House debates

Wednesday, 13 September 2017

Bills

Telecommunications and Other Legislation Amendment Bill 2017; Second Reading

11:08 am

Michael Keenan (Stirling, Liberal Party, Minister for Justice)

I move:

That this bill be now read a second time.

The Telecommunications and Other Legislation Amendment Bill 2016 will amend the Telecommunications Act 1997 and related legislation to strengthen the security of Australia's telecommunications networks.

National security threats to the telecommunications sector

Australia's telecommunications networks are the critical infrastructure that enables all of us to conduct business and to go about our everyday lives online. Australia's economic prosperity and wellbeing are increasingly dependent on telecommunications networks and the data that flows across them.

Cyber threats to Australia are persistent, whether they arise from sabotage, espionage, serious and organised crime, or other technology-enabled crime. Espionage and clandestine foreign interference activity against Australian interests is extensive.

The Australian Cyber Security Centre's Threat Report 2016 demonstrates the scale of the cyberthreat to Australian organisations. Telecommunications networks are a key pathway for unauthorised interference by malicious actors. The report identifies that diverse state-based adversaries are attempting cyberespionage against Australian systems to satisfy strategic, operational and commercial intelligence requirements. It also acknowledges that the ongoing theft of intellectual property from Australian companies continues to pose significant challenges to the future competitiveness of Australia's economy.

The number, type and sophistication of cybersecurity threats to Australia and Australians are increasing. Australian businesses and organisations face a range of serious threats, from foreign state-sponsored adversaries to serious and organised criminals.

Compromise is expensive. It can include financial losses, damage to reputation, loss of intellectual property and disruption to business.

This is why it is so vital that the security and resilience of our telecommunications networks are maintained.

It is also why, after a broad public consultation, the bipartisan Parliamentary Joint Committee on Intelligence and Security recommended in 2013 that the government create a security framework for the telecommunications sector.

This committee also recommended establishing this security framework again in 2015 in the context of data-retention legislation. The reforms proposed in this bill will complement the data-retention regime by improving the security of networks as a whole and provide an additional layer of protection for retained data.

The reforms set out in the bill form part of the Australian Cyber Security Strategy, launched by the Prime Minister in April 2016. This reflects the particular importance of secure telecommunications networks to the functioning and wellbeing of Australian communities.

In June 2017, under the chairmanship of Andrew Hastie, the committee recommended that the bill be passed, subject to its recommendations being accepted. The committee's recommendations aim to provide greater clarity and certainty for industry, encouraging information sharing, and enhancing the transparency of the regime's operation.

Policy objectives of this bill

This bill builds on existing obligations in the Telecommunications Act 1997.

These reforms have been subject to extensive consultation over the past four years. Industry feedback through this process has shaped the detail of the proposed reforms. In particular, a number of key amendments have been made to the bill following the release of two exposure drafts for public consultation in mid and late 2015.

Strong industry government partnerships are critical to managing these threats and securing our most important systems. This bill will formalise the relationship between industry and government and ensure consistency, transparency and proper accountability for all parts of the telecommunications industry.

It will provide clarity around government's expectations on how national security risks to telecommunications networks are to be managed, and will provide more proportionate mechanisms for managing these risks.

The bill will not introduce a prescriptive legislative approach. Rapid changes in technology and service delivery mean a prescriptive approach would simply not be possible.

Overview of key measures

Amendments to the Telecommunications Act 1997 proposed in this bill will place an obligation on all carriers, carriage service providers and carriage service intermediaries to do their best to protect telecommunications networks and facilities from unauthorised interference and unauthorised access for the purpose of security.

This obligation will encourage companies to consider national security risks, such as espionage, sabotage and foreign interference risks to the confidentiality of information and communications, as well as the availability and integrity of telecommunications networks and facilities.

This obligation will be supported by new notification obligations, which are modelled on the existing notification regime in the Telecommunications (Interception and Access) Act 1979. Carriers and nominated carriage service providers will be required to notify changes to systems and services if the carrier or nominated carriage service provider becomes aware that a proposed change is likely to have a material adverse impact on their ability to meet the security obligations to protect networks and facilities from unauthorised access and interference.

Companies will also be given the opportunity to forecast changes to telecommunications systems in annual security capability plans.

Early notification to security agencies will allow them to provide advice at the planning stage and ensure security considerations are factored into the proposed design as early as possible in a cost-effective manner.

In line with the risk-based nature of these reforms, the notification regime includes an exemptions process. Following recommendations of the committee, the bill has been amended to include an application process for exemptions. This will reduce the regulatory burden on some companies and ensure that the resources of security agencies are targeted.

Establishment of a broader security framework

The regulatory model will be supported by a comprehensive administrative framework. The scheme relies on a 'light touch' approach to regulation and allows for meaningful collaboration and cooperation with industry to manage risks in a way that is satisfactory to both industry and government, without the government being too prescriptive and retaining flexibility for industry.

We recognise that telecommunications companies already make significant investments in security and have considerable technical expertise in mitigating and responding to threats.

This administrative framework is premised on a collaborative partnership with industry, involving increased engagement and information sharing with government agencies. Implementation will be based on a regime of industry consultation, advice and guidance.

The reforms recognise that security is a joint responsibility and this is why enhanced engagement between government and industry is at the heart of these reforms.

Safeguards built into the regulatory powers

New information gathering and directions powers provided for in this bill will only be used as a last resort.

Importantly, a number of safeguards are built into these regulatory powers to ensure their use is reasonably necessary.

For example, the Attorney-General can only issue a direction to a company after he or she has received an adverse security assessment from the Australian Security Intelligence Organisation recommending action and has considered the costs of the direction on the company, as well as broader market and competition effects.

In addition, a direction can only be made after consultation with the affected company and after the Attorney-General is satisfied that reasonable steps have been taken to negotiate an outcome in good faith.

A range of review rights will be available for companies to ensure proper accountability for decision-making.

Conclusion

This bill will ensure that businesses, individuals and the public sector can continue to rely on telecommunications networks to store and transmit their data safely and securely. It will promote informed risk management of national security concerns by providing industry with clarity and certainty of government expectations.

Importantly, it will not be prescriptive. It will allow industry the necessary flexibility to find the best and most innovative solutions. This will ensure the security and resilience of Australia's telecommunications infrastructure, as well as the competitiveness of the sector in a rapidly changing global market.

11:18 am

Mark Dreyfus (Isaacs, Australian Labor Party, Shadow Attorney General)

The Telecommunications and Other Legislation Amendment Bill 2017 amends the Telecommunications Act 1997 to introduce a regulatory framework for managing national security risks to Australia's telecommunications infrastructure. This bill puts in place a regulatory framework that will ensure that Australia's telecommunications networks and facilities are safe from national security risks of espionage, sabotage and foreign interference. Telecommunications companies are already voluntarily working with the government to ensure that Australia's critical infrastructure is safe from foreign interference, threats or espionage. This bill puts a framework around that working relationship to ensure both government and industry know what is expected and what is required to keep Australians safe and what is expected of them to ensure that these measures are taken.

The key elements of the bill include, firstly, establishing a security obligation applicable to all carriers and carriage service providers and intermediaries requiring them to do their best to protect their networks and facilities from unauthorised access and unauthorised interference.

Secondly, the bill includes requirements on carriers and nominated carriage service providers to notify the communications access coordinator of planned key changes to telecommunications services or systems that could compromise their ability to comply with the security obligation. Notifications can be provided in the form of either an individual notification or an annual security capability plan.

Thirdly, the bill provides the Attorney-General with a power to issue carriers and carriage service providers a direction requiring them to do or refrain from doing a specified thing in order to manage security risks.

Fourthly, the bill empowers the Secretary of the Attorney-General's Department to request information from carriers and carriage service providers to monitor compliance with the security obligation.

Fifthly, the bill expands the operation of existing civil enforcement mechanisms in the Telecommunications Act 1997 to address noncompliance with the obligations that are set out in the bill.

This bill is the result of several years of negotiation and cooperation between the government and the telecommunications industry. It implements the recommendations of separate inquiries by the Parliamentary Joint Committee on Intelligence and Security in 2013 and 2015. In 2013, the PJCIS examined the question of telecommunications security as part of its inquiry into potential reforms of Australia's national security legislation. The committee recommended that the government create a telecommunications sector security framework in recognition of the threats to Australia's national security that can be affected through telecommunications systems. In 2015, as part of the committee's inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the PJCIS again supported telecommunication sector security reforms and recommended that the government ensure that a framework be enacted before the end of the implementation of the data retention regime, which was in April this year.

These reforms were also subject to two rounds of public consultation on exposure draft legislation before the current bill was introduced to the Senate. The bill was introduced to the Senate on 9 November 2016 and immediately referred to the PJCIS for careful scrutiny and review. The PJCIS received eight submissions and four supplementary submissions from industry, government and academia. The PJCIS held public hearings on 16 February 2017 and on 23 March 2017 as well as a private briefing from relevant agencies in Canberra and visited Telstra's global operation centre in Melbourne. The PJCIS's advisory report on this bill made 12 recommendations for improvements to the bill, the explanatory memorandum and the administrative guidelines accompanying the bill. Subject to these 12 recommendations being implemented, the PJCIS recommended that the bill be passed.

Since September 2014, Labor has taken a bipartisan stance on all national security legislation introduced by the government. Labor has closely scrutinised all national security legislation through the mechanism of the PJCIS, which has made recommendations for improvements on all of the bills that the government has presented. These recommendations have all been accepted by the government. The recommendations that the PJCIS made on this bill include making clear what a company's security obligations are in circumstances where a company is providing or reselling an over-the-top service, where telecommunications infrastructure is used but not necessarily owned or operated by the company, where a company's infrastructure is located in a foreign country and used to provide services and carry or store information from Australian customers and where a company provides cloud computing and cloud storage solutions. The recommendations include making clear that the bill does not apply to certain broadcasters and a recommendation that the Attorney-General's Department work collaboratively with industry to ensure effective and regular information sharing, including threat information to aid industry compliance.

Further recommendations ask that the sorts of changes that require notification to the Communications Access Co-ordinator be made clear and recommend outlining the application process for exemptions from notification requirements; making clear that the bill does not affect the operation of existing legislated privacy obligations; specifying what must be included in the annual report presented to parliament; and making it clear that the Attorney-General will take into account whether the Communications Access Co-ordinator has complied with the applicable statutory time frames before issuing a direction.

A final group of recommendations suggested outlining the avenues available for industry to recover reasonable costs in certain circumstances; expanding the scope of the PJCIS's review of the data retention regime to include consideration of the security of offshore data that have been retained under the regime; introducing a new requirement that carriers and carriage service providers notify the Communications Access Co-ordinator of any new or amended offshoring arrangements; and, finally, introducing a new requirement that the PJCIS review the operation, effectiveness and implications of the reforms within three years.

Labor has consistently worked with the government to ensure that our security agencies have the powers they need to keep Australians safe. This bill will provide our security agencies with the powers and tools they need to protect our telecommunications networks from malicious actors. Without these reforms, the government, up until now, has had to rely on the goodwill of the telecommunications industry to voluntarily implement advice from security agencies. If telecommunications companies do not wish to implement the advice voluntarily, at present our security agencies do not have adequate levers to ensure that networks and facilities are safe.

The Attorney-General currently has the power to direct a carrier or carriage service provider to cease its services on security grounds where necessary. Due to the severe impact that the use of this power might have on innocent users of non-complying telecommunications companies, as well as on Australia's economy and telecommunications infrastructure, the power has never been used. This bill does not change the operation or effect of the existing power but does increase safeguards around the use of the power by adding a requirement that ASIO must have issued an adverse security assessment before it can be exercised and ensuring that a decision to issue a direction can be subject to judicial review.

The bill also grants the Attorney-General the power to direct a carrier or carriage service provider 'to do, or to refrain from doing, a specified act or thing' within a specified period to eliminate or reduce risks that are prejudicial to security. The types of things that the Attorney-General can direct a carrier or carriage service provider to do must be 'reasonably necessary' to reduce or eliminate the risk of unauthorised access or interference. There are a number of safeguards also around the use of this power. It cannot be exercised without an adverse security assessment, and the Attorney-General must be satisfied before issuing a direction that all reasonable steps have been taken to reach agreement and to consult the affected carrier or carriage service provider in good faith.

Industry stakeholders raised concerns about the threshold for issuing a direction, through the PJCIS inquiry into the bill. This concern was also raised by the Law Council of Australia in their submission on the exposure draft of the bill. The Law Council concluded that, as it was 'unclear whether a risk or prejudice to security must be substantial, likely, imminent or of severe potential impact before an adverse security assessment is issued', the threshold was not sufficiently transparent. The Law Council recommended that the exercise of the directions powers should only be permitted where there is a sufficient level of risk to security to justify the exercise of the powers. However, the Attorney-General's Department highlighted that lowering the threshold would undermine the purpose of the reforms:

… which is to encourage industry to engage early with Government to ensure any potential national security risks are appropriately mitigated before they become substantial and imminent.

The bill also empowers the Secretary of the Attorney-General's Department to request information that relates to security threats to carriers and carriage service providers and their intermediaries. The fact that currently industry is not obliged under law to share threat information with security agencies means that our agencies lack the visibility of potential threats.

This bill puts in place processes for information sharing, to ensure that agencies are aware of any threats to critical infrastructure. However, industry stakeholders raised concerns that the bill does not place an obligation on the government to proactively brief industry about possible threats and attacks. Optus noted that it would be challenging for industry to notify the government about possible vulnerabilities in their networks or infrastructure where industry may not be aware of a specific threat or risk information. The PJCIS agreed with these concerns and recommended that the Attorney-General's Department should collaborate with industry to ensure effective and regular information sharing—in particular, sharing threat information with industry.

A key issue that was raised through the PJCIS hearings related to the security of telecommunications data that is stored offshore. The Attorney-General's Department advised:

… the law does not currently compel telecommunications providers to tell the Government where retained data is stored.

The draft administrative guidelines for the bill note:

Offshoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia; this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised actions by third parties, such as theft of customer data or sabotage of the network.

Macquarie Telecom Australia raised concerns about the offshoring of data and stated that it considered it important that Australia retain sovereignty over certain types of information.

The PJCIS expressed concern in its advisory report on the bill that existing laws do not provide government with visibility about where and how data is being stored, and emphasised that it is critical that the Australian community can have confidence in the telecommunications sector—especially in the security of stored data. The PJCIS recommended that the committee's review of the Telecommunications (Interception and Access) Act be expanded to include consideration of the security of offshore telecommunications data that is retained by a service provider for the purpose of the data retention regime. It also recommended that the bill be amended to include, in relation to data retained under part 5-1A of the Telecommunications (Interception and Access) Act 1979, a specific obligation within the notification requirement in proposed section 314A to require carriers and carriage service providers to notify the Communications Access Coordinator of any new or amended offshoring arrangements.

Labor is pleased that the government has accepted all of the recommendations of the Parliamentary Joint Committee on Intelligence and Security for improvements to this bill and commends the bill and the amendments to the bill to the House.

Debate adjourned.