Andrew Hastie (Canning, Liberal Party) Share this | Link to this | Hansard source

On behalf of the Parliamentary Joint Committee on Intelligence and Security, I present the committee's Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016.

Report made a parliamentary paper in accordance with standing order 39(e).

by leave—I am pleased to present the committee's Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016. The bill will amend the Telecommunications Act 1997 to manage national security risks of espionage, sabotage and foreign interference to Australia's telecommunication networks and facilities. The task of the Commonwealth government is to provide the Australian people with national and economic security, and this bill is designed to fulfil that very obligation. It will increase the security of telecommunications infrastructure that is so fundamental to the economic prosperity and social wellbeing of all Australians.

The bill introduces a security obligation whereby carriers and carriage service providers will be required to protect telecommunication networks and facilities from unauthorised interference and unauthorised access for the purposes of security. The bill will require certain telecommunications companies to notify the government of changes to telecommunications systems and services that could have a material adverse effect on their ability to meet this national security obligation.

A key objective of the bill is to formalise and strengthen the existing collaborative relationship between government and the telecommunications industry. In doing so the bill aims to provide a more transparent, consistent and enforceable set of security obligations across industry than currently exist. The committee recognises that the bill will implement recommendations made by this committee in earlier reports. In addition, the bill has been subject to extensive consultation over several years, which has addressed many concerns raised by industry stakeholders. The committee examined outstanding concerns around the operation of the proposed framework.

The committee supports the legislative framework that establishes the security of Australia's telecommunications infrastructure as a joint responsibility between government and industry. In its bipartisan report, the committee has recommended that the bill be passed by the parliament and made 12 further recommendations aimed at increasing clarity and certainty for industry, strengthening information sharing between government and industry and improving transparency and accountability. In particular, the committee considered that the 12-month implementation period for the bill will be crucial. The Attorney-General's Department must work closely with industry during this period to ensure that the administrative guidelines that support the legislation are revised and expanded to maximise certainty for industry.

In this regard, the committee has recommended greater clarity be provided with respect to the following: a company's security obligations for over-the-top services, infrastructure that is used but not necessarily owned by a company, infrastructure located in a foreign country but used to carry or store Australian customer information, cloud computing and cloud storage arrangements, and, finally, the sorts of changes to services and systems that will require notification to the government.

Similarly, the implementation period must be used to identify and implement effective mechanisms to share information—particularly threat information—with industry. Early engagement about security risks and the effective sharing of threat information with industry will help telecommunications companies make decisions that consider national security early in the planning process. Early engagement will also provide the government with increased visibility of national security risks.

The committee was concerned that existing laws do not provide the government with sufficient information about where and how data is being stored. To provide greater assurance the committee has recommended that a specific obligation be included within the notification requirement to ensure that industry notifies the communications access coordinator of any new or amended offshoring arrangements for stored data under the Telecommunications (Interception and Access) Act 1979.

Finally, with respect to ensuring transparency and accountability, the committee has recommended that certain key regulatory performance information be included in the annual report presented to parliament and that framework be reviewed after three years to ensure that it is operating effectively. I commend the report to the House.

Mark Dreyfus (Isaacs, Australian Labor Party, Shadow Attorney General) Share this | Link to this | Hansard source

by leave—I rise also to speak on the PJCIS Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016. Increasingly over the past decade, the Parliamentary Joint Committee on Intelligence and Security has played a vital role in national security in Australia. The bipartisan work of the PJCIS to review and make improvements to national security legislation proposed by the government has ensured that Australia has national security legislation that is fit for purpose. Australians can be proud that our national security legislation strikes an appropriate balance between keeping Australians safe and ensuring that rights and freedoms are not unnecessarily infringed on.

The Abbott-Turnbull government has introduced a range of national security legislation, and the PJCIS played an important role in ensuring that there are safeguards and protections in place. These safeguards ensure that the measures do not unnecessarily infringe on civil liberties or go further than what is necessary to keep Australians safe. The telecommunications sector security reforms that this bill is about are not a novel or groundbreaking approach to national security. They are legislative reform. They are the outcome of a long history of negotiations between the telecommunications industry and the government. Consultation on these reforms started several years ago during the first term of the Labor government. The PJCIS first examined the issue of telecommunications security during the 43rd Parliament as part of its 2012 Inquiry into potential reforms to national security legislation. It was acknowledged that threats to Australia's national security can arise through telecommunications systems and that there needs to be a framework for assessing and responding to those threats.

In its 2013 report that followed the inquiry, the PJCIS recommended that a telecommunications security framework be implemented that would impose an obligation on the industry to protect its infrastructure and information. The PJCIS also recommended that industry be required to pass on information to the government that's necessary for assessing security risks, that the government be granted powers to direct the industry and that there be a civil penalty regime imposed to encourage compliance.

In 2015, again, the committee expressed its support for the telecommunications sector security reforms as part of its advisory report on another bill, the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014. It was hoped that these reforms would be enacted prior to the end of the implementation phase of the data retention regime which began in April this year. Unfortunately that was not possible, but the bill is again before the House accompanied now by this report of the PJCIS.

Telecommunications companies are already voluntarily working with the government to ensure that Australia's critical infrastructure is safe from foreign interference, threats or espionage. This bill puts a framework around that working relationship to ensure that both government and industry know what is required to keep Australians safe and what is expected of them to ensure these measures are taken. Until now the government has relied on the goodwill of industry to voluntarily implement security advice. Security agencies do not currently have adequate levers to ensure the cooperation of those who do not wish to engage voluntarily. If security risks are identified and an agreement cannot be reached with the relevant carrier or carriage service provider, the only thing that the government can currently do is to use its so-called shutdown power—that is, the power to stop a service under section 581(3) of the Telecommunications Act. Because of the severe impact that the use of this power might have on innocent users of non-complying telecommunications companies, as well as on Australia's economy and telecommunications infrastructure, the power has never been used. The bill also gives the Attorney-General the power to direct a carrier or carriage service provider 'to do or to refrain from doing a specified act or thing within a specified period'. This will ensure that the Attorney-General can act to eliminate or reduce risks that are prejudicial to security. In contrast to the existing shutdown power, this new power provides a more proportionate and graduated power of intervention and enforcement.

The bill also empowers the secretary of the Attorney-General's Department to request information that relates to security threats from carriers or carriage service providers and their intermediaries. The fact that industry is not currently obliged under law to share threat information with security agencies means that our agencies may be unaware of potential threats. This bill puts in place processes for information sharing to ensure that agencies will be aware of threats to critical telecommunications infrastructure. The bill also inserts additional safeguards around the use of the directions powers by adding a requirement that ASIO must have issued an adverse security assessment before the power can be exercised. The bill also ensures that the directions are subject to judicial review.

The PJCIS is often tasked with weighing up the need for enhanced powers for Australia's security agencies against the need to protect the civil liberties of Australia's citizens. The task before the PJCIS in considering this bill was an additional task. The committee had to weigh up commercial interests with national security concerns in determining the appropriateness of the measures proposed. I believe that following the implementation of the recommendations of the advisory report we will have a bill that strikes an appropriate balance between those competing concerns. I commend the work of the PJCIS in engaging in careful scrutiny of this bill, and, as always, ensuring that we have national security legislation that is fit for purpose and gives security agencies the powers and tools they need to keep Australians safe.