Tough NZ comms interception, network security law kicks in

Powered by SC Magazine
 

Aussie operators in NZ must register with police.

Local and international telcos and network providers in New Zealand are now required to comply with strict and complex new communications interception and security legislation.

The new law will apply to Australian businesses and providers operating in the country, such as Vocus which runs data centres and networks in New Zealand.

Known as the Telecommunications (Interception Capability and Security) Act (TICSA), the new law requires network operators to register with the NZ Police. Similarly, suppliers of a wholesale or retail telecommunications service must provide their information to the police registry.

Registrants must tell the police their total number of connections, customers and size of their geographic coverage, and ensure that law enforcement agencies have access to customer data and connections when needed.

As part of the new law - which requires the country's main signals intelligence agency, the Government Communications Security Bureau (GCSB), to play a prime role in network and systems security - providers are now duty-bound to notify the state about any design and procurement decisions before implementation, according to government guidance [PDF].

Prior to TICSA, network operators were free to design their infrastructure according to their wishes and to meet commercial demands, and to buy equipment and software from any supplier.

From this month, the GCSB has to be notified of and approve proposed changes to a provider's network operations centre, core network including gateways and interconnects, as well as customer databases and authentication systems.

GCSB network security vetting process schematic

Providers will also be required to have their staff vetted for security clearance. However, the GCSB will not run the security clearance process itself, and warns that this "may take a significant length of time." 

Nevertheless, there are certain things that network operators are permitted to do without notifying the GCSB.

Network providers can patch and update software and firmware, and make changes to power, air conditioning and fire suppression systems.

They are also not required to inform the spy agency of emergency changes to networks, at least not immediately. Nor will providers have to notify the GCSB about home routers, servers and databases sold to customers.

Failure to comply with the new legislation, or with GCSB or ministerial direction on network design and equipment, could land providers with hefty fines.

These can be as steep as NZ$50,000 (A$46,000) to NZ$500,000 a day.

The new law was slammed by web giants Google, Facebook and Microsoft last year as being from the 19th century and incompatible with international privacy legislation.

Despite this, the New Zealand government declined to exempt overseas operators from the new law.

Copyright © iTnews.com.au . All rights reserved.

