House debates

Wednesday, 13 September 2017

Bills

Telecommunications and Other Legislation Amendment Bill 2017; Second Reading

5:09 pm

Ross Hart (Bass, Australian Labor Party)

It is my very great pleasure to talk on the Telecommunications and Other Legislation Amendment Bill today because I've had a longstanding interest, notwithstanding my legal practice, in technology and telecommunications. In preparing for this, I had cause to reflect on some of the history of security surrounding telecommunications—indeed, dating back to the 1960s and early 1970s.

If you know your technological history, the history of telecommunications security extends to those wonderful people called 'phone phreakers' who used whistles and the like in order to make long distance telephone calls on the telecommunications network in the United States by using manipulation of the call tones. The development of technology since that day underscores why it's necessary to have a flexible system of security that addresses the massively significant amount of change that occurs in this industry and, indeed, in all sorts of technology that we use on a day-to-day basis. That's why it's vitally important that we have this legislation which amends the Telecommunications Act 1997 and related legislation to introduce a regulatory framework to better manage national security risks of unauthorised access to and interference with telecommunications networks and facilities.

As I indicated in my opening, this is not something that can be dealt with in the abstract. It's something that is vitally important for all of us to give consideration to. We know the maxim, 'A chain is as strong as the weakest link,' and that applies in respect of security vulnerabilities. I'll address that analogy later in this speech. This particular framework within the legislation will ensure that Australia's telecommunications networks and facilities are safe from national security risks of espionage, sabotage and foreign interference. We must acknowledge that because of the sensitive information and data that these networks and facilities are working with they could potentially become an attractive target for interference by state or non-state actors. There are significant risks that arise as a result of this, such as the compromise of defence or military networks, the loss of valuable or sensitive data, the impairment of the availability or integrity of telecommunications networks and the potential impact on other critical infrastructure or services, like banking, health and transport.

When I was practising as a legal practitioner around the year 2000, there was a lot of attention given by large corporates towards their 'year 2000 compliance'. There was a real fear that failures of networks at that time would cause significant problems for not only individual corporations but also businesses across the economy. Such was the risk that the Australian government determined that it was necessary to ensure that all businesses, large or small, took appropriate steps to ensure that they were Y2K compliant. That's an example of what occurred in the past. Now that we are up to date, we need to be absolutely certain, and it is absolutely vital, that the integrity and security of our telecommunications networks and infrastructure is maintained in the face of potential threats to national security and an increasingly uncertain international environment.

We in Labor have consistently worked with the government to ensure that our security agencies have the powers that they need to keep Australians safe. As such, we are supporting this bill subject to amendments that implement the recommendations of the Parliamentary Joint Committee on Intelligence and Security, the PJCIS. Indeed, it was a Labor government in 2012 that initially proposed telecommunications sector security reforms. There has been ongoing bipartisan support for the development of such measures and the features of the regulatory model since. A 2013 report from the PJCIS unanimously recommended that security reforms in this space be implemented, noting that 'there cannot be an effective and equitable security regime without enforcement mechanisms'. As part of its 2015 inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the same committee again indicated support for telecommunications sector security reforms.

This particular piece of legislation that we are considering today implements the recommendations from both of these inquiries, as well as public consultation, to ensure that the telecommunications industry engages with security agencies to enable early identification and collaborative management of security risks in their infrastructure and information held or carried on it. This is achieved by the establishment of a security obligation applicable to all carriers and carriage service providers that requires them to 'do their best' to protect their networks and facilities from unauthorised access and interference. I note here that the requirement for carriers to do their best imposes a subjective element which means that what is required to comply with the obligation will differ for each carrier and service provider, depending upon their risk profile. As vulnerabilities change over time, the administrative guidelines will outline what is expected of carriers to comply with their security obligation. The obligation is discharged by the carrier when they can demonstrate that they've implemented effective measures to manage the relevant risks.

It's important that I note at this stage, again, that anything to do with IT and telecommunication is notoriously quick and fast paced. What could have been standard operating procedure last year will be completely outdated upon the identification of a particular security vulnerability or the identification of a particular gap in the market. Therefore, any legislation needs to be sufficiently broad and the obligations imposed need to be sufficient to cast the obligation upon the telecommunications operator. Notwithstanding that, special power is provided to the Attorney-General to issue to a telecommunications carrier a direction requiring them to act or refrain from acting in order to manage security risks. The secretary of the Attorney-General's Department is similarly empowered to request information from carriers and service providers to monitor their compliance with security obligations. The bill also expands the operation of existing civil enforcement mechanisms in the Telecommunications Act 1997 to address noncompliance.

Upon introduction of this bill to the Senate in November last year it was referred to the PJCIS as a matter of course for further review. The committee held two public hearings and received several submissions from stakeholders as well as having a private briefing from relevant agencies and visiting Telstra's global operations centre in Melbourne. One key concern raised through the committee process was the security of telecommunications data that is stored offshore. Currently, telecommunications providers are not compelled to advise the government where retained data is stored. As is noted in the draft administrative guidelines:

Off-shoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia, this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised access by third parties, such as theft of customer data or sabotage of the network.

Indeed, in the United States, we've seen the recent exposure of significant amounts of consumer data through the loss of credit data in a major security breach. In its report, the committee emphasised that visibility about how and where data is being stored is absolutely critical in giving the community confidence in the security of their data and the telecommunications industry generally. The PJCIS recommended that the review of the Telecommunications (Interception and Access) Act be expanded to include consideration of the security of offshore telecommunications data that is retained by a service provider for the purpose of the data retention regime.

Ultimately, the Parliamentary Joint Committee on Intelligence and Security made 12 substantive recommendations for improvements to this bill. The recommendations can be summarised as: the revision and expansion of the administrative guidelines; the exemption of broadcasters from the obligations set out in the bill; ensuring effective and regular information sharing; allowing requests for exemptions by carriers and service providers for certain changes; clarifying that the bill does not affect the operation of privacy obligations—I think that's vitally important; expanding the annual reporting and review requirements; and clarifying the responsibilities of the Communications Access Coordinator. I'm very pleased that the government has accepted all of the recommendations of the PJCIS. Labor, as I said earlier, has taken a bipartisan stance on national security legislation introduced by the government and has consistently worked with the government to ensure our security agencies have the powers they need to keep Australians safe.

The government has until now relied upon the cooperation of the telecommunications industry to implement the advice that it receives from security agencies. Certainly, it's acknowledged that there are well-established cooperative relationships between those security agencies and the telecommunication carriers which are already in place. However, the fact that the industry is not currently obliged under law to share threat information with security agencies means that there is a potential vulnerability because those security agencies lack visibility of potential threats. One limitation on this current arrangement is that this particular industry, as I said previously, is a dynamic industry, constantly evolving and with a number of new market entrants that may not have the same cooperative relationship with government. It is important to remember that this cooperative approach is only workable when companies are willing to give due consideration to national security in the public interest.

These reforms give our security agencies the tools that they need to ensure that our telecommunications networks and infrastructure are protected from malicious actors. We know that a key source of vulnerability for espionage, sabotage and interference activity is the supply of equipment, services and support arrangements. Technology and threats are constantly changing. We need to ensure that the framework that we use for regulation is sufficiently flexible to address the risks these present. There is always pressure upon carriers and service providers to remain contemporary with their service delivery and to serve a market that is also constantly changing. Security is vitally important and should be an overriding consideration for service providers. But, above all, it should be a question of industry culture, not something which is merely imposed.

Australian telecommunications networks rely on global supplies of equipment and services, often located offshore. This potentially creates a challenge to implementing controls to mitigate personnel, physical and ICT security risks, making networks and facilities more vulnerable to unauthorised interference. This is a lesson learned from history. In the 1960s, as I indicated earlier, when the idea of cyberattacks on IT systems and telecommunications networks was becoming an increasing concern for industry and government alike, military strategist and systems theorist Herman Kahn noted:

The aggressor has to find only one crucial weakness; the defender has to find all of them, and in advance.

Indeed, our increased reliance upon internet and telecommunications systems only serves to make us potentially more vulnerable.

Advances in technology and comms have introduced significant vulnerabilities, including the ability to disrupt, destroy or alter networks or infrastructure as well as the information held on them. These vulnerabilities potentially allow state and non-state actors to obtain unauthorised access that could be used to extract information or disrupt networks. Similarly, whilst carriers and service providers act to secure their networks to protect the personal and business information of their users, these requirements may differ from those needed to protect national security interests. The reforms in this bill require carriers and service providers to take into account a broader range of security risk factors when making investment decisions so as to protect national security interests.

As I noted earlier, this bill is the result of a process initiated under the former Labor government in 2012 that was followed by a period of consultation between government and industry. I am very pleased, again, to note that the government has accepted all of the recommendations of the PJCIS for improvements to this bill and, as such, I am confident that the framework established by this legislation can effectively operate to ensure that Australia's telecommunication networks and facilities are safe from national security risks of espionage, sabotage and foreign interference. This is something that every Australian needs to be aware of. It is very pleasing to see the government acknowledging that this threat is very, very real. It is taking it seriously. It's vitally important that we ensure that the measures we take are contemporary and effective.

5:24 pm

Brian Mitchell (Lyons, Australian Labor Party)

I rise to give my support to this bill, the Telecommunications and Other Legislation Amendment Bill, which strengthens and amends the Telecommunications Act and related legislation in order to better manage the national security risks of interference with and access to telecommunications networks and facilities. The Parliamentary Joint Committee on Intelligence and Security has handed down two reports from inquiries in 2013 and 2015, and this bill is the result of a lengthy process of negotiation and cooperation between the government and the telecommunications industry which began with the former Labor government's broad review of national security issues in 2012.

In 2013 the Joint Committee on Intelligence and Security recommended that government create a telecommunications framework in recognition of threats to our national security that can be made through the telecommunications system. In a further report from the committee in 2015, telecommunications sector security reform was again supported. The bill was first introduced in November last year and was referred to the joint committee for scrutiny. The committee held two public hearings in February this year and another in March. The committee also had private briefings from relevant agencies in Canberra. The committee process of scrutiny of this bill has been rigorous and comprehensive. This is a great example of how our parliamentary system should operate and work effectively.

Before I go on about the joint committee, I just refer to this: I have just seen this on a website about the troubles affecting Equifax, which is one of the largest consumer credit companies in the US. It's in all sorts of trouble over cybersecurity. It has access to the social security details of 143 million Americans, plus a whole bunch of Poms and Canadians. They actually had passwords for their employees that were literally 'admin/admin'—just about the single worst password you could think of. This is a major consumer credit company with very private details of 143 million Americans. This is exactly the sort of thing we want to avoid in this country, and one that I hope this process would help us to avoid in Australia.

The joint committee has made 12 recommendations, including making clear what a company's security obligations are in circumstances where telecommunications infrastructure is used but not necessarily owned or operated by a company. A company's infrastructure may be located in a foreign country and used to provide services and carry or store information from Australian customers—I'm not sure that we could recommend Equifax as a foreign company—and where a company provides cloud computing and cloud storage solutions. With our society becoming more mobile, with people accessing information from different locations and devices, the security of files and information is paramount. Gone are the days when we had a PC at home and another at work, and files were saved to floppy disks—for the young people in the gallery, they were funny little things with I think 56 kilobytes of information. Then along came CDs and USB drives, but all of them were physical media, to be transported physically from one computer to another.

That has all gone. We now live with the cloud. There is a T-shirt doing the rounds that states, 'There is no cloud—it's just somebody else's computer.' That always tickles my funny bone, because it's absolutely right—there is no cloud. The cloud, of course, is really a server, somewhere, connected to your device or devices via the internet. The server is most likely one of hundreds of thousands in a massive facility locked down in some bunker somewhere overseas. These days you will generally save your material to your cloud service, which enables you to retrieve and work on your files from whatever device you choose to log in with. You might start writing a letter at home on the PC. You will save it to the cloud. Then on the bus you might log in and edit the file on your mobile. You will save it again. Then you might get to work and log in via your work PC and finish it off and email it.

Major companies are moving their services to the cloud. Adobe, which owns publishing software like InDesign and Photoshop, now offers all its applications via cloud-based services and has stopped providing software via physical media. It doesn't even offer an online downloadable subscription. The parliament, which does offer InDesign and Photoshop as a work software to members, has to have a special deal with Adobe to get a service that is not cloud-based because of the security issues. Most customers are required to have ongoing cloud-based subscriptions. The cloud is where the world is moving to. In making this change, Adobe is counting on the fact that its customer base—in the main designers, artists and journalists—are comfortable working in an internet environment. That's probably a good assumption to make. Most people are comfortable in that environment, and I would guess that many more companies are going to be offering exactly the same sort of application. We need to get used to the fact that the internet, the cloud, is where services are going to be. That's exactly why we need better cybersecurity and more formal arrangements in place.

While universal availability, dependent on decent internet—let's not talk about the NBN—helps to make our lives easier, it does raise questions. First, it can be impossible to switch off from work, when you can work at home at all hours. Second, and more relevant to this bill, ensuring security of data in a cloud based environment is vital. When working inside the cloud or with remote servers your security is only as good as the company that hosts your data. Sure, you might have file passwords, but you still don't want unauthorised third parties to be able to even get near your encrypted data.

My electorate of Lyons is pretty big and I'm often in my car, along with my iPad and my mobile phone, and that is pretty much my office for much of the week in my electorate. Using the parliament's cumbersome and frankly archaic log-in security services, I can access the remote parliamentary server and edit files as necessary, when I can get on, when I can get decent internet, just as I can from the office PC. The proviso is that the remote server is very slow, even over pretty good internet, and it is a pretty clunky setup. Hopefully there will be some changes in the near future.

What I can't argue with is the need for the security. I accept that. The last thing I want to do is log on remotely while on the road and have someone able to hack into my signal and gain access to my office data, much of which can contain personal information on staff and constituents. I'm not a fan of overbeating the egg on national security. I am generally of the view that we should not dismantle our freedoms in order to protect them, but I do accept we need to take cybersecurity very seriously. It is a huge part of both our national security and our corporate security effort. Frankly, we all need to think a bit more seriously about cybersecurity and, at a personal level, we should ensure that whatever cloud service we use is reputable.

Personal information provided to cloud services includes names, addresses, passwords and billing information, so I would hazard a guess that perhaps people should try to avoid Russian based internet cloud services that they don't know about. Let's make sure we are not handing the information to crooks. What happens to all our information and files if the cloud server is compromised in some way? Is data and information safe? What are the risks? These are the questions we must ask.

Many of the cloud services people use are hosted internationally. It is reassuring to know this bill also includes measures to consider the security of offshore information for Australian providers and carriers. This bill places an obligation on carriers and carriage service providers to notify the government of any changes to offshore arrangements. The last thing we want is a cloud server shifting from Nebraska to North Korea, without anyone knowing about it—though, of course, that would be illegal.

While there will always be an element of risk in relation to the storage of information and data by telcos, this bill goes some way to mitigating this risk and providing confidence that there are measures in place to help keep our telecommunications systems safe. A little shout-out here to Google, Amazon, Apple and others: Tasmania is the ideal place to house your servers. We have a cool, relatively dry climate, we are geologically sound and we have a fairly stable political system. We also have lots of regional, affordable land. We are well worth a visit—come on down.

While on the issue of security, all of us also put a lot of information out there, on social media especially, and thieves like to harvest it. For example, receiving birthday wishes on Facebook can give cyber crooks access to your birthday, one of the questions often used as a security question. We all put the names of our pets and our kids and spouse on social media. All this seemingly innocent material can be harvested by crooks and used to forge false identities with banks and other authorities. Reclaiming a false identity is no easy matter.

This legislation is not just about protecting personal information and files. It is about protecting the wider communications network across the country. Advances in technology like cloud systems and the ways in which we work, communicate and store information have opened vulnerabilities within our systems, risking unauthorised access to networks, with the potential to cause major disruption and potentially disable critical networks. If there were a breach in one area of our telecommunications network, it could have catastrophic consequences and ramifications for the country as a whole. A compromised telecommunications system during an emergency could have wide-reaching implications, particularly in terms of our first responders and security agencies being able to act and to provide the necessary support and action in a timely manner. We have been given a warning of this. There is no better example than Die Hard 4.0: Live Free or Die Hard. John McClane is tasked with bringing in a hacker because the villain, played by Timothy Olyphant, is threatening a 'fire sale', a term that means everything must go—energy, telecommunications, finance, transport systems, national security—because it's all wired and it's all connected. Fiction, you say? We'll see.

The bill also puts measures in place that require carriage service providers and carriers to protect their networks and facilities from unauthorised access and interference. While we may think about security of our telecommunications system in terms of the data and information that telcos might hold, security in this instance also refers to the physical assets of the carriers and service providers. So, expect a few more cameras and security patrols around infrastructure.

The security and resilience of our telecommunications infrastructure is vital to the social and economic wellbeing of the nation as a whole. Perhaps they should have a big ugly fence go around them—but that may be a bit controversial. This security and resilience is particularly important in regional areas, such as my electorate of Lyons, where many small communities rely on a secure service in order to stay in touch with family and friends, stay healthy and be successful in business. This bill will give the people of my electorate security in the knowledge that their communications and data are as safe as we can make them. The question of reliability of service and connection is something that can be debated on another day in this place—I'm still talking about the NBN.

Telecommunication companies hold vast quantities of sensitive data, such as billing and other information. If this material is unlawfully accessed it poses great risk, not only to the country but to individuals. Personal security of individuals can be put at risk if sensitive information, such as addresses, is obtained by nefarious characters. Currently, telecommunications companies work voluntarily with government to keep our critical infrastructure safe from foreign and other threats. This bill formalises this constructive relationship between government and telcos. While the current environment and relationship is one that operates on goodwill between telcos and governments, this bill puts measures in place to ensure there is a regulatory framework should that goodwill cool in the future.

Security agencies currently work with telcos to help them manage vulnerabilities in their networks. Increasingly, there are new players in the industry who may not have established those relationships over time. The current cooperative and voluntary arrangement works well, but it does so only with the goodwill of all parties involved. We need something a bit more formal, and that is what this bill hopes to achieve. We cannot take those relationships for granted, so it is important that we have that regulatory framework in place to ensure that current arrangements carry over to all carriers and service providers.

Labor has consistently worked with the government to make sure our security agencies have the powers they need to help keep Australia safe. Labor is pleased the government has adopted all the recommendations from the Joint Committee on Intelligence and Security, and we commend the committee for its rigorous investigation into the government's proposals.

5:38 pm

Ed Husic (Chifley, Australian Labor Party, Shadow Parliamentary Secretary to the Shadow Treasurer)

When I heard that the member for Lyons was a candidate in the 2016 federal election, I had known him for quite some time and was very pleased and happy that he was standing as a candidate. He was subsequently elected, and he is doing a great job in his seat. But my faith in him was validated just now, when I had the opportunity to hear him quote from the movie Die Hard 4 in the federal parliament—this is the cherry on top of the cake! I never thought I'd hear that happen in this place. Well done, and kudos to you!

You made a number of very important points, emphasising what a lot of us believe is important with respect to the security of the services that are used and accessed by people online and, increasingly, every day. I think the member for Bass also made an important contribution in this debate. It reinforces in my mind that when it comes to digital economy matters the delegation from Tasmania that sits in the federal parliament today thinks very deeply about this, both in the House and in the other place, and it is to be commended for it.

I think we do not celebrate enough the contribution of the digital economy to the broader Australian economy. We have a number of firms in a wide variety of forms that are making an important contribution to the Australian economy. I note the presence of the member for Robertson, who, in a former life, worked for one of the major telcos in this country—a telco that is making a major contribution not only in this nation, but, importantly, within our region as well, in the form of Telstra. These are all firms that are in one way, shape or form providing jobs, providing commercial value to other firms, and contributing to the economy. More often than not, I think we overlook or take for granted their contribution. I mention this because I was very concerned by the submission that was made by four industry groups representing a lot of these firms as part of the process of considering the legislation that the government's put before the House—the submission of the Ai Group, the Australian Information Industry Association, the Australian Mobile Telecommunications Association, and the Communications Alliance. There were a number of things that were written in that submission that I want to be able to cover today, because I remain deeply concerned. I think it's important that, while we provide a very thorough security framework, we do promote best practice when it comes to cybersecurity. There were some things that were raised in that submission that I was deeply concerned about, and I think we need to set a marker down to keep an eye on them through the implementation process and beyond.

These firms rightly point out that the Australian ICT sector is 100 billion strong. That includes telecommunications carriers, carriage service providers, vendors and intermediaries. In the submission that they made, they raised a number of points. They said that the purpose of the reforms was unclear; that the nature of the compliance requirements was 'onerous', in their words; that there is no established strategy to brief carriage service providers on the threat environment; that there was vague drafting in what was put forward; and that the legislation itself doesn't include, or at least limit, the requirement for carriage service providers to retrofit or remove existing facilities. These are very serious concerns. Bear in mind that it is in the commercial interests of a lot of these companies to take very seriously cybersecurity threats and to be able to demonstrate to their customers that the network they are providing is as secure as it can possibly be. A lot of them recognise the value of it.

There are two groups of people who do not like how seriously a lot of tech firms take cybersecurity and privacy. The two groups are the people who want to cause ill and to be able to exploit vulnerabilities, and the government. The reason: a lot of these phones—for example, the iPhone, of which there's been a new version released today. I met with Apple's head of AI and Siri in the US earlier this year. A lot of people worry that when they talk to their phones—and I don't want to activate my own phone in the process of going through this example!—all of that data is retained on the phone. It cannot be accessed. It is not provided back to the servers at Apple, for example. In the next iteration of their product, the facial recognition elements of that, none of the facial recognition elements will go back overseas either. They will all be retained on the phone. These firms take very seriously the data there. We've had a debate in this country about how you can access—as was the case in the US where Apple stood very firm on not allowing government access to phones where there was a serious national security issue that underpinned the request to access those phones. But these firms take it seriously. It's not as though they are blithe or treating in any sort of lackadaisical manner the issue of cybersecurity; they treat it very seriously.

As much as the government is putting a lot of emphasis on these firms to maintain, to ensure that they invest in and to be able to demonstrate to government the security of their tech, what is interesting and what has been raised by this submission is that there is not an equivalent collaborative arrangement or mindset in government to work with these firms. This is a very important criticism that has been extended by the sector towards government. In the submission that was put forward by these four industry associations, they rightly pointed to the collaborative nature of the working relationship between government and industry in cybersecurity in the US. They did a similar sort of thing in pointing out what happens in the UK. In this country it appears to be a one-way street, where the government will dictate what the firms must do, but government will not share any sort of advance knowledge about threats to ensure that the sector can prepare. All the penalty and risk has to be borne by the industry, and there is no commensurate behaviour by government to inform of threats in advance.

I think this is a serious problem, because we all have a stake in improving cybersecurity. We all have a stake in making sure that these services continue to deliver, on top of what the sector is already doing, and this was raised through the committee process. The government recognises it needs to do more, but the test will be, 'Will they share information about threats in a timely way to allow the sector to respond accordingly?' Again, I quote from the submission:

Further, there is no obligation established in the legislation for the Attorney-General's Department to work cooperatively and proactively with Industry in identifying, communicating and responding to threats and attacks …

I think this is a vulnerability, and it needs to be addressed by government. It needs to be able to also ensure that industry is treated as a partner, not as someone that just basically jumps the minute government clicks their fingers. It shouldn't be that way. For example, something I was very concerned about was highlighted in the submission:

… there is no corresponding obligation on Government to justify its actions, take responsibility for any unintended outcomes, bear the costs or deliver a practical and timely threat advice service. Nor is there any guidance or limitation on regulatory creep—

none of that. The government just stonewalls on this. It keeps saying, 'No, we need to do this; there are threats at play, and industry simply needs to respond.' Industry, as I said, takes this seriously, and they should be treated seriously. Government should be better at lifting the general approach to cybersecurity when it comes, in particular, to what we're dealing with here. Again, I quote from their submission:

… the Associations reiterate a preferred approach would be to reconsider the roles and responsibilities of risk assessment through collaborative sharing of information about actual and potential threats, and what tools and techniques are recommended to ensure appropriate action is taken to protect all the components that make up networks (i.e. hardware and software)—

these are not outrageous things to request; they are quite straightforward—

Industry-developed frameworks are likely to be significantly more flexible with regards to the frequent adaptations required to keep up with technological progress and market changes—

another well-made point. The other thing that concerned me was that, if, for example, there is a case where government believes that there needs to be a retrofit of certain systems, the entire onus and cost is shifted onto industry. As I said in my earlier remarks, there's not enough flagging of potential threats to industry and sending a signal to the sector about things they need to do. That's absent. Then, if there is a problem and it requires a huge investment of resources, time and money to retrofit a particular network, for example, that cost could be completely borne by industry, with no regard by government. Government has said, through the course of the inquiry process, that this would be an extreme instance—and I agree; I think it would be extreme—but there needs to be a better assurance about how that cost issue would be managed. Again, in terms of those notification requirements, I go back to the submission:

It appears highly inefficient that C/CSPs are obliged to proactively notify Government of proposed changes to their networks … and proposed risk mitigation strategies while Government is not compelled to equally notify C/CSPs of any potential or real security threats …

The government agrees it needs to work better on that. On the issue of retrofitting, this is still left out there without any real commitment as to what will happen. In fact, I think the government has said no. This is despite the fact that the sector said in its submission:

… a simple assurance in the Explanatory Memorandum and Guidelines that non-compliant systems will not be penalised does not create sufficient certainty for C/CSPs.

… the legislation itself ought to be amended to reflect the intention to not require retrofits except in rare and extremely serious circumstances.

Again, these are important points, but the government has refused to come at least halfway—well, not even halfway; it's basically said it's not going to do it. I am very concerned that, in the rare instance that this occurs, the impact on the sector is significant. The way that the sector concluded their submission was by saying:

… the Associations do not believe that a comprehensive case for TSSR has been made. In its current form, the legislation is too discretionary and vague and is lacking two-way cooperation and information, thereby imposing substantial costs, uncertainty and regulatory risk onto the entities proposed to be regulated. The legislation is an over-reach and an unnecessary imposition …

I make these remarks in this debate so that they are markers, more than anything else. From my consultation with the sector, the industry echoed the remarks of some of my colleagues—that they were very happy with the way the committee process and the hearings went. They believe that the industry were heard. They do still have some concerns. They're very pragmatic. They say, 'Obviously, you're not going to get everything that you want,' but there are some serious issues in there that I think we need to keep tabs on in the longer term.

Throughout the whole debate about metadata—the issue about the costs and the way in which industry would have to respond on data storage and management as a result of that—the government played hardball with the sector for quite some time, even though how much cost would be imposed on them was well documented. Obviously, with the requirement for additional regulation, there will always be a cost. But I think we have to always bear in mind that costs are already put in place by the sector in their pursuit of customers and to be able to demonstrate to those customers that those systems are strong and are able to withstand known threats and potential vulnerabilities. They already invest in that. When government itself refuses to provide detail about potential threats and allows those industry players to modify their networks accordingly, but then leaves hanging over them the threat that there might be a cost for retrofit or for other required amendments to their network, I think that is pretty unfair to the sector.

So I'll be watching with interest. Obviously, our side has been keen to work with the government on this. We'll work with them on national security issues. But I think those industry concerns should be listened to.

5:53 pm

Gai Brodtmann (Canberra, Australian Labor Party, Shadow Parliamentary Secretary for Defence)

For the last 18 months, here in Canberra, I've been campaigning very, very hard on the NBN. Up until about two or three months ago, the vast bulk of my electorate of Canberra wasn't even on the NBN rollout map. So I campaigned very hard for Canberra to be placed on the NBN rollout map and, finally, we achieved that a few months ago after a lot of lobbying and a lot of effort.

Now I'm lobbying and advocating for an even approach to the technologies that are going to be rolled out in Canberra. At the moment, we're going to have three technologies—fibre to the kerb, fibre to the node and fibre to the premises—in the one street, which is completely and utterly unacceptable. The concern I also have is despite the fact that we are finally on the rollout map, after 18 months of advocating and trying and campaigning on the issue, and encouraging people in Canberra to send me their speeds, most of Canberra is not going to be rolled out with the NBN until late next year and early 2019.

For the past 18 months I have been reading and sharing with the rest of Canberra the appalling speeds that Canberrans are having to deal with, which are significantly hampering their educational opportunities, significantly hampering their business opportunities and significantly hampering their ability to take part in what I call active citizenry. We have Canberrans, like Jenny and Steve from Fadden, who are regular subscribers to my Send Me Your Speeds campaign. They've been sending me speeds for months now: Jenny and Steve, thank you so much for taking part in this campaign and thank you so much for being active contributors to the campaign. You can really understand why they are so concerned about their speeds, why they want to jump on the bandwagon of this campaign, why they want to see Canberra prioritised in the NBN rollout map and why they want to see even technologies. We'd love fibre to the premises. Why should we be penalised for the fact that we weren't even on the NBN rollout map until a few months ago? Why can't we get fibre to the premises like we have in Gungahlin on the north side?

A digital divide exists in Canberra as a result of different technologies in one street, in my electorate, these different technologies between the north and south side of the ACT. There's a real digital divide and there's a real case of haves and have-nots, which is why I want technology that's as even as possible across my electorate—ideally, fibre to the premises for everyone. If we can't get that, I want fibre to the kerb and fibre to the node. I will come to some concerns I have about fibre to the node after I've run through my Send Me Your Speeds campaign, which will tell you why Canberra needs to be prioritised on the NBN rollout map.

We are talking the nation's capital. We are talking 2017. We are talking suburbs that are less than 20 kilometres from this very Parliament House. And these are the speeds they are dealing with. I will run through some speeds that Jenny and Steve have been sending me over recent months. One day, recently, they had an upload speed of 1.91 megabits per second and a download speed of 1.91 megabits per second. Those speeds are pretty bad—but it gets worse. I'm warning you now: brace yourself. As if those absolutely appalling speeds weren't bad enough, Jenny and Steve also have regular interruptions to their service, which makes using the internet absolutely impossible. Then they sent me speeds of 0.43 megabits per second for download, and—listen to this; they might as well not even try—an upload speed of 0.05 megabits per second!

This is in Canberra; this is in Fadden—less than 20 kilometres from this Parliament House, in 2017, in our nation's capital. We're not talking remote Australia here. We're not talking the outback. We're not talking some sort of mountain range or chasm or gorge. We are talking less than 20 kilometres from Parliament House, in our nation's capital, in 2017: upload speeds of 0.05 megabits per second. Jenny and Steve recently had an upload and download speed of just 0.15 megabits per second. Jenny said that recently she was watching Q&A and a question was asked regarding internet speed satisfaction. Seventy per cent of the audience were dissatisfied. Jenny also sent me speeds of 0.92 download and 0.11 upload. Jenny is concerned about trying to communicate with these absolutely appalling speeds, but then she hears on Q&A that 70 per cent of the audience are actually dissatisfied with their NBN. She's rightly concerned, given that she's dealing with this absolutely appalling state of things now, about what the future will look like when we actually get NBN, particularly given the distance she is from the exchange. I will showcase once more the appalling situation Jenny and Steve have to live with, with a download speed of 7.5 megabits per second and an upload speed of 0.09. At least it wasn't 0.05 download speed and 0.09 upload speed, which was one of their recent readings.

Another response from a participant in the Send Me Your Speeds campaign that underscores why we need to be prioritised on the NBN rollout map and need the best NBN possible in terms of the fibre to the premises and fibre to the kerb was from Bec, also from Fadden. She sent me an email saying her broadband speeds were so low she couldn't manage to get a speed test done. That's how bad it was! Poor old Bec couldn't actually send me her speed because she couldn't actually download it. She is less than 20 kays from the Parliament House, in the national capital, in 2017! When she did find enough speed, poor little thing—pedalling away there—to run the test, it was a download speed of 0.20 and an upload speed of—listen to this!—0.03 megabits per second.

Julia from Kambah emailed me earlier this year after receiving a copy of the Brodtmann Bulletin in her mailbox. She's getting a download speed of just 0.25 megabits per second and an upload speed of 0.03. Poor old Bec and poor old Julia! Julia wrote:

I am currently on an ADSL plan with iiNet and at times it's worse than the ye olde dial up. iiNet would never own up to it, but I'd bet my bottom dollar they're making the existing ADSL connections crap to induce their customers to sign up to their VDSL network before the NBN rolls out.

Victor from Macarthur is getting a download speed of 0.12 megabits per second and an upload of 0.06. He says that it's a real challenge to get one-tenth of a megabit per second each day and when he does actually achieve that it's a good day. He lives with his girlfriend, who studies, and she says it's nearly impossible to study and watch her lectures for universities. The videos and documents just won't load. That's not surprising, Madam Deputy Speaker, when you've got a download speed of 0.12 and an upload speed of 0.06. I'm surprised she can download anything with those speeds.

Paul from Fadden has a download speed of 4.8 megabits per second and an upload of 0.84.

For Craig from Yarralumla it's a download speed of 0.19 and an upload speed of 0.28. He says a friend of his, who lives in Virginia in the US, showed him speeds of nearly 900 megabits per second, which he's getting for $69 per month. So there's poor Craig in Yarralumla, just down the road from here, five minutes away from Parliament House, getting a download speed of 0.19 and an upload of 0.28, while his mate in Virginia has a speed of 900 megabits per second for $69 per month. That's something we can only dare to dream of.

Ahmed from Calwell has a download speed of 5.15 megabits per second and an upload speed of 1.30. To quote him:

The biggest question is why my street is planned for fibre to the node in April while people in the same suburb will get fibre to the kerb on the same date. Why not fibre to the premises like Gungahlin? Are we second class citizens?

Another response was from a family who didn't wish to be identified but wanted to have their experience heard:

Our kids were keen to do maths tutoring based in the US but needed a minimum download speed of 5 megabits per second and an upload speed of about 2 megabits per second. As you can see from the screen shot we didn't even come close so the kids missed out.

As I said, my community is missing out on educational opportunities as a result of the fact that we have these absolutely appalling download and upload speeds.

The government, despite my many, many attempts to communicate with the Minister for Communications, doesn't care. It does not care about the fact that this community is having its educational opportunities impeded, it's having its business opportunities impeded and it's having its citizenry opportunities impeded by these absolutely appalling speeds that basically don't allow for the community to communicate. I have told the minister this many times, and this government just does not care. We need to be prioritised. My community is actually getting a second-class service. As Ahmed said, they are being treated as second-class citizens by this government because of its inability to prioritise areas with these appalling speeds and its inability to get an even approach to the technology that's being rolled out. As I said, in one street there is fibre to the kerb, fibre to the premises and fibre to the node. It is unacceptable.

Here we have a family whose children are missing out on the opportunity to take part in maths tutoring based in the US because their internet speed is about two megabits per second and the requirement is five megabits per second. They go on to say:

We certainly can't watch HD through the internet and the kids struggle to do internet based homework on a regular basis. Even using Skype with my parents in Sydney is a chore with frozen screens, pixelations and bad quality sound. And our mobile phone reception isn't much better either. I need to step outside to take some calls.

I've heard that said quite often. Further, they say:

Good luck getting the Senate to listen to ordinary Australian family challenges with the world's slowest internet speeds.

In terms of the experience of this person, who chose to remain anonymous, I've heard so many times from Canberrans that they have to step outside to make phone calls because the reception is so bad. At one of the NBN forums that I held in Tuggeranong, I remember a woman saying that she had to climb up on top of her garage roof to get reception for her mobile phone. I hate to think what she did at night. I hope she had some decent lighting there. This is happening here, now, in our national capital! It's just breathtaking.

Bill, from Chisholm, is another frustrated Canberran broadband user. He says:

An update on my never ending saga with slow internet speeds here in my home in Tuggeranong.

This is a real problem, particularly in Tuggeranong. Whenever it rains, things go pear shaped. You can forget about communicating whenever it rains in our nation's capital in 2017. Bill goes on to say:

Last weekend when we had some rain and the internet dropped out ...

This happens all the time. I can read so many written accounts sent to me by Canberrans about their appalling internet speeds. As I've said so many times, these slow speeds are having a significant impact on the ability of my community to take part in educational opportunities, in business opportunities, in citizenry opportunities and in the e-health options that exist. My community is being seriously impeded in its options, choices and opportunities for prosperity and growth as a result of the Turnbull government's continued ignorance and continued contempt for Canberra and also for the suffering that is going on here in terms of telecommunications.

6:08 pm

Matt Thistlethwaite (Kingsford Smith, Australian Labor Party, Shadow Parliamentary Secretary for Foreign Affairs)

I rise to speak on the Telecommunications and Other Legislation Amendment Bill 2017. I can concur with the comments of the member for Canberra regarding the National Broadband Network. I think what's happening in most Australian communities regarding the NBN can be perfectly summed up by the tweet that was posted by Annabel Crabb a couple of weeks ago:

When people complained about the NBN, I used to think privately "Surely it can't be that bad". I hereby apologise to those people.

That says it all about the National Broadband Network in Australia at the moment. My community, the community of Kingsford Smith, is one of those suffering because of this government's incompetence when it comes to delivering a decent telecommunications system. If Labor were still in government, the NBN would've been rolled out in three-quarters of the community that I represent by now. It would've been world-class, fibre-optic cable to the premises. Most homes and businesses would have received it, yet, at the moment, only a very, very small proportion of homes and businesses in our community have actually received the NBN. Basically, only new developments in our area have received the NBN.

I went to a briefing with the NBN Co here at parliament a couple of years ago. I asked, 'When will it be rolled out in my community?' They said, 'It should start being rolled out in your area by the beginning of 2017.' To date, it hasn't been rolled out. Then, I went to another briefing a couple of months ago. Again, I asked: 'You told me that the NBN would be rolled out in 2017. It hasn't happened yet. When will it happen?' They looked at the map and said, 'It will now probably be 2018 when it is rolled out.' So I imagine, when I go to the next briefing, that that will be pushed back to 2019 and so on.

The people of Kingsford Smith, like the people of every other community in this country, are crying out for decent telecommunications services. All we want is the world standard that other nations, including underdeveloped nations compared to Australia, are receiving so that businesses can operate their businesses effectively and efficiently and so that Australians can do their work, can study and can live fulfilling lives using modern telecommunications and the internet. Sadly, this government is lacking in delivering that.

In respect of this bill that we're debating here today, the Telecommunications and Other Legislation Amendment Bill, this is a reform that the Labor Party and I are supporting. The purpose of this bill is to create a regulatory framework to manage national security risks of espionage, sabotage and foreign interference to Australia's telecommunications networks and facilities. The bill will provide the Attorney-General with a new power to direct a carrier, carriage service provider or carriage service intermediary to do or not to do a specified thing on a security-related ground—for example, alter a procurement assessment as giving rise to security risks.

The proposed measures in this bill form part of a package of reforms to national security legislation identified by the former Labor government in 2012, commonly referred to as the telecommunications sector security reforms. The TSSR is the process of developing a regulatory mechanism to ensure that industry engages with security agencies to enable the early identification and collaborative management of security risks to their infrastructure and information held on or carried over it.

There's been parliamentary interest and consideration of issues related to security of the telecommunications sector for a number of years. I recall being a member of the infrastructure committee, where we looked at this very issue, the interaction between security agencies and ISPs in Australia and cases where security agencies and, indeed, other financial regulatory agencies had had cause to shut down telecommunications sites for particular reasons. This bill reflects previous considerations of issues pertaining to the security of the telecommunications sector generally by the Parliamentary Joint Committee on Intelligence and Security.

This bill assists the national security agencies to manage risk in this space by imposing a new security obligation on carriers and CSPs to do their best to manage the risks related to unauthorised access and interference to networks and facilities that they own and operate. It also imposes notification requirements on carriers and certain nominated CSPs to notify the government of planned changes to their systems and services that are likely to make the network or facility vulnerable to unauthorised access and interference. The Secretary of the AGD is provided with information-gathering powers to facilitate monitoring of and investigations into compliance with the new security obligations. The Attorney-General is provided with two directions powers, subject to certain conditions being met, to direct a carrier or a CSP to do or not to do a specified thing—for example, alter a procurement assessed as giving rise to security risks or shut down a specific service, notably through a specific shutdown power, and by providing enforcement mechanisms by extending the civil remedies regime provided for parts 30, 31 and 31A of the act to address noncompliance with security obligations, a ministerial direction or a notice to produce information or a document.

This bill is a result of several years of negotiations and cooperation between the government and the telecommunications industry. In 2015, as part of the committee's inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill, the PJCIS again supported telecommunications sector security reforms and recommended that the government ensure a framework of enacted reforms before the end of the implementation of the data retention regime, which was in April of this year.

A division having been called in the House of Representatives—

Sitting suspended from 18:15 to 19:05

These reforms were also subject to two rounds of public consultation on exposure draft legislation before the current bill was introduced to the Senate. The bill was introduced to the Senate on 9 November 2016 and immediately referred to the PJCIS for careful scrutiny and review. That committee received eight submissions and four supplementary submissions from industry, government and academia. The PJCIS held public hearings, and an advisory report on the bill was made by that committee. They made 12 recommendations for improvements to the bill, the explanatory memorandum and the administrative guidelines accompanying the bill. Subject to these 12 recommendations being implemented, the PJCIS recommended that the bill be passed.

When it comes to legislation pertaining to interests and matters of national security, I'm pleased to say that the Labor Party and the coalition have been at one, particularly since 2014, and close scrutiny has been applied to all measures designed to bolster our national security. Through the PJCIS, Labor recommended improvements to the bill that have consequently been adopted and presented by the government. These include clarifying company obligations, making clear that the bill does not apply to certain broadcasters, a recommendation that the Attorney-General's Department share information with industry where possible and making clear that the bill does not impact on existing legislated privacy obligations.

The bill bestows significant powers upon the Attorney-General, allowing the AG, subject to strict criteria, the power to direct a carrier or service provider to do or refrain from doing an act to eliminate or reduce risks that are associated with security issues. A test of reasonable necessity has been applied as a safeguard, and the Attorney-General must also be satisfied that all reasonable steps have been taken to reach agreement and to consult affected carriers or carriage service providers in good faith.

Labor is totally committed to ensuring our national security organisations and agencies have the power, resources and flexibility needed to protect our nation's people and interest. We're pleased to accept all of the recommendations of the parliamentary joint committee and therefore commend this bill to the House.

7:08 pm

Michelle Rowland (Greenway, Australian Labor Party, Shadow Assistant Minister for Communications)

I rise to speak on the Telecommunications and Other Legislation Amendment Bill. It is to the benefit of every Australian that our telecommunications industry has worked diligently over the past decade to ensure that the networks we use are safe and resilient. Communications is at the heart of our society, and with every passing day we become more dependent upon the applications and services they make possible. This increasing dependence on connectivity also means that the impact of any disruption to our networks is greater than ever. These risks permeate critical sectors of the economy, such as government, banking, finance and energy. The Internet of Things is also transforming Australian industry. The next phase of digitisation will integrate connectivity into industrial applications that have traditionally been free of any digital dependence.

Just imagine what the world might look like in 2030, with autonomous vehicles coordinating themselves through peak-hour traffic, underpinned by high-speed connectivity through next generation mobile networks. I make this observation to emphasise that technology changes much faster than our laws. This has been the case in the past and will remain the case in the future. From this vantage point the evolving technology and security environment warrants a careful assessment to ensure our capabilities, systems, processes and laws remain fit for purpose. Ultimately this comes down to a question of what arrangements can best preserve the confidentiality of communications carried on telecommunications networks and equally ensure the availability, resilience and integrity of these networks.

Over the past decade, the Australian telecommunication industry has been voluntarily working with the government to ensure that Australia's critical infrastructure is safe from foreign interference, threats or espionage. The security professionals in companies such as Telstra and Optus are world leaders in threat detection and response, and both the Australian public and the private sector have benefited from their expertise. We are indebted to industry for its cooperation, engagement and goodwill over this period. However, it has been recognised on both sides of parliament that the existing framework for managing these risks in the telecommunications industry is not adequate for the times we are in. The current framework relies on voluntary cooperation and goodwill, which may not always be sufficient, given the nature of the risks to national security and the increasing consequences if those risks were to materialise. Put another way, security agencies have a legitimate need for greater visibility and certainty, and this includes protecting against the possibility that such goodwill may not be voluntarily forthcoming from all telecommunications companies at some unknown point in the future.

Addressing this gap is largely the subject of the bill before us. The Telecommunications and Other Legislation Amendment Bill puts a framework around that working relationship to ensure that both government and industry know what is required to keep Australians safe and what is expected of them to ensure that these measures are taken. The bill is the result of several years of negotiation and cooperation between the government and the telecommunications industry, arising from a broader review of national security issues by the previous Labor government in 2012. It implements the recommendations of two separate inquiries by the PJCIS in 2013 and 2015. In 2013 the PJCIS examined telecommunications security as part of its inquiry into potential reforms of Australia's national security legislation. Arising from that review, it was recommended that the government create a telecommunications security framework. In 2015, as part of its inquiry into data retention legislation, the PJCIS again supported telecommunications sector security reforms and recommended the government ensure a framework be enacted prior to the implementation of the data retention regime. The bill was subsequently introduced to the Senate on 9 November 2016 and was referred to the PJCIS for scrutiny and review. The PJCIS report on this bill made 12 substantive recommendations to improve and clarify its operations. As the shadow Attorney-General has outlined, Labor supports the PJCIS recommendations, and we are pleased the government has also agreed to all 12 recommendations.

The bill seeks a balance between the legitimate needs of security agencies and the regulatory cost and uncertainty often borne by industry when there is legislative change. The amended bill seeks to achieve this by providing a proportionate and escalating framework for addressing national security risks, which includes granting the Attorney-General powers, subject to certain checks and balances, to ensure certain steps are satisfied before any direction is issued. The key elements of the bill include establishing a security obligation applicable to all carriers, CSPs and intermediaries, requiring them to do their best to protect their networks and facilities from unauthorised access and interference. It requires carriers and nominated CSPs to notify the communications access coordinator of planned key changes to telecommunications services or systems that could compromise their ability to comply with this security obligation. Notifications may be provided in the form of either an individual notification or an annual security capability plan. It provides the Attorney-General with the power to issue carriers or CSPs with a direction requiring them to do, or refrain from doing, a specified thing in order to manage security risks. It empowers the Secretary of the Attorney-General's Department to request information from carriers and CSPs to monitor their compliance with the security obligation, and expands the operation of existing civil enforcement mechanisms in the Telecommunications Act to address noncompliance with the obligations set out in the bill. Further, the bill seeks to strengthen existing arrangements, including information sharing between government and industry.

On the topic of information sharing, I would like to offer a metaphor which can hopefully add to how we think about risks to telecommunications infrastructure. On the topic of nuclear reactors, The Economist once observed that safety was not a technological given; rather, it was an operational achievement. That is, we cannot guarantee a given technology is absolutely safe. Instead, we should strive to implement the best systems, processes and controls in order to make something as safe as it can be. This example reminds us there is no such thing as technological determinism. Safety and security are and will remain an operational achievement. We need to keep refreshing our tools and frameworks whilst remaining acutely aware of this reality.

This applies to the security of telecommunications networks, which brings me to the importance of enhanced information sharing between government and industry. Network security is core business for large telecommunications companies and they devote considerable resources because it is in their interests and, frankly, it's what the market expects, particularly of the larger providers. As Senator McAllister has noted in the Senate during the PJCIS inquiry, industry stakeholders raised concerns that the bill did not place an obligation on the government to proactively brief industry about possible threats and attacks. Stakeholders argued that it would be challenging for industry to notify the government about possible vulnerabilities in their networks or infrastructure when industry may not be aware of a specific threat or risk information. The PJCIS recommended that the Attorney-General's Department work collaboratively with industry to further develop this and to ensure effective and regular information sharing—in particular, sharing such threat information with industry.

I strongly endorse this approach and consider it in the common interest of security agencies and industry to ensure there is effective and regular information sharing. It is essential that all parties work together to ensure that professionals have access to relevant and timely information to mitigate threats where necessary. The safety of telecommunications networks is a common endeavour. We are all in this together. Labor have worked consistently with the government to ensure Australian security agencies have the powers they need to keep citizens safe, and we are pleased the government has accepted the 12 recommendations of the PJCIS.

7:16 pm

Michael Keenan (Stirling, Liberal Party, Minister for Justice)

I thank all honourable members who have contributed to this debate—the members for Bass, Lyons, Chifley, Kingsford Smith and Greenway. In particular, I thank the Parliamentary Joint Committee on Intelligence and Security, which made important observations and contributions that have resulted in recommendations that the government has implemented through government amendments.

Since 2014, the coalition government has led the most significant program of national security legislation reform in a generation. This bill, the Telecommunications and Other Legislation Amendment Bill 2017, is now the ninth tranche of significant national security legislation this government has introduced in the past three years. This bill is a critically important piece of national security architecture. Telecommunications networks form part of Australia's critical infrastructure and also support other critical sectors such as health, finance, transport, water and power. The existing framework for managing risks to telecommunications networks is inadequate. It relies on voluntary cooperation and goodwill, which is not sufficient given the nature of the risks to national security.

The bill will amend the Telecommunications Act 1997 to place an obligation on all carriage service providers and carriage service intermediaries to do their best to protect telecommunications networks and facilities from unauthorised interference and unauthorised access. This obligation will be supported by a new notification requirement to encourage early engagement to allow risks to be assessed and mitigated. In line with the risk based nature of these reforms, the notification regime includes an exemptions process. This will reduce the regulatory burden on some companies and ensure that the resources of security agencies are targeted.

Following introduction of the bill on 9 November 2016, the Attorney-General referred it to the committee for inquiry. The committee recognised that protecting telecommunications infrastructure requires a joint partnership between government and industry. The recommendations of the committee provide greater clarity and certainty for industry, encourage information sharing and enhance the transparency of the regime's operation. In addition to the committee's inquiries, these reforms have been the subject of extensive industry consultation since 2012. A number of changes were made to improve the operation of the proposed legislation in response to this feedback, including providing additional safeguards to govern the use of the proposed regulatory powers and clarifying the intended scope and application of requirements to be imposed on telecommunications providers. I would like to extend my thanks to those who contributed throughout the consultation process.

This bill will establish a regulatory framework to better manage national security risks of espionage, sabotage and foreign interference, and better protect networks and the confidentiality of information stored on and carried across them from unauthorised interference and access. I again thank colleagues from all sides of the House for recognising the need for these important reforms. The reforms will ensure our legislative framework is more effective and better targeted to the current national security threat. The bill will ensure that the Australian public can continue to rely on telecommunications networks to store and transmit their data securely, while allowing the industry the necessary flexibility to remain innovative.

Maria Vamvakinou (Calwell, Australian Labor Party)

The question is that the bill be now read a second time.

Question agreed to.

Bill read a second time.

Ordered that this bill be reported to the House without amendment.

Federation Chamber adjourned at 19:21