House debates

Wednesday, 13 September 2017

Bills

Telecommunications and Other Legislation Amendment Bill 2017; Second Reading

11:18 am

Mark Dreyfus (Isaacs, Australian Labor Party, Shadow Attorney General)

The Telecommunications and Other Legislation Amendment Bill 2017 amends the Telecommunications Act 1997 to introduce a regulatory framework for managing national security risks to Australia's telecommunications infrastructure. This bill puts in place a regulatory framework that will ensure that Australia's telecommunications networks and facilities are safe from national security risks of espionage, sabotage and foreign interference. Telecommunications companies are already voluntarily working with the government to ensure that Australia's critical infrastructure is safe from foreign interference, threats or espionage. This bill puts a framework around that working relationship to ensure both government and industry know what is expected and what is required to keep Australians safe and what is expected of them to ensure that these measures are taken.

The key elements of the bill include, firstly, establishing a security obligation applicable to all carriers and carriage service providers and intermediaries requiring them to do their best to protect their networks and facilities from unauthorised access and unauthorised interference.

Secondly, the bill includes requirements on carriers and nominated carriage service providers to notify the communications access coordinator of planned key changes to telecommunications services or systems that could compromise their ability to comply with the security obligation. Notifications can be provided in the form of either an individual notification or an annual security capability plan.

Thirdly, the bill provides the Attorney-General with a power to issue carriers and carriage service providers a direction requiring them to do or refrain from doing a specified thing in order to manage security risks.

Fourthly, the bill empowers the Secretary of the Attorney-General's Department to request information from carriers and carriage service providers to monitor compliance with the security obligation.

Fifthly, the bill expands the operation of existing civil enforcement mechanisms in the Telecommunications Act 1997 to address noncompliance with the obligations that are set out in the bill.

This bill is the result of several years of negotiation and cooperation between the government and the telecommunications industry. It implements the recommendations of separate inquiries by the Parliamentary Joint Committee on Intelligence and Security in 2013 and 2015. In 2013, the PJCIS examined the question of telecommunications security as part of its inquiry into potential reforms of Australia's national security legislation. The committee recommended that the government create a telecommunications sector security framework in recognition of the threats to Australia's national security that can be affected through telecommunications systems. In 2015, as part of the committee's inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the PJCIS again supported telecommunication sector security reforms and recommended that the government ensure that a framework be enacted before the end of the implementation of the data retention regime, which was in April this year.

These reforms were also subject to two rounds of public consultation on exposure draft legislation before the current bill was introduced to the Senate. The bill was introduced to the Senate on 9 November 2016 and immediately referred to the PJCIS for careful scrutiny and review. The PJCIS received eight submissions and four supplementary submissions from industry, government and academia. The PJCIS held public hearings on 16 February 2017 and on 23 March 2017 as well as a private briefing from relevant agencies in Canberra and visited Telstra's global operation centre in Melbourne. The PJCIS's advisory report on this bill made 12 recommendations for improvements to the bill, the explanatory memorandum and the administrative guidelines accompanying the bill. Subject to these 12 recommendations being implemented, the PJCIS recommended that the bill be passed.

Since September 2014, Labor has taken a bipartisan stance on all national security legislation introduced by the government. Labor has closely scrutinised all national security legislation through the mechanism of the PJCIS, which has made recommendations for improvements on all of the bills that the government has presented. These recommendations have all been accepted by the government. The recommendations that the PJCIS made on this bill include making clear what a company's security obligations are in circumstances where a company is providing or reselling an over-the-top service, where telecommunications infrastructure is used but not necessarily owned or operated by the company, where a company's infrastructure is located in a foreign country and used to provide services and carry or store information from Australian customers and where a company provides cloud computing and cloud storage solutions. The recommendations include making clear that the bill does not apply to certain broadcasters and a recommendation that the Attorney-General's Department work collaboratively with industry to ensure effective and regular information sharing, including threat information to aid industry compliance.

Further recommendations ask that the sorts of changes that require notification to the Communications Access Co-ordinator be made clear and recommend outlining the application process for exemptions from notification requirements; making clear that the bill does not affect the operation of existing legislated privacy obligations; specifying what must be included in the annual report presented to parliament; and making it clear that the Attorney-General will take into account whether the Communications Access Co-ordinator has complied with the applicable statutory time frames before issuing a direction.

A final group of recommendations suggested outlining the avenues available for industry to recover reasonable costs in certain circumstances; expanding the scope of the PJCIS's review of the data retention regime to include consideration of the security of offshore data that have been retained under the regime; introducing a new requirement that carriers and carriage service providers notify the Communications Access Co-ordinator of any new or amended offshoring arrangements; and, finally, introducing a new requirement that the PJCIS review the operation, effectiveness and implications of the reforms within three years.

Labor has consistently worked with the government to ensure that our security agencies have the powers they need to keep Australians safe. This bill will provide our security agencies with the powers and tools they need to protect our telecommunications networks from malicious actors. Without these reforms, the government, up until now, has had to rely on the goodwill of the telecommunications industry to voluntarily implement advice from security agencies. If telecommunications companies do not wish to implement the advice voluntarily, at present our security agencies do not have adequate levers to ensure that networks and facilities are safe.

The Attorney-General currently has the power to direct a carrier or carriage service provider to cease its services on security grounds where necessary. Due to the severe impact that the use of this power might have on innocent users of non-complying telecommunications companies, as well as on Australia's economy and telecommunications infrastructure, the power has never been used. This bill does not change the operation or effect of the existing power but does increase safeguards around the use of the power by adding a requirement that ASIO must have issued an adverse security assessment before it can be exercised and ensuring that a decision to issue a direction can be subject to judicial review.

The bill also grants the Attorney-General the power to direct a carrier or carriage service provider 'to do, or to refrain from doing, a specified act or thing' within a specified period to eliminate or reduce risks that are prejudicial to security. The types of things that the Attorney-General can direct a carrier or carriage service provider to do must be 'reasonably necessary' to reduce or eliminate the risk of unauthorised access or interference. There are a number of safeguards also around the use of this power. It cannot be exercised without an adverse security assessment, and the Attorney-General must be satisfied before issuing a direction that all reasonable steps have been taken to reach agreement and to consult the affected carrier or carriage service provider in good faith.

Industry stakeholders raised concerns about the threshold for issuing a direction, through the PJCIS inquiry into the bill. This concern was also raised by the Law Council of Australia in their submission on the exposure draft of the bill. The Law Council concluded that, as it was 'unclear whether a risk or prejudice to security must be substantial, likely, imminent or of severe potential impact before an adverse security assessment is issued', the threshold was not sufficiently transparent. The Law Council recommended that the exercise of the directions powers should only be permitted where there is a sufficient level of risk to security to justify the exercise of the powers. However, the Attorney-General's Department highlighted that lowering the threshold would undermine the purpose of the reforms:

… which is to encourage industry to engage early with Government to ensure any potential national security risks are appropriately mitigated before they become substantial and imminent.

The bill also empowers the Secretary of the Attorney-General's Department to request information that relates to security threats to carriers and carriage service providers and their intermediaries. The fact that currently industry is not obliged under law to share threat information with security agencies means that our agencies lack the visibility of potential threats.

This bill puts in place processes for information sharing, to ensure that agencies are aware of any threats to critical infrastructure. However, industry stakeholders raised concerns that the bill does not place an obligation on the government to proactively brief industry about possible threats and attacks. Optus noted that it would be challenging for industry to notify the government about possible vulnerabilities in their networks or infrastructure where industry may not be aware of a specific threat or risk information. The PJCIS agreed with these concerns and recommended that the Attorney-General's Department should collaborate with industry to ensure effective and regular information sharing—in particular, sharing threat information with industry.

A key issue that was raised through the PJCIS hearings related to the security of telecommunications data that is stored offshore. The Attorney-General's Department advised:

… the law does not currently compel telecommunications providers to tell the Government where retained data is stored.

The draft administrative guidelines for the bill note:

Offshoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia, this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised actions by third parties, such as theft of customer data or sabotage of the network.

Macquarie Telecom Australia raised concerns about the offshoring of data and stated that it considered it important that Australia retain sovereignty over certain types of information.

The PJCIS expressed concern in its advisory report on the bill that existing laws do not provide government with visibility about where and how data is being stored, and emphasised that it is critical that the Australian community can have confidence in the telecommunications sector—especially in the security of stored data. The PJCIS recommended that the committee's review of the Telecommunications (Interception and Access) Act be expanded to include consideration of the security of offshore telecommunications data that is retained by a service provider for the purpose of the data retention regime. It also recommended that the bill be amended to include, in relation to data retained under part 5-1A of the Telecommunications (Interception and Access) Act 1979, a specific obligation within the notification requirement in proposed section 314A to require carriers and carriage service providers to notify the Communications Access Coordinator of any new or amended offshoring arrangements.

Labor is pleased that the government has accepted all of the recommendations of the Parliamentary Joint Committee on Intelligence and Security for improvements to this bill and commends the bill and the amendments to the bill to the House.

Debate adjourned.
