This article was written by Capucine Hague.
With the Australian Government's Critical Infrastructure Centre poised to announce its security policies for electricity, ports and water, we look at recent security reforms in the telecommunications sector to see what hints they provide on the Government's approach to other critical infrastructure.
Last week, the Telecommunications and Other Legislation Amendment Act 2017, containing the government's Telecommunications Sector Security Reforms (TSSR), became law. The TSSR, which will take effect after a 12-month transition period, are a series of reforms aimed at monitoring and managing changes to telecommunications networks and facilities that are likely to have a material adverse effect on security.
The Attorney-General's Department is responsible for administering the TSSR, and has assigned that responsibility to its newly launched Critical Infrastructure Centre (CIC). The CIC was launched earlier this year to manage national security risks to Australia's critical infrastructure, with a focus on telecommunications, electricity, water and ports.
Overview of the TSSR
The TSSR impose two key obligations on carriers and carriage service providers (CSPs):
- a general obligation to do their best to protect their networks and facilities from unauthorised interference or access, for the purposes of security; and
- a specific obligation to report to the Attorney-General on changes to the carrier or CSP's networks and facilities (and how they manage them) which are likely to have a material adverse effect on their ability to meet their general obligation (either on an ad hoc basis or by submitting an annual Security Capability Plan). The Attorney-General's Department has issued guidelines which outline the types of changes which are likely to trigger the notification requirement, including procuring or changing the location of telecommunications or network management equipment, entering into outsourcing arrangements to have all or part of telecommunication services provided or managed by a third party, or entering arrangements which would allow telecommunications data to be accessed by persons outside Australia. These guidelines will be updated again before the end of the transition period.
The Attorney-General is also granted broad 'last resort' powers to issue directions (following consultation with relevant ministers and the Prime Minister) and gather information. Directions may:
- prevent all carriers and CSPs from using or supplying a certain carriage service, where an adverse security assessment has been made (so long as the direction is not expressed as only applying to a particular person or class of persons); or
- prevent a particular carrier or CSP from doing something or require them to do something, where the Attorney-General is satisfied that there is a risk of unauthorised interference or access that would be prejudicial to security.
There is no requirement that directions follow from information submitted by carriers or CSPs, although the Attorney-General may only issue a direction where there has been an adverse security assessment.
Relevance to other critical infrastructure sectors
The way that the TSSR have been reflected in the new legislation may indicate the way that regulation will be imposed on other sectors. In particular:
- The TSSR legislation applies to all telecommunications networks and facilities – not simply to particular networks or facilities that have been identified as critical national infrastructure. In guidelines issued earlier this year, the Attorney-General's Department explained that the tests imposed by the legislation are less likely to apply to certain types of infrastructure – however this does still mean that telcos need to consider those tests in relation to their entire network infrastructure, and that the Attorney-General's direction powers are broader.
- The CIC focuses on addressing the potential for a malicious foreign actor to gain access and control of Australia's critical infrastructure via ownership, offshoring, outsourcing and supply chain arrangements. The TSSR is broader than this – for example the Attorney-General could also direct a telco to implement security measures which reduce vulnerability to cyber-attacks from within Australia. The Attorney-General's Department's guidelines list engaging a new billing provider, deploying LTE technology (i.e. appointing a new equipment supplier or managed service provider), upgrading core routing equipment and renewing contracts not previously notified to the government as examples of changes that may need to be notified in accordance with the legislation.
- The Attorney-General's Department has said that the measures it will introduce in relation to other industries will grant the relevant Minister a 'last resort' power to direct specific risk mitigation actions, where all other risk management avenues have been exhausted – whereas the TSSR direction powers are not expressed in the legislation as being 'last resort' powers, although the Attorney-General may only exercise them once it has received an adverse security assessment and (depending on the change) consulted with the Prime Minister and Minister for Communications, and negotiated in good faith with the carrier or CSP.
- Telcos are not excused from providing information to the Attorney-General's Department on request on the basis that this information might incriminate them or expose them to a penalty. The Attorney-General's Department may share information it receives with other persons for the purpose of assessing the risk of unauthorised interference or access to facilities or networks, or to security.
We have been tracking the progress of critical infrastructure security reforms since they were first announced in 2015.