release on 15 November 2016 and invited submissions from interested members of the public by 3 February 2017.
1.21
The Committee received eight submissions and four supplementary submissions from industry, government and academia. A list of submissions received by the Committee is at Appendix A.
1.22
The Committee held two public hearings on 16 February 2017 and one public hearing on 23 March 2017. The Committee also received one private briefing from relevant agencies in Canberra and visited Telstra’s Global Operations Centre in Melbourne. A list of hearings and witnesses who appeared before the Committee is included at Appendix B.
1.23
Copies of submissions received and transcripts of public hearings can be accessed on the Committee’s website at: http://www.aph.gov.au/pjcis. Links to the Bill and the Explanatory Memorandum are also available on the Committee’s website.
Summary of the Bill
1.24
The Bill will amend the Telecommunications Act 1997 and related legislation, including the Telecommunications (Interception and Access) Act 1979, the Administrative Decisions (Judicial Review) Act 1977 and the Australian Security Intelligence Organisation Act 1979.
1.25
The key elements of the Bill include:
establishing a security obligation, applicable to all carriers/carriage service providers (C/CSPs) and intermediaries requiring them to ‘do their best’ to protect their networks and facilities from unauthorised access and unauthorised interference,
requiring carriers and nominated carriage service providers (NCSPs) to notify the Communications Access Co-ordinator (CAC) of planned key changes to telecommunications services or systems that could compromise their ability to comply with the security obligation. Notifications can be provided in the form of either an individual notification or an annual security capability plan,
providing the Attorney-General with a power to issue a C/CSP a direction requiring them to do or refrain from doing a specified thing in order to manage security risks,
empowering the Secretary of the Attorney-General's Department to request information from C/CSPs to monitor compliance with the security obligation, and
expanding the operation of existing civil enforcement mechanisms in the Telecommunications Act 1997 to address non-compliance with the obligations set out in the Bill.
1.26
The Bill also includes obligations relating to information sharing and confidentiality and an obligation on the Secretary of the Attorney-General’s Department to provide an annual report to the Attorney-General, which must then be presented to the Parliament.
1.27
The Explanatory Memorandum and RIS note that the proposed telecommunications sector security reforms would be supported by administrative guidelines and advice from security agencies to assist industry to understand and meet its obligation, and to inform C/CSPs how they can maintain competent supervision and effective control over their networks.
Report structure
1.28
This report consists of six chapters:
This chapter sets out the context and conduct of the inquiry, as well as a brief summary of the Bill,
Chapter 2 examines the case for telecommunications sector security reforms, as put forward in the Explanatory Memorandum and in evidence to the Committee, including international approaches,
Chapter 3 discusses the security obligation upon C/CSPs and intermediaries to protect telecommunications networks and facilities,
Chapter 4 discusses the notification requirements,
Chapter 5 discusses the direction and information-gathering powers, information‑sharing and confidentiality and enforcement mechanisms, and
Chapter 6 examines other matters raised in evidence to the Committee, including transparency, accountability and performance (including the annual report requirements); retrofitting of systems; and location of data storage.