Michelle Rowland (Greenway, Australian Labor Party, Shadow Assistant Minister for Communications) Share this | Hansard source

I rise to speak on the Telecommunications and Other Legislation Amendment Bill. It is to the benefit of every Australian that our telecommunications industry has worked diligently over the past decade to ensure that the networks we use are safe and resilient. Communications is at the heart of our society, and with every passing day we become more dependent upon the applications and services they make possible. This increasing dependence on connectivity also means that the impact of any disruption to our networks is greater than ever. These risks permeate critical sectors of the economy, such as government, banking, finance and energy. The Internet of Things is also transforming Australian industry. The next phase of digitisation will integrate connectivity into industrial applications that have traditionally been free of any digital dependence.

Just imagine what the world might look like in 2030, with autonomous vehicles coordinating themselves through peak-hour traffic, underpinned by high-speed connectivity through next generation mobile networks. I make this observation to emphasise that technology changes much faster than our laws. This has been the case in the past and will remain the case in the future. From this vantage point the evolving technology and security environment warrants a careful assessment to ensure our capabilities, systems, processes and laws remain fit for purpose. Ultimately this comes down to a question of what arrangements can best preserve the confidentiality of communications carried on telecommunications networks and equally ensure the availability, resilience and integrity of these networks.

Over the past decade, the Australian telecommunication industry has been voluntarily working with the government to ensure that Australia's critical infrastructure is safe from foreign interference, threats or espionage. The security professionals in companies such as Telstra and Optus are world leaders in threat detection and response, and both the Australian public and the private sector have benefited from their expertise. We are indebted to industry for its cooperation, engagement and goodwill over this period. However, it has been recognised on both sides of parliament that the existing framework for managing these risks in the telecommunications industry is not adequate for the times we are in. The current framework relies on voluntary cooperation and goodwill, which may not always be sufficient, given the nature of the risks to national security and the increasing consequences if those risks were to materialise. Put another way, security agencies have a legitimate need for greater visibility and certainty, and this includes protecting against the possibility that such goodwill may not be voluntarily forthcoming from all telecommunications companies at some unknown point in the future.

Addressing this gap is largely the subject of the bill before us. The Telecommunications and Other Legislation Amendment Bill puts a framework around that working relationship to ensure that both government and industry know what is required to keep Australians safe and what is expected of them to ensure that these measures are taken. The bill is the result of several years of negotiation and cooperation between the government and the telecommunications industry, arising from a broader review of national security issues by the previous Labor government in 2012. It implements the recommendations of two separate inquiries by the PJCIS in 2013 and 2015. In 2013 the PJCIS examined telecommunications security as part of its inquiry into potential reforms of Australia's national security legislation. Arising from that review, it was recommended that the government create a telecommunications security framework. In 2015, as part of its inquiry into data retention legislation, the PJCIS again supported telecommunications sector security reforms and recommended the government ensure a framework be enacted prior to the implementation of the data retention regime. The bill was subsequently introduced to the Senate on 9 November 2016 and was referred to the PJCIS for scrutiny and review. The PJCIS report on this bill made 12 substantive recommendations to improve and clarify its operations. As the shadow Attorney-General has outlined, Labor supports the PJCIS recommendations, and we are pleased the government has also agreed to all 12 recommendations.

The bill seeks a balance between the legitimate needs of security agencies and the regulatory cost and uncertainty often borne by industry when there is legislative change. The amended bill seeks to achieve this by providing a proportionate and escalating framework for addressing national security risks, which includes granting the Attorney-General powers, subject to certain checks and balances, to ensure certain steps are satisfied before any direction is issued. The key elements of the bill include establishing a security obligation applicable to all carriers, CSPs and intermediaries, requiring them to do their best to protect their networks and facilities from unauthorised access and interference. It requires carriers and nominated CSPs to notify the communications access coordinator of planned key changes to telecommunications services or systems that could compromise their ability to comply with this security obligation. Notifications may be provided in the form of either an individual notification or an annual security capability plan. It provides the Attorney-General with the power to issue carriers or CSPs with a direction requiring them to do, or refrain from doing, a specified thing in order to manage security risks. It empowers the Secretary of the Attorney-General's Department to request information from carriers and CSPs to monitor their compliance with the security obligation, and expands the operation of existing civil enforcement mechanisms in the Telecommunications Act to address noncompliance with the obligations set out in the bill. Further, the bill seeks to strengthen existing arrangements, including information sharing between government and industry.

On the topic of information sharing, I would like to offer a metaphor which can hopefully add to how we think about risks to telecommunications infrastructure. On the topic of nuclear reactors, The Economist once observed that safety was not a technological given; rather, it was an operational achievement. That is, we cannot guarantee a given technology is absolutely safe. Instead, we should strive to implement the best systems, processes and controls in order to make something as safe as it can be. This example reminds us there is no such thing as technological determinism. Safety and security are and will remain an operational achievement. We need to keep refreshing our tools and frameworks whilst remaining acutely aware of this reality.

This applies to the security of telecommunications networks, which brings me to the importance of enhanced information sharing between government and industry. Network security is core business for large telecommunications companies and they devote considerable resources because it is in their interests and, frankly it's what the market expects, particularly of the larger providers. As Senator McAllister has noted in the Senate during the PJCIS inquiry, industry stakeholders raised concerns that the bill did not place an obligation on the government to proactively brief industry about possible threats and attacks. Stakeholders argued that it would be challenging for industry to notify the government about possible vulnerabilities in their networks or infrastructure when industry may not be aware of a specific threat or risk information. The PJCIS recommended that the Attorney-General's Department work collaboratively with industry to further develop this and to ensure effective and regular information sharing—in particular, sharing such threat information with industry.

I strongly endorse this approach and consider it in the common interest of security agencies and industry to ensure there is effective and regular information sharing. It is essential that all parties work together to ensure that professionals have access to relevant and timely information to mitigate threats where necessary. The safety of telecommunications networks is a common endeavour. We are all in this together. Labor have worked consistently with the government to ensure Australian security agencies have the powers they need to keep citizens safe, and we are pleased the government has accepted the 12 recommendations of the PJCIS.

See this speech in context