Optus was single-handedly responsible for over half of all network change notifications filed with the government in the first two years of telecommunications national security laws that were passed in late 2017.
The telco said the notification scheme had disrupted a number of its major projects over that time by between 30 days and eight months.
Under the telecommunications security sector reforms (TSSR), telcos must counter threats posed by suppliers of equipment and managed services located in foreign countries.
They must also “notify the government of planned changes to their networks and services that could compromise their ability to comply with the security obligation.”
The TSSR is now up for statutory review, and through this process Optus revealed just how many filings it had made compared to other telcos.
“Optus has reviewed the TSSR status of well over 150 projects and proposed changes over the last two years and submitted formal TSSR notifications for 36 of them,” Optus said in a submission.
“A comparison of Optus’ data to the industry data provided in CIC’s [the government’s critical infrastructure centre] annual reports reveals that for the first two years of the TSSR scheme, Optus has provided just over 50 percent of the notifications generated by the entire industry.”
Optus blamed “ambiguity of the notification threshold” for its apparent over-filing of network change notifications.
“The threshold is apparently being interpreted in different ways by different providers, which is leading to this differential result in terms of the distribution of notifications made by industry participants,” Optus said.
“It certainly means Optus is likely to be wearing a disproportionate share of the ‘regulatory burden’ associated with the scheme.”
Optus said it had no reason to believe that “changes it made” to networks, IT or products “were disproportionately more risky from a security perspective than changes made by other players in the industry.”
The notifications - and specifically the long lead times required to resolve them - caused havoc with the company’s own project timelines.
“The project-by-project TSSR notification process ... has been disruptive to a number of ... major projects over the last two years, and added time, cost and complexity to the delivery and execution of complex and commercially significant investment programs,” Optus said.
“It is unclear if security outcomes have been improved commensurately.
“This situation has occurred despite the CIC operating relatively effectively in the administration of the scheme.”
Optus also said its experience suggested “there is no easy way to predict in advance the best timing in a project’s life cycle for a TSSR notification.”
Overall, Optus said it wanted to see better definitions of the types of network changes that need to be notified, if only to clarify whether it has been over-notifying under the scheme.
“Providers face a difficult interpretive and practical choice and one path might lead to relative under-notification and the other could lead to relative over-notification,” Optus said.
Optus also said that confidentiality rules in the TSSR made it “difficult for providers to engage in detailed industry discussions on this topic to ensure a consistent application of the rules”, leading to variations in reporting.
However, it did note that at no time had the CIC suggested that Optus was filing “notifications related to changes which did not need to be notified.”