The federal government is pushing ahead with a plan to force telcos to inform it about network changes and procurement intentions, today introducing its long-awaited security bill into parliament.
The Telecommunications and Other Legislation Amendment Bill 2016, introduced into the Senate today, gives the Attorney-General power to order a telco to take a particular course of action if it appears there is a risk to national security.
The power can only be used if the AG has received an adverse security assessment from ASIO, the bill states.
Telcos will be required to "do their best" to protect the networks and facilities they "own, operate or use" from "unauthorised access and interference". The secretary of the Attorney-General's Department will be given the power to order information from telcos to assess their compliance with the obligations.
Telcos will similarly be required to inform the department about any changes they plan to make to their systems or services that could have a "material adverse impact" on their obligation to secure their networks.
Types of changes the government says it should be notified about include outsourcing or offshoring sensitive parts of a network, buying kit or services for a sensitive part of a network, and changes to the management of services.
Telcos will be given the option of submitting an annual "security capability plan" that covers expected changes to their systems and services, instead of notifying the government each time a change is made.
The obligation for telcos to "do their best" to protect networks will apply to all carriage service providers in the country, while the notification provision will only apply to those nominated under the TIA Act.
The government denied the proposed legislation was intended to lock specific vendors out of Australia's telecommunications market. It controversially banned Chinese vendor Huawei from tendering for work on the NBN, citing national security concerns.
The government said while it is already in telcos' interests to secure their networks for existing regulatory and business purposes, they may not necessarily be doing so for national security reasons.
"For example, some business delivery models may expose a telecommunications network, facility or service to high risks of espionage, sabotage and unauthorised interference and access, but may not otherwise affect the business continuity or general security of the network or facility," the bill states.
"The reforms are intended to require C/CSPs to take into account a broader range of security risk factors when making investment decisions, to protect broader national security interests."
It said the proposed framework would replace existing "informal co-operative arrangements" with industry, which the government claimed only worked when carriers are willing to engage.
"The absence of a comprehensive and proportionate security framework means security agencies do not have adequate levers (except in the most extreme circumstances) to engage those companies who choose not to engage on a voluntary basis with security agencies," the bill states.
"Not only does this limit security agencies’ visibility of potential vulnerabilities which could be exploited by malicious actors across a large part of the sector, it compromises existing cooperative relationships with carriers who seek a level playing field.
"The aim is to encourage early engagement on proposed changes to networks and services that could give rise to a national security risk and collaboration on the management of those risks."
Communications Alliance CEO John Stanton said at first glance some of the revisions to the bill were useful, but he remained concerned about others.
"Among other things there still appears ... to be a requirement on industry players to 'protect' networks that they use, even if those networks are not under their control," he said.
The government has estimated it will cost $1.6 million each year for AGD and ASIO to administer the scheme. The costs of compliance for telcos have been estimated at around $184,000 per organisation annually.