House debates
Wednesday, 13 September 2017
Bills
Telecommunications and Other Legislation Amendment Bill 2017; Second Reading
11:08 am
Michael Keenan (Stirling, Liberal Party, Minister for Justice)
I move:
That this bill be now read a second time.
The Telecommunications and Other Legislation Amendment Bill 2016 will amend the Telecommunications Act 1997 and related legislation to strengthen the security of Australia's telecommunications networks.
National security threats to the telecommunications sector
Australia's telecommunications networks are the critical infrastructure that enables all of us to conduct business and to go about our everyday lives online. Australia's economic prosperity and wellbeing are increasingly dependent on telecommunications networks and the data that flows across them.
Cyber threats to Australia are persistent, whether they arise from sabotage, espionage, serious and organised crime, or other technology-enabled crime. Espionage and clandestine foreign interference activity against Australian interests is extensive.
The Australian Cyber Security Centre's Threat Report 2016 demonstrates the scale of the cyberthreat to Australian organisations. Telecommunications networks are a key pathway for unauthorised interference by malicious actors. The report identifies that diverse state-based adversaries are attempting cyberespionage against Australian systems to satisfy strategic, operational and commercial intelligence requirements. It also acknowledges that the ongoing theft of intellectual property from Australian companies continues to pose significant challenges to the future competitiveness of Australia's economy.
The number, type and sophistication of cybersecurity threats to Australia and Australians are increasing. Australian businesses and organisations face a range of serious threats, from foreign state-sponsored adversaries to serious and organised criminals.
Compromise is expensive. It can include financial losses, damage to reputation, loss of intellectual property and disruption to business.
This is why it is so vital that the security and resilience of our telecommunications networks are maintained.
It is also why, after a broad public consultation, the bipartisan Parliamentary Joint Committee on Intelligence and Security recommended in 2013 that the government create a security framework for the telecommunications sector.
This committee also recommended establishing this security framework again in 2015 in the context of data-retention legislation. The reforms proposed in this bill will complement the data-retention regime by improving the security of networks as a whole and provide an additional layer of protection for retained data.
The reforms set out in the bill form part of the Australian Cyber Security Strategy, launched by the Prime Minister in April 2016. This reflects the particular importance of secure telecommunications networks to the functioning and wellbeing of Australian communities.
In June 2017, under the chairmanship of Andrew Hastie, the committee recommended that the bill be passed, subject to its recommendations being accepted. The committee's recommendations aim to provide greater clarity and certainty for industry, encouraging information sharing, and enhancing the transparency of the regime's operation.
Policy objectives of this bill
This bill builds on existing obligations in the Telecommunications Act 1997.
These reforms have been subject to extensive consultation over the past four years. Industry feedback through this process has shaped the detail of the proposed reforms. In particular, a number of key amendments have been made to the bill following the release of two exposure drafts for public consultation in mid and late 2015.
Strong industry-government partnerships are critical to managing these threats and securing our most important systems. This bill will formalise the relationship between industry and government and ensure consistency, transparency and proper accountability for all parts of the telecommunications industry.
It will provide clarity around government's expectations on how national security risks to telecommunications networks are to be managed, and will provide more proportionate mechanisms for managing these risks.
The bill will not introduce a prescriptive legislative approach. Rapid changes in technology and service delivery mean a prescriptive approach would simply not be possible.
Overview of key measures
Amendments to the Telecommunications Act 1997 proposed in this bill will place an obligation on all carriers, carriage service providers and carriage service intermediaries to do their best to protect telecommunications networks and facilities from unauthorised interference and unauthorised access for the purpose of security.
This obligation will encourage companies to consider national security risks, such as espionage, sabotage and foreign interference risks to the confidentiality of information and communications, as well as the availability and integrity of telecommunications networks and facilities.
This obligation will be supported by new notification obligations, which are modelled on the existing notification regime in the Telecommunications (Interception and Access) Act 1979. Carriers and nominated carriage service providers will be required to notify changes to systems and services if the carrier or nominated carriage service provider becomes aware that a proposed change is likely to have a material adverse impact on their ability to meet the security obligations to protect networks and facilities from unauthorised access and interference.
Companies will also be given the opportunity to forecast changes to telecommunications systems in annual security capability plans.
Early notification to security agencies will allow them to provide advice at the planning stage and ensure security considerations are factored into the proposed design as early as possible in a cost-effective manner.
In line with the risk-based nature of these reforms, the notification regime includes an exemptions process. Following recommendations of the committee, the bill has been amended to include an application process for exemptions. This will reduce the regulatory burden on some companies and ensure that the resources of security agencies are targeted.
Establishment of a broader security framework
The regulatory model will be supported by a comprehensive administrative framework. The scheme relies on a 'light touch' approach to regulation and allows for meaningful collaboration and cooperation with industry to manage risks in a way that is satisfactory to both industry and government, without the government being too prescriptive and retaining flexibility for industry.
We recognise that telecommunications companies already make significant investments in security and have considerable technical expertise in mitigating and responding to threats.
This administrative framework is premised on a collaborative partnership with industry, involving increased engagement and information sharing with government agencies. Implementation will be based on a regime of industry consultation, advice and guidance.
The reforms recognise that security is a joint responsibility and this is why enhanced engagement between government and industry is at the heart of these reforms.
Safeguards built into the regulatory powers
New information gathering and directions powers provided for in this bill will only be used as a last resort.
Importantly, a number of safeguards are built into these regulatory powers to ensure their use is reasonably necessary.
For example, the Attorney-General can only issue a direction to a company after he or she has received an adverse security assessment from the Australian Security Intelligence Organisation recommending action and has considered the costs of the direction on the company, as well as broader market and competition effects.
In addition, a direction can only be made after consultation with the affected company and after the Attorney-General is satisfied that reasonable steps have been taken to negotiate an outcome in good faith.
A range of review rights will be available for companies to ensure proper accountability for decision-making.
Conclusion
This bill will ensure that businesses, individuals and the public sector can continue to rely on telecommunications networks to store and transmit their data safely and securely. It will promote informed risk management of national security concerns by providing industry with clarity and certainty of government expectations.
Importantly, it will not be prescriptive. It will allow industry the necessary flexibility to find the best and most innovative solutions. This will ensure the security and resilience of Australia's telecommunications infrastructure, as well as the competitiveness of the sector in a rapidly changing global market.