Brandis hits telcos with new security reforms

The federal government is planning to introduce new laws that would force telcos and ISPs to hand over details of network changes and procurement plans or be hit with civil penalties for non-compliance. 

The Attorney-General's department today released information on its proposed 'telecommunications security sector reforms', a regulatory framework aimed at managing national security risks associated with unauthorised access and interference with Australia's telecommunications networks.

The federal government is concerned about the threat posed by suppliers of equipment and managed services that are located in foreign countries.

"This can create further challenges in implementing controls to mitigate personnel, physical and ICT security risks in some locations and therefore make networks and facilities more vulnerable to unauthorised access and interference," the AGD wrote today.

Currently, security agencies rely on the goodwill of telcos and ISPs when it comes to addressing a potential security threat on a network, the department said.

It means only limited information is proactively shared, and depends heavily on the existing relationship between the government security agency and telco/ISP. 

"The absence of clear obligations results in ad hoc, reactive and delayed approaches to address any potential concerns," it wrote.

"Rapid changes in market dynamics and technologies increases opacity – carrier/carriage service providers initially considered to present a low risk can suddenly present a high risk due to factors such as rapid expansion in market share or expansion of services."

Additionally, no matter how good the relationship, telcos and ISPs will generally act in their company's best financial interest when designing networks and procuring goods and services, the AGD said.

The government has therefore opted to impose new reforms on the industry which would, among other things, require telcos and ISPs to hand over information on network changes and procurement plans should the AGD decide they could create espionage and sabotage vulnerabilities in networks and systems.

The level of monitoring and scrutiny will depend on the individual size of the business and how critical its infrastructure is.

"Government and business have increasing amounts of information that are stored electronically on and communicated across telecommunications networks and facilities," the agency wrote.

"The networks and infrastructure of carriers, carriage service providers and carriage service intermediaries (C/CSPs) have become attractive targets for those who wish to harm Australian interests."

The draft Telecommunications and Other Legislation Amendment Bill 2015 [pdf] would establish the Secretary of AGD as a regulator able to direct telcos and ISPs to comply with their obligations and enforce powers under a civil penalty regime.

The Secretary would act on advice provided by spy agency ASIO, according to the draft bill.

The telco or ISP must comply with the direction to hand over information or face being taken to court for civil penalties of around $250,000, the legisation states.

The Secretary would also have the power to retain the information for as long as necessary.

Telcos and ISPs are currently required under the TIA Act to notify the government of any planned changes to services or systems that are likely to have an adverse effect on the provider's ability to secure its systems, but no penalties apply for non-compliance.

Such changes include outsourcing, offshoring equipment or services, procuring new equipment, and changes to the management of services.

"Early engagement and notification of changes to networks will enable any security risks associated with a proposed business model to be identified early and mitigation measures built into the design stage early," the AGD said today.

The department said the ongoing costs of resourcing and administering the scheme were estimated to be $1.6 million annually for the government.

For telcos and ISPs, the costs of compliance is likely to be around $184,000 per organisation annually.

The bill - which is to go to parliament later this year - also reiterates a carrier's obligation to "do their best" to protect their networks from unauthorised access and interference, adding to previous obligations to protect networks from being used to commit offenses.

Stop using services

The Secretary of AG would also have powers to direct a telco or ISP to stop using a particular service in the interest of national security.

Those powers currently reside with the Attorney-General but have never been used.

CEO of the Communications Alliance John Stanton said while he was pleased the government decided to dump its plan to recover $2 million annually in costs from the industry for the new legislation, the proposed regime represented more red tape, additional compliance costs and higher levels of intrusion.

" Whether this is a proportionate response is a question that the parliament will need to consider in consultation with industry," Stanton said.

"The government has indicated that the proposed legislation will not be used as a tool to prohibit specific equipment suppliers from operating in the Australian marketplace and this needs to be assured, given the potential competition impacts of such a move and the potential for overall network costs to be driven upward, to the detriment of industry and consumers."

The industry is growing increasingly frustrated with the federal government over an ongoing slew of new obligations heaped onto the telecommunications industry since it came into power in 2013.

The new telco sector security reforms add to the mandatory data retention bill passed in March and the website blocking bill and industry code aimed at tackling copyright infringement.

The government is taking submissions on its new draft bill until July 31.