The Australian government has softened its proposals for a package of telecoms infrastructure security reforms after industry consultation, shifting to an outcomes-based framework that would be less prescriptive on administrative and technical requirements.
But the latest version of the planned measures – aimed at “mitigating the risks posed to Australia’s communications networks by certain foreign technology and service suppliers” – could still see carriers obliged to demonstrate “competent supervision and effective controls” over their networks. Failure to do so would invite penalties and directions from the Attorney-General’s Department (AGD). And those directions, while they might need the sign-off of the ASIO director-general of security and the secretary of the Department of Broadband, Communications and the Digital Economy (DBCDE), could in turn see carriers compelled to change even existing infrastructure – at their own cost.
An extensive discussion paper prepared by the AGD and released by the parliamentary joint committee on intelligence and security – which has now commenced its inquiry into the planned reforms – publicly lays bare the current iteration of the plan in unprecedented detail. It confirms that the AGD originally consulted with industry on the proposal earlier in 2012, as exclusively reported in CommsDay on 30 March. However, it also indicates that the proposal has subsequently been toned down somewhat.
“During the consultation about a possible regulatory framework that originally included a notification obligation in place of the requirement to provide information to government on request, industry expressed a preference for an approach that avoids the need for government approval of network architecture at a technical or engineering level and instead focuses on the security outcome, leaving industry to choose the most effective way to achieve it,” said the paper. “As a consequence an alternative regulatory framework designed with less focus on administrative processes and technical requirements, but greater emphasis on outcomes, has been developed for consideration.”
PROPOSAL FOR ACCREDITATION? The AGD added that government was now considering the means by which it might be assured that industry was taking reasonable steps to address risk – potentially including “accreditation of industry for self-assessment purposes or a role for third parties in providing audit and assurance services.”
The main thrust of the proposals, though – to harden the security of Australia’s telecom infrastructure with a risk-based regulatory framework, established via amendments to the Telecommunications Act and/or other legislation – remains unchanged. “There is a lack of awareness of national security risks in business decisions by many C/CSPs, which means engagement often occurs late in the decision making process,” said the paper, referring to carriers and carriage service providers. “Government is concerned that the telecommunications industry is not fully informed about national security risks and is therefore not equipped to respond adequately to these risks. As both businesses and consumers are also exposed to the consequences of potential security risks, there is a compelling case to act now. Australia is at a critical stage of telecommunications infrastructure development driven by the NBN’s construction.”
The framework mooted in the paper would include an industry-wide obligation on all carriers and carriage service providers to “protect their infrastructure and the information held on it or passing across it from unauthorised interference to support the confidentiality, integrity and availability of Australia’s national telecommunications infrastructure.” This would require them to demonstrate a level of oversight of their network operations and location of data, as well as direct authority to protect their networks from unauthorised access – for example, by repatriating information and systems in response to such access. It would also contain a requirement for C/CSPs to provide government, when requested, with information to assist in the assessment of national security risks to telecommunications infrastructure; and powers of direction plus a penalty regime to encourage compliance.
The current suggestion is that the power of direction would be used after first attempting direct engagement with carriers who did not toe the line, and could require the concurrence of the AGD and DBCDE as well as the director general of security. Once signed off, however, “directions could involve targeted mitigation or remediation of security risks, including modifications to infrastructure, audit, and ongoing monitoring, with costs to be borne by the relevant C/CSP.”
“Should any legislative changes be agreed, this would require all C/CSPs to comply with the security obligations. In some instances this will require the application of mitigation measures to existing infrastructure. The security obligations would apply to existing and new infrastructure,” said the paper. “Government recognises that it would need to work closely with industry to ensure that there is a reasonable transition period.”
INTERCEPTION AND DATA RETENTION: The scope of the proposed reforms is not limited to tightening security for telco infrastructure. The other elements of the proposal package are aimed at “modernising lawful access to communications and associated communications data” and “enhancing the operational capacity of Australian intelligence community agencies.”
On the first point, the government is seeking the views of the Committee on expanding the basis for interception activities, establishing an offence for failure to assist in the decryption of communications, and instituting industry response timelines. It has also raised the spectre of data retention, asking the Committee to consider the possible application of “tailored data retention periods for up to 2 years for parts of a data set, with specific timeframes taking into account agency priorities and privacy and cost impacts.”
Submissions on the paper and terms of reference therein are due by 6 August.