Wednesday, 9 November 2016
Telecommunications and Other Legislation Amendment Bill 2016; Second Reading
That this bill be now read a second time.
I seek leave to have the second reading speech incorporated in Hansard.
The speech read as follows—
The Telecommunications and Other Legislation Amendment Bill 2016 will amend the Telecommunications Act 1997 and related legislation to strengthen the security of Australia's telecommunications networks.
National security threats to the telecommunications sector
Australia's telecommunications networks are the critical infrastructure that enables all of us to conduct business and to go about our everyday lives online. Australia's economic prosperity and wellbeing are increasingly dependent on telecommunications networks and the data that flows across them.
Cyber threats to Australia are persistent, whether they arise from sabotage, espionage, serious and organised crime, or other technology-enabled crime. Espionage and clandestine foreign interference activity against Australian interests is extensive.
The Australian Cyber Security Centre's Threat Report 2016 demonstrates the scale of the cyber threat to Australian organisations. Telecommunications networks are a key pathway for unauthorised interference by malicious actors. The Report identifies that diverse state-based adversaries are attempting cyber espionage against Australian systems to satisfy strategic, operational and commercial intelligence requirements. It also acknowledges that the ongoing theft of intellectual property from Australian companies continues to pose significant challenges to the future competitiveness of Australia's economy.
The number, type and sophistication of cyber security threats to Australia and Australians are increasing. Australian businesses and organisations face a range of serious threats, from foreign state-sponsored adversaries to serious and organised criminals.
Compromise is expensive. It can include financial losses, damage to reputation, loss of intellectual property and disruption to business.
Indeed, the former director of the United States National Security Agency, General Keith Alexander, argued that "ongoing cyber-thefts from the networks of public and private organisations…represent the greatest transfer of wealth in human history."
This is why it is so vital that the security and resilience of our telecommunications networks are maintained.
It is also why, after a broad public consultation, the bipartisan Parliamentary Joint Committee on Intelligence and Security recommended in 2013 that the Government create a security framework for the telecommunications sector.
This Committee also recommended establishing this security framework again in 2015 in the context of data retention legislation. The reforms proposed in this Bill will complement the data retention regime by improving the security of networks as a whole and provide an additional layer of protection for retained data.
The reforms are referenced in the Australian Cyber Security Strategy, launched by the Prime Minister in April 2016. This reflects the particular importance of secure telecommunications networks to the functioning and well-being of Australian communities.
This is an issue being considered by a number of governments across the globe. Similar regimes are already in place in the United Kingdom, Germany, Singapore and New Zealand.
Policy objectives of this Bill
This Bill builds on existing obligations in the Telecommunications Act 1997.
These reforms have been subject to extensive consultation processes over the past four years. Industry feedback through these processes has shaped the detail of the proposed reforms. In particular, a number of key amendments have been made to the Bill following the release of two exposure drafts for public consultation in mid and late 2015.
Strong industry-government partnerships are critical to managing these threats and securing our most important systems. This Bill will formalise the relationship between industry and government and ensure consistency, transparency and proper accountability for all parts of the telecommunications industry.
It will provide clarity around government's expectations on how national security risks to telecommunications networks are to be managed and provide more proportionate mechanisms for managing these risks.
The Bill will not introduce a prescriptive legislative approach. Rapid changes in technology and service delivery mean a prescriptive approach would simply not be possible.
Overview of key measures
Amendments to the Telecommunications Act 1997 proposed in this Bill will place an obligation on all carriers, carriage service providers and carriage service intermediaries to do their best to protect telecommunications networks and facilities from unauthorised interference and unauthorised access for the purpose of security.
This obligation will encourage companies to consider national security risks, such as espionage, sabotage and foreign interference risks to the confidentiality of information and communications, as well as the availability and integrity of telecommunications networks and facilities.
This obligation will be supported by new notification obligations, which are modelled on the existing notification regime in the Telecommunications (Interception and Access) Act 1979. Carriers and nominated carriage service providers will be required to notify changes to systems and services if the carrier or nominated carriage service provider becomes aware that a proposed change is likely to have a material adverse effect on their ability to meet the security obligation to protect networks and facilities from unauthorised access and interference.
Companies will also be given the opportunity to forecast changes to telecommunications systems in annual security capability plans.
Early notification to security agencies will allow them to provide advice at the planning stage and ensure security considerations are factored into the proposal design as early as possible in a cost effective manner.
In line with the risk-based nature of these reforms, the notification regime includes an exemptions process. This will reduce the regulatory burden on some companies and ensure that the resources of security agencies are targeted.
Establishment of a broader security framework
The regulatory model will be supported by a comprehensive administrative framework. The scheme relies on a 'light touch' approach to regulation to allow for meaningful collaboration and cooperation with industry to manage risks in a way that is satisfactory to both industry and government, without the government being too prescriptive and retaining flexibility for industry.
The Government recognises that telecommunications companies already make significant investments in security and have considerable technical expertise in mitigating and responding to threats.
This administrative framework is premised on a collaborative partnership with industry, involving increased engagement and information sharing with government agencies. Implementation will be based on a regime of industry consultation, advice and guidance.
The reforms recognise that security is a joint responsibility and this is why enhanced engagement between government and industry is at the heart of these reforms.
Safeguards built into the regulatory powers
New information gathering and directions powers provided for in this Bill will only be used as a last resort.
Importantly, a number of safeguards are built into these regulatory powers to ensure their use is reasonably necessary.
For example, the Attorney-General can only issue a direction to a company after he or she has received an adverse security assessment from the Australian Security Intelligence Organisation recommending action and has considered the costs of the direction on the company, as well as broader market and competition effects.
In addition, a direction can only be made after consultation with the affected company and after the Attorney-General is satisfied that reasonable steps have been taken to negotiate an outcome in good faith.
A range of review rights will be available for companies to ensure proper accountability for decision making.
This Bill will ensure that businesses, individuals and the public sector can continue to rely on telecommunications networks to store and transmit their data safely and securely. It will promote informed risk management of national security concerns by providing industry with clarity and certainty of government expectations.
Importantly, it will not be prescriptive. It will allow industry the necessary flexibility to find the best and most innovative solutions. This will ensure the security and resilience of Australia's telecommunications infrastructure, as well as the competitiveness of the sector in a rapidly changing global market.
Ordered that further consideration of the second reading of this bill be adjourned to the first sitting day of the next period of sittings, in accordance with standing order 111.