Carriers, government agencies, and security agencies need a more structured forum for sharing classified information about security threats, according to the federal Parliamentary Joint Committee on Intelligence and Security (PJCIS).
In a 50-page report published yesterday, the committee also concluded that long-standing requirements that carriers “do their best” to secure their networks should be formalised with standards set by either the same forum or a second, separate one.
Currently, threat information is shared within the Trusted Information Sharing Network, a body that the report recommends be bolstered in two ways: with a “renewed focus on telecommunications security”, and with “advice from security agencies regarding ongoing and emerging threats”.
PJCIS wants the government to establish a dedicated forum for sharing telecommunications security threat information, allowing “ASIO and Australian Signals Directorate (ASD) to brief telecommunications stakeholders about ongoing and emerging threats to the maximum classified level possible”.
This could exist either under the existing Trusted Information Sharing Network (part of the Cyber and Infrastructure Security Centre’s communications sector group), or under the standards working group also recommended in the report.
Either way, the new working group would allow the industry to get “appropriately classified and secured briefings” from ASIO and the ASD, perhaps through a “dedicated group with appropriately cleared staff”.
Standards in place of “best efforts”
On reporting requirements, PJCIS concluded that the current regulatory regime has worked well enough up to now, but that it “cannot be assured that a reliance on industry alone to counter threats is sustainable, nor that the Telecommunications Act as a whole can continue to uphold the security requirements for the industry.”
The committee noted divergence in how different carriers and carriage service providers interpreted their obligations to tell government about threats to their network.
It found “some inconsistent applications” of the obligation that carriers and service providers “do their best” to meet their obligations.
The “do their best” principle was created in the controversial 2017 telecommunications sector security reforms, which also required carriers to inform governments of their procurement plans and significant changes to their networks.
Those reforms’ most public outcome was in the 2018 ban on Huawei participating in 5G rollouts.
The report noted that some carriers were more likely to notify the government of threats on an early but informal basis, which for example “resulted in a very different outcome regarding final notifications between Telstra and Optus.”
To bridge the gap, the committee recommended a working group be established comprising carriers and service providers, ASIO and the ASD “when appropriate”, and representatives of the departments of Infrastructure, Transport, Regional Development and Communications, and Home Affairs.
This working group would “set agreed standards and best practice principles to inform the work of the Cyber and Infrastructure Security Centre’s advice and resources”, and is also suggested as hosting the proposed information sharing working group.