The government's proposed security reforms for the telco sector would have the opposite effect and set Australia back in the fight against cyber threats, the industry claims.
The Attorney-General's Department late last month released its proposed 'telecommunications sector security reforms', which would allow the department to direct telcos and ISPs to hand over sensitive information about their networks and procurement plans.
Australia's biggest telco Telstra and industry representative body the Communications Alliance last week attacked the proposed law as too broad, intrusive and burdensome, and the rest of the industry today lent its voice to the fierce criticism.
In a joint submission, the Australian Industry Group (Ai Group), the Australian Information Industry Association (AIIA), the Australian Mobile Telecommunications Association (AMTA) and the Communications Alliance said the legislation would fail to achieve its objectives.
Importantly, the legislation would disrupt the deployment of technologies that can prevent cyber attacks - the opposite of what the reforms intend, they argued.
“[We] see the very real danger that the proposed reforms will mean a step backwards in dealing with cyber threats and breaches as they will divert resources from investing in addressing cyber security threats to compliance with onerous obligations,” the submission stated.
“It is likely that Australian authorities will struggle to understand very new technologies and their use within networks and, as a result of this inexperience and lack of expertise, may ‘err on the side of caution’ and deny implementation.”
The industry groups argued the reforms were out of step with policies in the UK, US and Canada and would place undue burdens on an industry already struggling with a newly-heavier regulatory load.
The legislation also lacks transparency, fails to provide adequate mechanisms for appeal, will deter investment in Australian technology, and will lead to higher costs for consumers, they argued.
Lengthy bureaucratic processes to hold up action
In terms of competition, the industry bodies highlighted the additional difficulties the legislation would pose to carriers with a head office located overseas, such as Optus and Vodafone.
“Often the release of the information required by authorities is dependent on the decisions of the CSP’s head office and such commercially sensitive data may need to be discussed on an internal basis weeks (or even months) before it may be approved for external release,” the submission stated.
While Australia's telcos believe an “overarching cyber security framework is necessary”, the groups said, the government needs to “undertake a ‘re-think’ – and detailed discussions with industry – before proceeding down a path that will be, on balance, detrimental”.
Under the draft bill, a telco or ISP that fails to comply with an AGD direction would face civil penalties of around $250,000.
Telcos and ISPs would be required to hand over information on new equipment, outsourcing, offshoring equipment or services, and changes to the management of services if the AGD decides they could create vulnerabilities in networks.
The AGD would also have the power to retain the information for as long as necessary.