Tough NZ comms interception, network security law kicks in

Powered by SC Magazine
 

Aussie operators in NZ must register with police.

Local and international telcos and network providers in New Zealand are now required to comply with strict and complex new communications interception and security legislation.

The new law will apply to Australian businesses and providers operating in the country, such as Vocus which runs data centres and networks in New Zealand.

Known as the Telecommunications (Interception Capability and Security) Act (TICSA), the new law requires network operators to register with the NZ Police. Similary, suppliers of a wholesale or retail  telecommunications service must provide their information to the police registry.

Registrants must tell the police their total number of connections, customers and size of their geographic coverage, and ensure that law enforcement agencies have access to customer data and connections when needed.

As part of the new law - which requires the country's main signals intelligence agency, the Government Communications Security Bureau (GCSB) to play a prime role in network and systems security - providers are now dutybound to notify the state about any design and procurement decisions before implementation, according to government guidance [PDF].

Prior to TICSA, network operators were free to design their infrastructure according to their wishes and to meet commercial demands, and to buy equipment and software from any supplier.

From this month, the GCSB has to be notified of and approve proposed changes to a provider's network operations centre, core network including gateways and interconnects as well customer databases and authentication systems.

GCSB network security vetting process schematic

Providers will also be required to have their staff vetted for security clearance. However, the GCSB will not run the security clearance process itself, and warns that this "may take a significant length of time." 

Neverthless, there are certain things that network operators are permitted to do without notifying the GCSB.

Network providers can patch and update software and firmware, and make changes to power, air conditioning and fire suppression systems.

They are also not required to inform the spy agency of emergency changes to networks, at least not immediately. Nor will providers have to notify the GCSB about home routers, servers and databases sold to customers.

Failure to comply with the new legislation, GCSB, or ministerial direction on network design and equipment, could land providers with hefty fines.

These can be as steep as NZ$50,000 (A$46,000) to NZ$500,000 a day.

The new law was slammed by web giants Google, Facebook and Microsoft last year as being from the 19th century and incompatible with international privacy legislation.

Despite this, the New Zealand government declined to exempt overseas operators from the new law.

Copyright © iTnews.com.au . All rights reserved.


Tough NZ comms interception, network security law kicks in
 
 
 
Top Stories
ATO shaves $4m off IT contractor panel
Reform cuts admin burden, introduces KPIs.
 
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  27%
 
Sourcing and strategy
  13%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  25%
TOTAL VOTES: 437

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  54%
 
No
  46%
TOTAL VOTES: 210

Vote