Senate debates

Monday, 14 August 2017

Bills

Telecommunications and Other Legislation Amendment Bill 2016; Second Reading

10:48 am

Jenny McAllister (NSW, Australian Labor Party)

Australia faces evolving national security threats to our critical infrastructure in an increasingly uncertain international environment. This includes the risk of espionage, sabotage and foreign interference with our telecommunications infrastructure, and this is the subject of this bill.

As stated in the explanatory memorandum, telecommunications networks, systems and facilities are critical infrastructure, and they are vital to the delivery and support of other critical infrastructure and services such as power, water and health. The telecommunications sector also forms the backbone of other sectors such as energy, banking and finance. To quote the explanatory memorandum:

A serious compromise of the telecommunications sector would have a cascading effect on other critical infrastructure sectors and significantly impact the Australian economy.

Our telecommunications companies are already voluntarily working with the government to ensure that Australia's critical infrastructure is safe from foreign interference, threats or espionage. This bill puts a framework around that working relationship to ensure that both government and industry know what is required to keep Australians safe and what is expected of them to ensure that these measures are taken. It also protects against the possibility that such goodwill may not be voluntarily forthcoming from all telecommunication companies at some future point. The explanatory memorandum is explicit about the regulatory approach. The proposed regulatory framework recognises the value of a formal relationship between government and industry but, importantly, it aims to achieve national security outcomes on a cooperative basis rather than through the formal exercise of regulatory powers.

This bill is the result of several years of negotiation and cooperation between the government and the telecommunications industry, arising from a broader review of national security issues by the previous Labor government in 2012. It implements the recommendations of two separate inquiries by the PJCIS in 2013 and 2015. In 2013, the PJCIS examined telecommunications security as part of its inquiry into potential reforms of Australia's national security legislation. It was recommended that the government create a telecommunications security framework in recognition of threats to Australia's national security that can be effected through the telecommunications system. In 2015, as part of its inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill, the PJCIS again supported telecommunications sector security reforms and recommended that the government ensure that a framework be enacted prior to the implementation of the data retention regime. That was in April this year. These reforms were also subject to two rounds of public consultation on exposure draft legislation.

This bill seeks to provide a proportionate and escalating framework for addressing national security risks. It seeks to strengthen existing arrangements, including information sharing between government and industry. It seeks to provide increased visibility to government of national security risks and to provide greater certainty for industry about government expectations with respect to protecting networks and facilities from unauthorised interference and unauthorised access. The key elements of the bill include establishing a security obligation applicable to all carriers and carriage service providers and intermediaries, requiring them to do their best to protect their networks and facilities from unauthorised access and interference. It requires carriers and nominated carriage service providers to notify the communications access coordinator of planned key changes to telecommunications services or systems that could compromise their ability to comply with this security obligation, and notifications may be provided in the form of either an individual notification or an annual security capability plan. It provides the Attorney-General with the power to issue carriers or carriage service providers with a direction requiring them to do, or refrain from doing, a specified thing in order to manage security risks. It empowers the Secretary of the Attorney-General's Department to request information from carriers and carriage service providers to monitor their compliance with the security obligation, and it expands the operation of existing civil enforcement mechanisms in the Telecommunications Act 1997 to address noncompliance with the obligations set out in the bill.

As I noted earlier, the bill is the result of a process that was commenced by the former Labor government in 2012, and Labor has worked consistently with government to ensure our security agencies have the powers they need to keep Australians safe. This bill will provide our security agencies with the powers and tools they need to ensure that our telecommunications networks are protected from malicious actors. We take a bipartisan stance on national security legislation. In this context, we closely scrutinise all national security legislation through the Parliamentary Joint Committee on Intelligence and Security.

The bill was introduced to the Senate on 9 November 2016 and was referred to the PJCIS for scrutiny and review. The committee received eight submissions and four supplementary submissions from industry, government and academia. The PJCIS held two public hearings on 16 February 2017 and one public hearing on 23 March 2017 as well as receiving private briefings from relevant agencies in Canberra. The committee has also recently visited Telstra's Global Operations Centre in Melbourne.

The PJCIS's report on this bill made 12 substantive recommendations for improvements to the bill, to the explanatory memorandum and to the administrative guidelines that accompany the bill. Subject to these 12 recommendations being implemented, the committee recommended that the bill be passed. Labor supports the PJCIS recommendations, as we believe they improve the operation of the bill. We note that the government has also agreed to all of these recommendations.

I'd like to briefly discuss the recommendations and their effect on certain elements of the bill. Under existing legislation, the Attorney-General has the power to direct a carrier or a carriage service provider to cease its services on security grounds. This power has never been exercised. As acknowledged in the bill's explanatory memorandum, the use of this power as presently drafted may have a severe impact on innocent users of non-complying telecommunications companies as well as on Australia's economy and telecommunications infrastructure. Appropriately, this bill increases the safeguards around the use of that power. It adds a requirement that ASIO must have issued an adverse security assessment before it can be exercised and it ensures that a decision to issue a direction can be subject to judicial review.

To provide the possibility of a more proportionate response, the bill also grants the Attorney-General the power to direct a carrier or a carriage service provider to do or to refrain from doing a specified act or thing within a specified period to eliminate or reduce risks that are prejudicial to security. The types of things that the Attorney-General can direct a carrier or a carriage service provider to do must be reasonably necessary to reduce or eliminate the risk of unauthorised access or interference. There are also a number of safeguards around the use of this power. It cannot be exercised without an adverse security assessment, and the Attorney-General must be satisfied before issuing a direction that all reasonable steps have been taken to reach agreement between the government and the provider and to consult the affected carrier or carriage service provider in good faith. At recommendation 8 of its report, the PJCIS recommended that it be made clear that the Attorney-General will take into account whether the Communications Access Coordinator has complied with the applicable statutory time frame prior to issuing a direction. And, as I indicated earlier, the government has accepted that recommendation.

During the PJCIS inquiry, industry stakeholders raised concerns that the bill did not place an obligation on the government to proactively brief industry about possible threats and attacks. In their submission, Optus noticed that it would be challenging for industry to notify the government about possible vulnerabilities in their networks or infrastructure when industry may not be aware of specific threat or risk information. While noting that government already has a range of mechanisms to collaborate with industry, the PJCIS recommended that the Attorney-General's Department work collaboratively with industry to further develop this and to ensure effective and regular information sharing—in particular, sharing threat information with industry.

A key issue that was raised through the PJCIS hearings relates to the security of retained telecommunications data that is stored offshore. The Attorney-General's Department advised that the law does not currently compel telecommunications providers to tell the government where retained data is stored. The draft administrative guidelines for the bill note:

Offshoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia, this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised actions by third parties, such as theft of customer data or sabotage of the network.

The PJCIS expressed concern in its report on the bill that existing laws do not provide government with visibility about where and how data is being stored and emphasised that it is critical that the Australian community can have confidence in the telecommunications sector, especially the security of stored data. Pleasingly, the government has accepted the associated recommendation, specifically recommendation 10, where the PJCIS recommended that their review of the Telecommunications (Interception and Access) Act be expanded to include consideration of the security of offshore telecommunications data that is retained by a service provider for the purpose of the data-retention regime.

I note also recommendation 11, which recommends the bill be amended to include, in relation to that retained data, a specific obligation within the notification requirement in proposed section 314A to require carriers and carriage service providers to notify the communications access coordinator of any new or amended offshoring arrangements.

During the course of the PJCIS inquiry, the committee heard feedback from stakeholders about the scope and application of the bill, including concerns regarding which provisions, if any, should apply to providers of over-the-top services. At recommendations 1, 2, 4 and 5 of its report, the committee suggested amendments that address these questions around scope and application, including to make clear what a company's security obligations are in circumstances where a company is providing or selling an over-the-top service, where telecommunications infrastructure is used but not necessarily owned or operated by the company, where a company's infrastructure is located in a foreign country and uses its services to carry or store information from Australian customers or where a company provides cloud computing and cloud storage solutions. The recommendations also seek to put in place arrangements to make clear that the bill does not apply to certain broadcasters, to clarify the sorts of changes that require notifications to the communications access coordinator and to outline the application process for exemptions from notification requirements. These have been accepted by the government.

Finally, at recommendations 6, 7, 9 and 12 of its report, the committee recommended a number of accountability measures. These recommendations include making it clear that the bill does not affect the operation of existing legislated privacy; clarifying the reporting requirement to parliament, including those matters which must be addressed in the report; outlining the avenues available for industry to recover reasonable costs in certain circumstances; expanding the scope of PJCIS's review of the data retention regime; and introducing a new requirement that PJCIS review the operation, effectiveness and implications of these reforms within three years. These recommendations, which again have been accepted by the government, supplement the measures already enabled by the bill, including the ability for carriers and carriage service providers to seek merits review before the Administrative Appeals Tribunal, where an ASIO adverse security assessment has been made.

Labor is pleased that the government has accepted all the recommendations of the PJCIS for improvements to this bill and commends the bill to the Senate.

11:02 am

Nick McKim (Tasmania, Australian Greens)

The Greens have been standing firmly against the government's agenda of warrantless, mass surveillance of Australian people for over five years. We have been standing up for basic human rights of Australian citizens—rights like privacy and correspondence without arbitrary or unlawful interference. Throughout this time, both the coalition and Labor governments, locked in zombie lock step, have engaged in a continual barrage of attacks against the rights of the Australian people. Both the establishment parties have stood united in their disregard for human rights, using fearmongering about national security as an excuse to continually strip back the rights of ordinary Australian people. The telecommunications sector security reforms, the TSSR, proposed in Telecommunications and Other Legislation Amendment Bill 2016 require telecommunications carriers and carriage service providers to detect telecommunications infrastructure in the national interest.

The office of the Attorney-General have the power to collect any type of information from telcos and, in turn, share this information with the AFP and third parties. Without clear guidelines as to the types of data that constitute any information, this legislation extends beyond the existing metadata creation, retention and disclosure regime. Even with the addition of clear guidelines, this legislation still represents duplication of the data retention scheme and for the same purpose. The Greens do not support this dragnet surveillance of Australians under either scheme.

A key difference under this new legislation is the government's attempt at having no defined reporting obligations. While the Attorney-General will be able to choose to collect and access private communications metadata under the TSSR, he had no intention of being held accountable to the same checks and balances, such as they are, that are in place for the metadata creation, retention and disclosure regime. Metadata collection under the TSSR does not require authorisation or notification, and the Commonwealth Ombudsman is not granted oversight powers. But, even with the clarifications of these reporting obligations under today's amendments, what guarantee do we have in this place that the Attorney-General will choose to honour them?

Today I was going to give notice of a motion for the Attorney-General to produce the Telecommunications (Interception and Access) Act annual report for 2015-16. This is the report in which the Attorney-General sets out the extent and circumstances in which eligible Commonwealth, state and territory government agencies have used the powers available under TIA Act. This is the report in which the Attorney-General tells us about the government's data retention activities for the first time. So imagine my surprise when this report was tabled this morning—at one minute to midnight: only minutes before the start of this debate in the Senate. I have seen attorneys-general in the Tasmanian parliament and the Commonwealth parliament treat parliaments with contempt on a number of occasions, but I tell you what: this one just about takes the cake. This is a ridiculous and insulting action for the Attorney-General to take, in withholding this report until, as I said, one minute to midnight—just minutes before the start of this debate today. I want to place on the record that the timing of the Attorney-General tabling this report in the Senate this morning was clearly designed to prevent this Senate from having the opportunity to analyse the information and data in that report and use that information and data to inform our position on this legislation and our contributions on this legislation—an utter disgrace from the Attorney-General.

As the new data retention obligations came into effect on October 2015, that report is the first report from the Attorney-General that includes the new obligations under the data retention act. He has deliberately held back on fulfilling his reporting obligations in a timely way, and yet here he is asking for more open-ended, obligation-free access to the private communications of the Australian people. There had been two whole years of telecommunications interception and access with zero reporting and, therefore, zero government accountability until today. The Attorney-General has held back the vital reporting on the new data retention obligations until, as I say, one minute to midnight, in an attempt to ensure that this Senate remains in ignorance about the matters contained in that report.

We have, however, had time to review the Commonwealth Ombudsman's report on monitoring of agency access to stored communications and telecommunications data for 2015-16. And what a concerning picture that report paints. It is a picture of non-compliance in record-keeping provisions and warrant conditions and restrictions from several agencies, the worst being from the Australian Customs and Border Protection Service, as they then were. Customs were found to be non-compliant or were unable to demonstrate compliance across each of the Ombudsman's inspection criteria. Customs did not have processes in place to demonstrate that they were following regulations relating to lawfully accessing, managing and keeping records of access to communications data, and the ombudsman's report indicated that they were not cooperative or frank for the inspection. That is yet another damning indictment of the now Department of Immigration and Border Protection under the bumbling, incompetent minister for immigration, Mr Dutton. Customs did not have processes in place to demonstrate, as I said, that they were lawfully accessing communications data. There were also a number of instances of warrants being exercised by a person who was not authorised across other departments, including the AFP.

This legislation that we are currently debating also gives power to the Attorney-General to direct telcos to do or to not do something to their networks in the name of national security. It is easy to understand why this is making carriers and service providers uncomfortable. The Attorney-General and the coalition government have proven time and time again that they are digitally illiterate. We have seen their ridiculous demands for access to encrypted communications, and when you add that to their long list of spectacular government system failures—the census fail, the robo-debt fail, the Centrelink and Medicare data links fail and, of course, the rollout of a substandard NBN—it paints a very concerning picture about this government's digital literacy. Let's be clear, just about every computer system the government touch turns to hashtag #fail. This government have shown that, without a doubt, they cannot be trusted to keep government networks and systems safe and secure, so why on earth would we in this place give them the power to dictate network security to the private sector as well?

The industry associations are also concerned that they could face very high costs to rebuild existing networks without limitations on the requirement for carriers and service providers to retrofit or remove existing facilities. The legislation also forces telcos to inform the government of changes to their networks. The joint submission from the telecommunications industry associations to the PJCIS warned:

… the onerous nature of the compliance requirements will act to hamper the responsiveness of … cyber threats—

as well as:

… divert scarce resources away from investing directly in addressing cyber security threats …

They also highlight the prescriptive and one-sided nature of this legislation, and point to more collaborative approaches used in places like the US, the UK and Canada. The US's cyber security act creates a framework for the voluntary sharing of cyber threat information between private entities and the federal government, with the goal of exchanging cyber threat information rapidly and responsibly. It also contains measures to protect privacy by ensuring personal information is not unnecessarily divulged. The UK's National Cyber Security Strategy also employs a far more collaborative approach, in which the government shares threat information with industry and provides advice and guidance to industry on managing risks.

The industry associations note:

… policy makers and Government should give considerable weight to the expertise of network providers in designing and safeguarding their networks and the clear commercial incentive that exists in a highly competitive sector to drive security by design in network architecture to ensure operational reliability and customer trust and loyalty.

'Trust' and 'loyalty': these are not terms that can be attributed to customers of the NBN or of online government systems at the moment, due to the government's epic fails in a range of areas that I have pointed out in this speech.

Industry associations describe this legislation as 'onerous', 'excessive' and 'one-sided'. They warn that the TSSR regime will not be adaptable or flexible enough to tackle risks that will emerge. Much like this government, it will not be agile enough to meet the challenges of the 21st century. Much like this government, it is out of step and, at the same time, it is a massive overreach. It places excessive and onerous demands and obligations on telecommunications companies, demands which are likely to put infrastructure at greater risk. It puts Australians in a position where they will have their rights to privacy stripped away without their knowledge and to no benefit in terms of the public good. It does all this with no obligations for the government to share information of threats with companies or to provide transparency of their actions to Australians.

The Australian Greens have been opposing this government's flagrant disregard for human rights to privacy and its agenda of warrantless mass surveillance of Australian citizens for more than five years, and we have been opposing it no matter what the political stripe of the government of the day. As we have done, we will continue to do by opposing this legislation. We oppose the Attorney-General collecting, storing and accessing Australians' private communications information under any scheme. We oppose the Attorney-General having a choice of schemes whereby he can pick or choose the rules and guidelines under which he accesses this private information. We oppose the Attorney-General, who has more than proven his digital illiteracy on a number of occasions, being in a position to tell telcos and ISPs how to make their networks 'more secure', likely, we point out, actually making them less secure in the process. We oppose these privileges being granted to the Attorney-General when he has already been shown to be prepared to deliberately hold back on fulfilling his reporting obligations under the existing metadata creation, retention and disclosure regime.

We oppose the government's onerous, excessive, one-sided plan to put Australian telecommunications infrastructure at risk by further imposing their incompetence on the Australian telecommunications industry. And we once again urge Australians to stand up and protect their rights to privacy as the government has shown it is not prepared to do and, in fact, that the government has demonstrated it has utter disregard for.

Why is the Attorney-General tabling the Telecommunications (Interception and Access) Act 1979 report only minutes prior to this bill being debated? Just as pertinent, when can we expect the report for the year 2016-17 to be tabled? The 2015-16 one was over a year overdue, so when are we going to get the 2016-17 report? How does the government respond to the industry associations' concerns that the underlying approach of this bill is flawed and that it is more likely to make Australian telecommunications networks less secure due to the one-sided, onerous and excessive nature of obligations for carriers and carrier service providers that constitute the massive overreach contained in this legislation? And why is the government seeking to duplicate data retention under this scheme and how will the overlapping and duplicated schemes and data be handled?

In conclusion, we have zero confidence in this government's capacity to oversee the scheme that this legislation proposes to create, because the government has shown, time after time, that they are digitally illiterate, that they treat their reporting requirements to this parliament with utter contempt and that they simply cannot be trusted to run computer systems and networks securely and to protect the private data of Australians in the 21st century.

11:18 am

David Fawcett (SA, Liberal Party)

I rise to make a few brief comments about the Telecommunications and Other Legislation Amendment Bill 2016 and I do so as a member of the Parliamentary Joint Committee on Intelligence and Security which considered this bill in detail and, indeed, engaged with not only the industry players that Senator McKim has just referred to but also the government agencies that came before the government highlighting the requirement for this legislation.

The first thing I would like to point out, particularly following Senator McKim's points which go very much to the ideology of the Greens in opposing any attempt by the government to make sure that our community continues to be safe, is his conflation of two issues. He mentions, on a number of occasions, data retention as though this bill is intending to extend or somehow change the data retention requirements. In actual fact, the intent of this bill is to better manage national security risks to the telecommunications networks from espionage, sabotage and foreign interference. What the bill is looking to do is extend the work that Australia has been doing with industry over a number of years on the systems that we rely on, whether it be industry in their own business, the general public, government or security agencies. All of us now are enabled through data, whether it is on your mobile phone or on computer networks in your office. Data and telecommunications are essential, and, if we are to remain both secure economically in terms of espionage and secure from a national security perspective in terms of espionage against the state, as in government information and secrets, then we need to make sure that the system that transports that information is secure. The one reference in this bill to data retention is not about expanding and duplicating the scheme. The intent of it is saying, 'If, in your data retention obligations, you have offshored or you plan to make changes, you need to advise the government of the fact that you're making changes to a regime which is a critical part of our national security infrastructure.' There's a deliberate attempt by the Greens in this debate today to conflate these two issues. This bill is about making sure that the whole network that we all rely on is and remains secure.

In fact, the evidence taken by the PJCIS and consequently our recommendations go to address some of the concerns that have been raised around things like the transparency of information and the degree of communication from government to industry. Our recommendations say: if government becomes aware of a particular threat that industry should be taking cognisance of and where they should be acting to prevent an intrusion or a weakness in our telecommunications system, then government needs to be sharing that information more transparently with industry. In fact, this bill is about increasing the amount of cooperation and transparency between government and industry to make sure that, when we see threats, we work with industry to address them and that, when industry make changes to their networks, to the physical architecture or the contractual arrangements, which might expose Australians' information to threat, they advise government of that so that we can collaboratively work on keeping Australians safe.

My colleague Senator McAllister has stepped through a number of the details of the bill, so I'm not going to repeat all of that. There has been a bipartisan position reached on this. I just want to highlight the fact that there are two key elements where this government has been working, by and large in bipartisan cooperation with the opposition, to make sure that Australians remain safe. That's in terms of national security and countering the terrorist threat in particular but also from the economic perspective. I will start with the latter: Lloyd's, one of the world's largest insurance companies, estimates that the threat to the Australian economy is in the order of $16 billion over the next decade from cyberattack and espionage. We are under constant cyberattack, particularly from international players—and also, potentially, some domestically. Sydney actually ranks 12th of the world's major financial centres in terms of the degree of risk. Around $4.8 billion is the potential loss if cybersecurity is not taken seriously.

Whilst companies can take individual steps, the network upon which data is passed is key in terms of making sure that that data is safe. The particular company can take all the measures they like, but, if the pathways upon which that data is transmitted are not secure, then all the efforts an individual company may have made come to naught. That is why we are focused on making sure from an economic perspective that the networks are secure; hence this bill to increase the security framework of our telecommunications networks. The recommendations made by the committee were particularly to address some of the concerns that were raised by industry during the hearings. The government has chosen to accept all of the recommendations from the committee, and they form the basis of what is before the Senate today.

On the national security side, the integrity of our telecommunications system is important not only to stop intrusion but also for things like the data retention provisions. Data retention has been used for many years in Australia. It doesn't matter whether you are dealing with child pornography, organised crime or, indeed, terrorism, it is one of the most important tools that our law enforcement agencies have. So as we look back and congratulate our agencies on their 13 significant disruptions of plots to conduct terror, as we look at the fact that since 2014 more than 70 people have been charged as a result of 31 counter-terrorism operations around the country, it comes down to the fact that the government, in cooperation with the opposition, has passed eight major tranches of legislation to give our law enforcement agencies the tools they need to respond in a timely manner to a rapidly evolving threat.

You can see that threat evolving globally and even here in Australia. Over the last four or five years, we have gone from a period where terrorist plots were largely a network of people with a coordinated and complex plot that our agencies could engage with over a period of months in terms of surveillance and collecting evidence before acting to what we now see globally and even in Australia, which is that terrorist plots can be very simple, very quick and low-technology. The laws the agencies require to obtain intelligence and also to act to keep Australians safe have changed.

So this government has passed eight significant tranches of legislation, including the Criminal Code Amendment (High Risk Terrorist Offenders) Bill 2016, which was passed to allow the continued detention of high-risk terrorist offenders. A reasonable person in the street would agree that, if somebody has not renounced the ideology that made them a risk in the first place, we would be foolish to be releasing them back onto the streets while they still pose a risk.

The Criminal Code Amendment (War Crimes Act) 2016 was passed to enable the ADF to legally target members of armed groups such as ISIL in Syria and Iraq. We had the situation where some domestic law was preventing the effective engagement and disruption of an enemy that is sworn to Australia's destruction, that has been committing genocide in parts of the world. So we have passed legislation to make it possible for the ADF to be effective.

The Counter-Terrorist Legislation Amendment Bill (No. 1) 2016 lowered to 14 years the age limit on control orders. Why? Because we are seeing people as young as that involved in both the preparation and the actual conduct of terrorist acts and our community rightly expects that we will give our agencies the powers they need to deal with a threat that is evident, that is here today.

The Australian Citizenship Amendment (Allegiance to Australia) Bill was passed, providing for the revocation or renunciation of citizenship of dual nationals convicted of or engaged in terrorism-related conduct. When I go to various functions in the community in Australia probably the most frequent comment I get from men and women is: 'If somebody is engaged in terrorist acts against Australia, why do we allow them back into the country? Why do we keep them here?' This bill made it clear that, where somebody has dual citizenship and has essentially renounced their Australian citizenship by taking terrorist action against Australia, their Australian citizenship will be removed; and that has occurred.

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 is not a new power; there has been data retention for many years. But with the changing commercial environment people no longer needed to retain for billing purposes the kind of information that shows person A picked up a phone and rang for 15 minutes. That is how telcos used to bill. They would look at your telephone record and charge you for the calls you made. Now that the world has moved on—through much more internet based protocols to packages where you buy up front, they have no commercial need to retain much of that information. Yet that information—whether it is child sex offences, organised crime and drugs, or terrorism—is critical to our law enforcement agencies. That bill was not about creating new powers; it was largely about preserving one of the most effective tools that our agency has. In 2014, the Counter-Terrorism Legislation Amendment Bill (No. 1) was passed enabling ASIS to assist the ADF in relation to terrorists and updating and expanding the regime to apply to enablers. Commonsense measures say that if an Australian citizen is overseas and doing something to the detriment of Australia, our interests or our allies then ASIS can help the ADF. And that people here who are enabling and preparing for an act are people we should be able to engage with as opposed to those who are actually in the act of committing a terrorist offence. The Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 was passed to respond to the threat of Australians engaging in and returning from conflicts. And, finally, there is the National Security Legislation Amendment Act (No. 1) 2014.

The reason I have run through those bills is that they have been passed on a bipartisan basis in the parliament in the interests of the Australian public, and I make no apologies for those bills. The government's first priority is keeping Australians safe. This most recent bill, whilst not directly a counterterrorist bill or directly a counterespionage bill, goes to the integrity of our telecommunications and data systems which provide a vulnerability if we do not keep them secure. That vulnerability goes to both terrorism-type offences and national security as well as to our economic security through cyberattacks.

I encourage people who are interested to download the PJCIS report, where we go through both the submissions and the government's submission in detail as to why this bill is required. This piece of legislation is implementing the recommendations of the PJCIS. I particularly want to highlight that the ideological objection of the Greens is misplaced specifically in regard to this bill because it is not about increasing data retention powers. It is about saying that if a telco has an obligation under the data retention regime and they choose to change the nature of their network then they need to advise the Commonwealth so that we can have a sensible discussion about the implications. I am very happy to support this bill and commend it to the Senate.

11:32 am

Nick Xenophon (SA, Nick Xenophon Team)

The Telecommunications and Other Legislation Amendment Bill 2016 will amend the Telecommunications Act 1997 and related legislation with the aim of strengthening the security of Australia's telecommunications networks. Australia's telecommunications networks are an absolutely vital part of our national infrastructure, enabling us to conduct business and go about our everyday lives online. Our economic prosperity, our wellbeing and, indeed, our national security are dependent on telecommunications networks and the data that flows across them.

I don't think anyone can question the scale and seriousness of the potential cyberthreats to Australia from serious to highly organised crime, often operating on an industrial scale, to clandestine activity by foreign governments. All the publicly available advice from our security and intelligence agencies suggests—and I quote from the minister's second reading speech:

Espionage and clandestine foreign interference activity against Australian interests is extensive.

This legislation has been developed over a lengthy period of time with extensive consultation with industry and other stakeholders with exposure drafts available for public consultation and, more recently, by an inquiry by the Parliamentary Joint Committee on Intelligence and Security. The bill proposes amendments to the Telecommunications Act 1997 to place an obligation on all carriers, carriage service providers and carriage service intermediaries to do their best to protect telecommunications networks and facilities from unauthorised interference and unauthorised access for the purposes of security. Companies will have to consider national security risks such as espionage, sabotage and foreign interference threats, and the confidentiality of information and communications as well as the availability and integrity of telecommunications network facilities. This obligation will be supported by new notification obligations. Carriers and nominated carriage service providers will be required to notify changes to systems and services if the carrier or the nominated carriage service provider becomes aware that a proposed change is likely to have a materially adverse effect on their ability to meet their security obligations to protect networks and facilities from unauthorised access and interference. Early notification to security agencies should allow those agencies to provide advice at the planning stage and ensure security considerations are factored into the proposed design as early as possible in a cost-effective manner. As the minister put it in introducing the bill:

The scheme relies on a 'light touch' approach to regulation to allow for meaningful collaboration and cooperation with industry to manage risks in a way that is satisfactory to both industry and government, without the government being too prescriptive and retaining flexibility for industry.

Clearly, a close and effective dialogue between our national security agencies—especially ASIO and the Australian Signals Directorate—and industry will be essential if the legislation is to deliver the enhanced security we all seek.

The bill has now been the subject of an extensive inquiry by the Parliamentary Joint Committee on Intelligence and Security, a process that has allowed further comment and input from industry. The joint committee has made a number of recommendations that are broadly reflected in the amendments now proposed by the government. I won't go through all those amendments and recommendations. Suffice to say they all significantly improve the legislation.

I will, however, focus on one matter examined by the joint committee, and that is the question of the location of stored data. This is a very important issue. As the draft administrative guidelines accompanying the bill note, offshore data storage raises significant security issues relating both to the storage of personal information, financial and other sensitive data and, indeed, to national security. The draft administrative guidelines note:

Offshoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia, this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised actions by third parties, such as theft of customer data or sabotage of the network.

The Attorney-General's Department noted that the bill does not specify where or how data must be stored, but instead supports a risk based approach where companies 'can retain flexibility to support their changing business needs and to minimise any regulatory burden on their ability to conduct business internationally'. The law, as it stands and as is proposed, does not currently compel telecommunications providers to tell the government where data retained is stored. That is something I have concerns about, and I propose to raise them in my usual respected manner with the Attorney because I am concerned about the data being stored overseas. I don't think a risk based approach is adequate here, given the potential for espionage or sabotage.

The joint committee rightly observes:

It is critical that the Australian community can have confidence in the telecommunications sector and especially the security of stored data.

Australia's existing legal framework for the protection of information includes requirements under the Privacy Act and the Telecommunications (Interception and Access) Act, including mandatory encryption for retained telecommunications data as well as a recently introduced mandatory data breach notification scheme. The joint committee notes that the telecommunications sector security framework would apply to carriers and carriage service providers—C/CSPs—irrespective of whether certain parts of a C/CSP's operation are located in Australia or overseas. The location of data is not necessarily determinant of its security, but there are clear risks associated with offshore data storage. The joint committee rightly expressed itself 'greatly concerned that existing laws do not provide government with visibility about where and how data is being stored'. We need that visibility. The notification requirements proposed for the bill will require telecommunications companies to notify the government of any changes they propose to make that are likely to have a material adverse effect on their ability to comply with their security obligations. This requirement must include any decisions to store critical data offshore.

The bill does contain information-gathering powers that could be used, if necessary, to compel companies to provide information that is relevant to assessing compliance with their security obligations. The joint committee has recommended:

… that at the time of the review required to be undertaken by the Parliamentary Joint Committee on Intelligence and Security under section 187N of the Telecommunications (Interception and Access) Act 1979, the scope of the review be expanded to include consideration of the security of off-shored telecommunications data that is retained by a service provider for the purpose of the data retention regime.

The joint committee has further recommended:

… the Bill should be amended to include, in relation to data retained under Part 5-1A of the Telecommunications (Interception and Access) Act 1979, a specific obligation within the notification requirement in proposed section 314A to require—

carriers and nominated carriage service providers to notify the department—

of any new or amended offshoring arrangements.

This seems to be an essential provision, as a minimum, to ensure the security considerations are properly taken into account in any arrangements to store Australians' personal, financial or other sensitive data overseas.

My view is that I don't like it. This, to me, is putting Australians' data at too much risk. Why risk it when we should ensure that the data is stored here, onshore rather than offshore? While recognising the significant costs involved in ensuring adequate data security, I would also raise the likelihood that the so-called light-touch approach of this bill will need to be revisited in the future. Recent revelations in the banking sector suggest that very large and well-resourced companies—yes, Which bank?—can still prove shamefully negligent in failing to comply with regulatory regimes, even those relating to money laundering and terrorist financing. All too often, the pursuit of super profits and directors' bonuses can lead corporations to skate over important regulatory obligations. I suspect that this legislation will be the first in building much stronger measures to ensure the security of our telecommunications infrastructure and the protection of Australians' personal data. For the moment, I and my colleagues will support the bill and the associated proposed amendments, but we do have serious concerns in relation to the offshoring of Australians' data.

11:41 am

David Leyonhjelm (NSW, Liberal Democratic Party)

I rise to speak on the Telecommunications and Other Legislation Amendment Bill 2016. The bill purports to improve national security at the cost of more government control over private telecommunications companies. The bill will introduce a new regulatory framework, supposedly to better manage national security risks of espionage, sabotage and foreign interference to Australia's telecommunications networks and facilities.

Specifically, the bill imposes a new security obligation on telecommunication carriers, carriage service providers and intermediaries. They will now be obliged to do their best to manage the risk of unauthorised access and interference, even where such access or interference does not involve committing an offence. They will also have to notify the government of planned changes to their networks and services that could risk unauthorised access and interference, even where the changes do not increase the risk of offences being committed. Of course, they will have to give information to government so compliance with these obligations can be monitored. In fairness, the directions power is limited to instances where ASIO has given an adverse security assessment and the Attorney-General is satisfied that using the power is reasonably necessary to eliminate or reduce a risk to security. Consideration will supposedly be given to the costs and impacts on competition and consumers. However, fundamentally, the greatest weight is required to be given to the ASIO security assessment.

The net effect of this bill is that consumers will get worse service at a higher cost. This is because this bill will (1) increase compliance costs on industry; (2) restrict competition, as only big established companies would put up with the red tape; and (3) distort investment away from what consumers want, as bureaucrats will make directions without knowing the trade-offs between security, cost and other features for each option and without knowing or caring what sort of trade-off consumers prefer. Government can secure its own data just by choosing ICT businesses that offer gold-standard security. With respect to private data, the government, arguably, has a role to prevent crimes—like hacking into a bank—that could hurt more than those directly involved. But the current law covers this, and there is no case to go further.

What there is no doubt about is that this bill increases regulation and costs to telecommunication service providers to the detriment of consumers and to the dubious benefit of central government. It gives ASIO additional telecommunication oversight powers and obliges telecommunication service providers to both maintain enhanced security and report breaches. Is this a vital piece of legislation to enhance our national security? The Liberal Democrats don't think so.

In a free society, intrusions into individual privacy in the interests of national security and law enforcement are based on probable cause. However, more and more we see measures taken by governments which curtail the freedom of all in an effort to monitor and prevent unlawful efforts by a tiny few. Logically, in doing this both Liberal and Labor seem increasingly to think that everyone is equally likely to be a threat. If this were true, then the fundamental basis of a democratic liberal society is called into question, and the first ideological step has been taken towards creating a police state.

We believe the current laws, effectively policed, provide more than enough powers. I will consequently be opposing this bill.

11:45 am

George Brandis (Queensland, Liberal Party, Attorney-General)

May I close the second reading debate by thanking honourable senators for their contributions. Let me start with Senator McAllister.

Might I acknowledge and thank the opposition for its support for this bill, the Telecommunications and Other Legislation Amendment Bill 2016. Like all of the tranches of national-security-related legislation that I have introduced into this chamber, this bill has been the subject of extensive consideration by the Parliamentary Joint Committee on Intelligence and Security. The PJCIS has recommended a number of amendments, which the government has agreed to, and I want to thank the opposition both for its support for the bill and for its contribution to the deliberative process through the PJCIS.

Speaking of which, can I also thank Senator Fawcett, who is a member of the PJCIS, for his characteristically thoughtful and well-informed contribution. I also want to acknowledge and thank Senator Xenophon for his thoughtful contribution and his support for the bill.

Senator Leyonhjelm, who has just spoken, has indicated that, effectively on libertarian grounds, he will oppose the bill. This is a position, as we know, that Senator Leyonhjelm characteristically takes. I am glad that on legislation of this kind, where government and opposition—the alternative parties of government in this place—agree that we have a contradictor; that we hear the other side of the argument from a libertarian point of view. If I may say so, there is always a crystalline elegance about Senator Leyonhjelm's contributions to this debate. He is very much a purist. But can I say to you, Senator Leyonhjelm, that in the government's view your concerns on a libertarian basis are misplaced. Your warnings about the creation of a police state are vastly wrongheaded, with respect. And, might I point out, Senator Leyonhjelm, that, if not always, then typically, you have opposed the government's national security legislation reforms.

And, might I point out to you, with respect, Senator Leyonhjelm—through you, Mr Acting Deputy President—that when on Thursday of the week before last the Deputy Commissioner of the Australian Federal Police, Deputy Commissioner Phelan, announced the charging of two people following an alleged attempt to bring down an aircraft in consequence of a plot, which it will be alleged was being conducted on Australian soil, Deputy Commissioner Phelan, who runs the counterterrorism operation, went out of his way to point out that it was because of powers given to the Australian Federal Police by this parliament in the eight tranches of national security legislation which have been introduced by this government over the last three years that the AFP was able to make those arrests and conduct that investigation so successfully, thus saving potentially hundreds and hundreds of lives.

I am not making a debating point, Senator Leyonhjelm; that was the view of the operational officer in charge of Australia's counterterrorism efforts. But it does, I think, make the point that, on occasions and only where there is a clear need to do so, it is sometimes necessary to give the police additional power in order to protect public safety. We have the endorsement of Deputy Commissioner Phelan that that has been the very effect of some of the laws that this Senate has passed after deliberation, including the contributions which you have made.

I can't say that Senator McKim's contribution had the same crystalline elegance as yours, Senator Leyonhjelm. It was a confused contribution because, with respect, Senator McKim confused the bill. He said that this was about mass government surveillance. It has absolutely nothing to do with mass government surveillance whatsoever. As a matter of fact, what this bill is to do with is protecting systems.

Senator McKim interjecting

I think, Senator McKim—through you, Mr Acting Deputy President—you are thinking of another bill. It's always good counsel, if you participate in these debates, to work out which bill you're talking about.

Nevertheless, let me—having responded to those who contributed—make some closing remarks. I've already thanked the PJCIS for its contribution to the process. May I repeat that since 2014 this government, first under the leadership of Mr Abbott and now under the leadership of Mr Turnbull, has led the most significant program of national security legislation reform in a generation. The bill currently before the chamber is the ninth tranche of significant national security legislation which this government has introduced—which I have introduced—in the past three years.

The bill is a critically important piece of national security legislation, because telecommunications networks form part of Australia's critical infrastructure and also support other critical sectors such as health, finance, transport, water and power. Cyberthreats to Australia are persistent, whether they arise from sabotage, espionage, serious and organised crime or other technology enabled crime. The existing framework for managing these risks in the telecommunications industry is inadequate, and I think that fact is widely acknowledged. It relies on voluntary cooperation and goodwill, which is not always sufficient given the nature of the risks to national security and the gravity of those risks.

So this bill will address that shortcoming in the protection of the telecommunications system at the moment. It will amend the Telecommunications Act to place an obligation on all carriers, carriage service providers and carriage service intermediaries to do their best to protect telecommunications networks and facilities from unauthorised interference and unauthorised access. This obligation will be supported by new notification requirements to encourage early engagement to allow risks to be assessed and mitigated. Carriers and nominated carriage service providers will be required to notify changes to systems and services if a carrier or nominated carriage service provider becomes aware that a proposed change is likely to have a material adverse effect on their ability to meet the security obligation to protect networks and facilities from unauthorised access and interference.

Companies will also be given the opportunity to forecast changes to telecommunications systems in annual security capability plans. In line with the risk based nature of these reforms, the notification regime includes an exemptions process. This will reduce the regulatory burden on some companies and ensure that the resources of security agencies are targeted. The bill also prescribes annual reporting requirements on the operation of the legislation in an effort to improve the transparency of the regime.

Following introduction of the bill on 9 November last year, I referred it to the PJCIS for inquiry under the chairmanship of Mr Andrew Hastie MP. The committee recognised that protecting telecommunications infrastructure requires a joint partnership between government and industry. The recommendations of the committee provide great clarity and certainty for industry, encourage information sharing and enhance the transparency of the regime's operation.

In addition to the committee's inquiries, these reforms have been the subject of extensive industry consultation, beginning as long ago as 2012. Senator Leyonhjelm—through you, Mr Acting Deputy President—your observations about the burden to industry overlook the fact that this proposal has been developed collaboratively with industry through very extensive consultations that took into account industry's views. As a result, a number of changes were made to improve the operation of the proposed legislation in response to that feedback, including providing additional safeguards to govern the use of the proposed regulatory powers, clarifying the intended scope and application of requirements to be imposed on telecommunications providers, and other measures. I want to take this opportunity to thank those from industry who contributed so constructively to what has been, on any view, a very thorough consultation process.

In conclusion: the bill will establish a regulatory framework to better manage national security risks of espionage, sabotage and foreign interference and to better protect networks and the confidentiality of information stored on and carried across them from unauthorised interference and access—not surveillance, Senator McKim, but protection. There will be a set of government amendments to give effect to the recommendations of the PJCIS, subject to the committee stage. I commend the bill to the Senate.

Peter Whish-Wilson (Tasmania, Australian Greens)

The question is that the bill be now read a second time.