The government has progressed long-mooted reforms that will compel the telecommunications industry to take steps to protect network infrastructure.
The <i>Telecommunications and Other Legislation Amendment Bill 2015</i> (PDF) will amend the Telecommunications Act 1997 to strengthen the current framework for managing national security risks to Australia’s telecommunications networks.
In a 2013 report, the Parliamentary Joint Committee on Intelligence and Security had recommended that the government create a telecommunications security framework.
That framework would include an obligation to protect infrastructure and data passing through it, compel industry to provide the government with information to assess national security risks to telco infrastructure and a penalty regime to include compliance.
In its report earlier this year that rubber-stamped the introduction of data retention, the PJCIS included as a recommendation that the government enact the 'Telecommunications Sector Security Reforms' (TSSR) prior to the end of the implementation phase for data retention.
The government indicated it supported the recommendation.
"TSSR is designed to ensure the security and integrity of Australia’s telecommunication infrastructure by encouraging ongoing awareness and responsibility for network security by the telecommunication industry, and will extend to provide better protection of information held by industry in accordance with data retention obligations," the submission from the Attorney-General's Department to the data retention inquiry stated.
"TSSR will impose an obligation on service providers to do their best to prevent unauthorised access and unauthorised interference to telecommunications networks and facilities, including where the provider outsources functions."
The bill unveiled last week will enhance existing information sharing and relationships between government and telecommunications carriers, carriage service providers and carriage service intermediaries (C/CSPs) to "ensure greater consistency, transparency and accountability for managing national security risks across all parts of the telecommunications sector," a draft explanatory memorandum states.
Communications Minister Malcolm Turnbull said the bill will provide a security framework to strengthen the government’s ability to manage national security risks to telecommunications networks by:
- Obliging all carriers, carriage service providers and carriage service intermediaries to do their best to protect their networks from unauthorised access and interference.
- Requiring carriers to notify security agencies of key changes to networks and management systems that could adversely affect their ability to protect their networks.
- Providing the Secretary of the Attorney-General's Department with direction and information gathering powers, enforceable by a civil penalty regime.
“This framework builds on existing obligations in the Telecommunications Act 1997 and will be implemented via a collaborative partnership with industry, involving increased engagement and information sharing with government agencies,” a statement issued on behalf of the communications minister and Attorney-General George Brandis said..
Government agencies would also provide general and targeted threat assessments and mitigation advice to assist telecommunications carriers and carriage service providers to manage risks to their networks.
The regulatory framework would be supported by administrative guidelines, which are being developed in consultation with the telecommunications industry, the statement said.
"These guidelines will help carriers and carriage service providers understand which parts of their networks are particularly vulnerable to unauthorised access and interference. They would also provide guidance on the controls and measures that can be implemented to manage these vulnerabilities," the statement said.
According to the government, the reforms will ensure that businesses, individuals and the public sector can continue to rely on telecommunication networks to store and transmit data securely.
However, implementation will be based on a regime of industry consultation, advice and guidelines.
“The new regulatory powers of direction will only be used as a last resort, to protect the national interest,” the government's statement said.
The Attorney-General’s Department is conducting a public consultation on the bill.
The draft documents can be found on the Attorney-General’s website.
Public submissions close on 31 July.
Follow Hamish Barwick on Twitter: @HamishBarwick