Senate debates

Monday, 14 August 2017

Bills

Telecommunications and Other Legislation Amendment Bill 2016; Second Reading

10:48 am

Jenny McAllister (NSW, Australian Labor Party)

Australia faces evolving national security threats to our critical infrastructure in an increasingly uncertain international environment. This includes the risk of espionage, sabotage and foreign interference with our telecommunications infrastructure, and this is the subject of this bill.

As stated in the explanatory memorandum, telecommunications networks, systems and facilities are critical infrastructure, and they are vital to the delivery and support of other critical infrastructure and services such as power, water and health. The telecommunications sector also forms the backbone of other sectors such as energy, banking and finance. To quote the explanatory memorandum:

A serious compromise of the telecommunications sector would have a cascading effect on other critical infrastructure sectors and significantly impact the Australian economy.

Our telecommunications companies are already voluntarily working with the government to ensure that Australia's critical infrastructure is safe from foreign interference, threats or espionage. This bill puts a framework around that working relationship to ensure that both government and industry know what is required to keep Australians safe and what is expected of them to ensure that these measures are taken. It also protects against the possibility that such goodwill may not be voluntarily forthcoming from all telecommunication companies at some future point. The explanatory memorandum is explicit about the regulatory approach. The proposed regulatory framework recognises the value of a formal relationship between government and industry but, importantly, it aims to achieve national security outcomes on a cooperative basis rather than through the formal exercise of regulatory powers.

This bill is the result of several years of negotiation and cooperation between the government and the telecommunications industry, arising from a broader review of national security issues by the previous Labor government in 2012. It implements the recommendations of two separate inquiries by the PJCIS in 2013 and 2015. In 2013, the PJCIS examined telecommunications security as part of its inquiry into potential reforms of Australia's national security legislation. It was recommended that the government create a telecommunications security framework in recognition of threats to Australia's national security that can be effected through the telecommunications system. In 2015, as part of its inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill, the PJCIS again supported telecommunications sector security reforms and recommended that the government ensure that a framework be enacted prior to the implementation of the data retention regime. That was in April this year. These reforms were also subject to two rounds of public consultation on exposure draft legislation.

This bill seeks to provide a proportionate and escalating framework for addressing national security risks. It seeks to strengthen existing arrangements, including information sharing between government and industry. It seeks to provide increased visibility to government of national security risks and to provide greater certainty for industry about government expectations with respect to protecting networks and facilities from unauthorised interference and unauthorised access. The key elements of the bill include establishing a security obligation applicable to all carriers and carriage service providers and intermediaries, requiring them to do their best to protect their networks and facilities from unauthorised access and interference. It requires carriers and nominated carriage service providers to notify the communications access coordinator of planned key changes to telecommunications services or systems that could compromise their ability to comply with this security obligation, and notifications may be provided in the form of either an individual notification or an annual security capability plan. It provides the Attorney-General with the power to issue carriers or carriage service providers with a direction requiring them to do, or refrain from doing, a specified thing in order to manage security risks. It empowers the Secretary of the Attorney-General's Department to request information from carriers and carriage service providers to monitor their compliance with the security obligation, and it expands the operation of existing civil enforcement mechanisms in the Telecommunications Act 1997 to address noncompliance with the obligations set out in the bill.

As I noted earlier, the bill is the result of a process that was commenced by the former Labor government in 2012, and Labor has worked consistently with government to ensure our security agencies have the powers they need to keep Australians safe. This bill will provide our security agencies with the powers and tools they need to ensure that our telecommunications networks are protected from malicious actors. We take a bipartisan stance on national security legislation. In this context, we closely scrutinise all national security legislation through the Parliamentary Joint Committee on Intelligence and Security.

The bill was introduced to the Senate on 9 November 2016 and was referred to the PJCIS for scrutiny and review. The committee received eight submissions and four supplementary submissions from industry, government and academia. The PJCIS held two public hearings on 16 February 2017 and one public hearing on 23 March 2017 as well as receiving private briefings from relevant agencies in Canberra. The committee has also recently visited Telstra's Global Operations Centre in Melbourne.

The PJCIS's report on this bill made 12 substantive recommendations for improvements to the bill, to the explanatory memorandum and to the administrative guidelines that accompany the bill. Subject to these 12 recommendations being implemented, the committee recommended that the bill be passed. Labor supports the PJCIS recommendations, as we believe they improve the operation of the bill. We note that the government has also agreed to all of these recommendations.

I'd like to briefly discuss the recommendations and their effect on certain elements of the bill. Under existing legislation, the Attorney-General has the power to direct a carrier or a carriage service provider to cease its services on security grounds. This power has never been exercised. As acknowledged in the bill's explanatory memorandum, the use of this power as presently drafted may have a severe impact on innocent users of non-complying telecommunications companies as well as on Australia's economy and telecommunications infrastructure. Appropriately, this bill increases the safeguards around the use of that power. It adds a requirement that ASIO must have issued an adverse security assessment before it can be exercised and it ensures that a decision to issue a direction can be subject to judicial review.

To provide the possibility of a more proportionate response, the bill also grants the Attorney-General the power to direct a carrier or a carriage service provider to do or to refrain from doing a specified act or thing within a specified period to eliminate or reduce risks that are prejudicial to security. The types of things that the Attorney-General can direct a carrier or a carriage service provider to do must be reasonably necessary to reduce or eliminate the risk of unauthorised access or interference. There are also a number of safeguards around the use of this power. It cannot be exercised without an adverse security assessment, and the Attorney-General must be satisfied before issuing a direction that all reasonable steps have been taken to reach agreement between the government and the provider and to consult the affected carrier or carriage service provider in good faith. At recommendation 8 of its report, the PJCIS recommended that it be made clear that the Attorney-General will take into account whether the Communications Access Coordinator has complied with the applicable statutory time frame prior to issuing a direction. And, as I indicated earlier, the government has accepted that recommendation.

During the PJCIS inquiry, industry stakeholders raised concerns that the bill did not place an obligation on the government to proactively brief industry about possible threats and attacks. In their submission, Optus noticed that it would be challenging for industry to notify the government about possible vulnerabilities in their networks or infrastructure when industry may not be aware of specific threat or risk information. While noting that government already has a range of mechanisms to collaborate with industry, the PJCIS recommended that the Attorney-General's Department work collaboratively with industry to further develop this and to ensure effective and regular information sharing—in particular, sharing threat information with industry.

A key issue that was raised through the PJCIS hearings relates to the security of retained telecommunications data that is stored offshore. The Attorney-General's Department advised that the law does not currently compel telecommunications providers to tell the government where retained data is stored. The draft administrative guidelines for the bill note:

Offshoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia, this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised actions by third parties, such as theft of customer data or sabotage of the network.

The PJCIS expressed concern in its report on the bill that existing laws do not provide government with visibility about where and how data is being stored and emphasised that it is critical that the Australian community can have confidence in the telecommunications sector, especially the security of stored data. Pleasingly, the government has accepted the associated recommendation, specifically recommendation 10, where the PJCIS recommended that their review of the Telecommunications (Interception and Access) Act be expanded to include consideration of the security of offshore telecommunications data that is retained by a service provider for the purpose of the data-retention regime.

I note also recommendation 11, which recommends the bill be amended to include, in relation to that retained data, a specific obligation within the notification requirement in proposed section 314A to require carriers and carriage service providers to notify the communications access coordinator of any new or amended offshoring arrangements.

During the course of the PJCIS inquiry, the committee heard feedback from stakeholders about the scope and application of the bill, including concerns regarding which provisions, if any, should apply to providers of over-the-top services. At recommendations 1, 2, 4 and 5 of its report, the committee suggested amendments that address these questions around scope and application, including to make clear what a company's security obligations are in circumstances where a company is providing or selling an over-the-top service, where telecommunications infrastructure is used but not necessarily owned or operated by the company, where a company's infrastructure is located in a foreign country and uses its services to carry or store information from Australian customers or where a company provides cloud computing and cloud storage solutions. The recommendations also seek to put in place arrangements to make clear that the bill does not apply to certain broadcasters, to clarify the sorts of changes that require notifications to the communications access coordinator and to outline the application process for exemptions from notification requirements. These have been accepted by the government.

Finally, at recommendations 6, 7, 9 and 12 of its report, the committee recommended a number of accountability measures. These recommendations include making it clear that the bill does not affect the operation of existing legislated privacy; clarifying the reporting requirement to parliament, including those matters which must be addressed in the report; outlining the avenues available for industry to recover reasonable costs in certain circumstances; expanding the scope of PJCIS's review of the data retention regime; and introducing a new requirement that PJCIS review the operation, effectiveness and implications of these reforms within three years. These recommendations, which again have been accepted by the government, supplement the measures already enabled by the bill, including the ability for carriers and carriage service providers to seek merits review before the Administration Appeals Tribunal, where an ASIO adverse security assessment has been made.

Labor is pleased that the government has accepted all the recommendations of the PJCIS for improvements to this bill and commends the bill to the Senate.
