Ross Hart (Bass, Australian Labor Party) Share this | Hansard source

It is my very great pleasure to talk on the Telecommunications and Other Legislation Amendment Bill today because I've had a longstanding interest, notwithstanding my legal practice, in technology and telecommunications. In preparing for this, I had cause to reflect on some of the history of security surrounding telecommunications—indeed, dating back to the 1960s and early 1970s.

If you know your technological history, the history of telecommunications security extends to those wonderful people called 'phone phreakers' who used whistles and the like in order to make long distance telephone calls on the telecommunications network in the United States by using manipulation of the call tones. The development of technology since that day underscores why it's necessary to have a flexible system of security that addresses the massively significant amount of change that occurs in this industry and, indeed, in all sorts of technology that we use on a day-to-day basis. That's why it's vitally important that we have this legislation which amends the Telecommunications Act 1997 and related legislation to introduce a regulatory framework to better manage national security risks of unauthorised access to and interference with telecommunications networks and facilities.

As I indicated in my opening, this is not something that can be dealt with in the abstract. It's something that is vitally important for all of us to give consideration to. We know the maxim, 'A chain is as strong as the weakest link,' and that applies in respect of security vulnerabilities. I'll address that analogy later in this speech. This particular framework within the legislation will ensure that Australia's telecommunications networks and facilities are safe from national security risks of espionage, sabotage and foreign interference. We must acknowledge that because of the sensitive information and data that these networks and facilities are working with they could potentially become an attractive target for interference by state or non-state actors. There are significant risks that arise as a result of this, such as the compromise of defence or military networks, the loss of valuable or sensitive data, the impairment of the availability or integrity of telecommunications networks and the potential impact on other critical infrastructure or services, like banking, health and transport.

When I was practising as a legal practitioner around the year 2000, there was a lot of attention given by large corporates towards their 'year 2000 compliance'. There was a real fear that failures of networks at that time would cause significant problems for not only individual corporations but also businesses across the economy. Such was the risk that the Australian government determined that it was necessary to ensure that all businesses, large or small, took appropriate steps to ensure that they were Y2K compliant. That's an example of what occurred in the past. Now that we are up to date, we need to be absolutely certain, and it is absolutely vital, that the integrity and security of our telecommunications networks and infrastructure is maintained in the face of potential threats to national security and an increasingly uncertain international environment.

We in Labor have consistently worked with the government to ensure that our security agencies have the powers that they need to keep Australians safe. As such, we are supporting this bill subject to amendments that implement the recommendations of the Parliamentary Joint Committee on Intelligence and Security, the PJCIS. Indeed, it was a Labor government in 2012 that initially proposed telecommunications sector security reforms. There has been ongoing bipartisan support for the development of such measures and the features of the regulatory model since. A 2013 report from the PJCIS unanimously recommended that security reforms in this space be implemented, noting that 'there cannot be an effective and equitable security regime without enforcement mechanisms'. As part of its 2015 inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the same committee again indicated support for telecommunications sector security reforms.

This particular piece of legislation that we are considering today implements the recommendations from both of these inquiries, as well as public consultation, to ensure that the telecommunications industry engages with security agencies to enable early identification and collaborative management of security risks in their infrastructure and information held or carried on it. This is achieved by the establishment of a security obligation applicable to all carriers and carriage service providers that requires them to 'do their best' to protect their networks and facilities from unauthorised access and interference. I note here that the requirement for carriers to do their best imposes a subjective element which means that what is required to comply with the obligation will differ for each carrier and service provider, depending upon their risk profile. As vulnerabilities change over time, the administrative guidelines will outline what is expected of carriers to comply with their security obligation. The obligation is discharged by the carrier when they can demonstrate that they've implemented effective measures to manage the relevant risks.

It's important that I note at this stage, again, that anything to do with IT and telecommunication is notoriously quick and fast paced. What could have been standard operating procedure last year will be completely outdated upon the identification of a particular security vulnerability or the identification of a particular gap in the market. Therefore, any legislation needs to be sufficiently broad and the obligations imposed need to be sufficient to cast the obligation upon the telecommunications operator. Notwithstanding that, special power is provided to the Attorney-General to issue to a telecommunications carrier a direction requiring them to act or refrain from acting in order to manage security risks. The secretary of the Attorney-General's Department is similarly empowered to request information from carriers and service providers to monitor their compliance with security obligations. The bill also expands the operation of existing civil enforcement mechanisms in the Telecommunications Act 1997 to address noncompliance.

Upon introduction of this bill to the Senate in November last year it was referred to the PJCIS as a matter of course for further review. The committee held two public hearings and received several submissions from stakeholders as well as having a private briefing from relevant agencies and visiting Telstra's global operations centre in Melbourne. One key concern raised through the committee process was the security of telecommunications data that is stored offshore. Currently, telecommunications providers are not compelled to advise the government where retained data is stored. As is noted in the draft administrative guidelines:

Off-shoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia, this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised access by third parties, such as theft of customer data or sabotage of the network.

Indeed, in the United States, we've seen the recent exposure of significant amounts of consumer data through the loss of credit data in a major security breach. In its report, the committee emphasised that visibility about how and where data is being stored is absolutely critical in giving the community confidence in the security of their data and the telecommunications industry generally. The PJCIS recommended that the review of the Telecommunications (Interception and Access) Act be expanded to include consideration of the security of offshore telecommunications data that is retained by a service provider for the purpose of the data retention regime.

Ultimately, the Parliamentary Joint Committee on Intelligence and Security made 12 substantive recommendations for improvements to this bill. The recommendations can be summarised as: the revision and expansion of the administrative guidelines; the exemption of broadcasters from the obligations set out in the bill; ensuring effective and regular information sharing; allowing requests for exemptions by carriers and service providers for certain changes; clarifying that the bill does not affect the operation of privacy obligations—I think that's vitally important; expanding the annual reporting and review requirements; and clarifying the responsibilities of the Communications Access Coordinator. I'm very pleased that the government has accepted all of the recommendations of the PJCIS. Labor, as I said earlier, has taken a bipartisan stance on national security legislation introduced by the government and has consistently worked with the government to ensure our security agencies have the powers they need to keep Australians safe.

The government has until now relied upon the cooperation of the telecommunications industry to implement the advice that it receives from security agencies. Certainly, it's acknowledged that there are well-established cooperative relationships between those security agencies and the telecommunication carriers which are already in place. However, the fact that the industry is not currently obliged under law to share threat information with security agencies means that there is a potential vulnerability because those security agencies lack visibility of potential threats. One limitation on this current arrangement is that this particular industry, as I said previously, is a dynamic industry, constantly evolving and with a number of new market entrants that may not have the same cooperative relationship with government. It is important to remember that this cooperative approach is only workable when companies are willing to give due consideration to national security in the public interest.

These reforms give our security agencies the tools that they need to ensure that our telecommunications networks and infrastructure are protected from malicious actors. We know that a key source of vulnerability for espionage, sabotage and interference activity is the supply of equipment, services and support arrangements. Technology and threats are constantly changing. We need to ensure that the framework that we use for regulation is sufficiently flexibility to address the risks these present. There is always pressure upon carriers and service providers to remain contemporary with their service delivery and to serve a market that is also constantly changing. Security is vitally important and should be an overriding consideration for service providers. But, above all, it should be a question of industry culture, not something which is merely imposed.

Australian telecommunications networks rely on global supplies of equipment and services, often located offshore. This potentially creates a challenge to implementing controls to mitigate personnel, physical and ICT security risks, making networks and facilities more vulnerable to unauthorised interference. This is a lesson learned from history. In the 1960s, as I indicated earlier, when the idea of cyberattacks on IT systems and telecommunications networks was becoming an increasing concern for industry and government alike, military strategist and systems theorist Herman Kahn noted:

The aggressor has to find only one crucial weakness; the defender has to find all of them, and in advance.

Indeed, our increased reliance upon internet and telecommunications systems only serves to make us potentially more vulnerable.

Advances in technology and comms have introduced significant vulnerabilities, including the ability to disrupt, destroy or alter networks or infrastructure as well as the information held on them. These vulnerabilities potentially allow state and non-state actors to obtain unauthorised access that could be used to extract information or disrupt networks. Similarly, whilst carriers and service providers act to secure their networks to protect the personal and business information of their users, these requirements may differ from those needed to protect national security interests. The reforms in this bill require carriers and service providers to take into account a broader range of security risk factors when making investment decisions so as to protect national security interests.

As I noted earlier, this bill is the result of a process initiated under the former Labor government in 2012 that was followed by a period of consultation between government and industry. I am very pleased, again, to note that the government has accepted all of the recommendations of the PJCIS for improvements to this bill and, as such, I am confident that the framework established by this legislation can effectively operate to ensure that Australia's telecommunication networks and facilities are safe from national security risks of espionage, sabotage and foreign interference. This is something that every Australian needs to be aware of. It is very pleasing to see the government acknowledging that this threat is very, very real. It is taking it seriously. It's vitally important that we ensure that the measures we take are contemporary and effective.

See this speech in context