Submission to the Attorney-General’s Department on the Exposure Draft Telecommunications and Other Legislation Amendment Bill 2015 (Telecommunications Sector Security Reforms)

4 August 2015

INTRODUCTION

Optus appreciates the opportunity to comment on the Exposure Draft Telecommunications and Other Legislation Amendment Bill 2015 (“the Exposure Draft”). Optus acknowledges that the Government’s intent in introducing the Telecommunications Sector Security Reforms (“TSSR”) is to provide for a more effective and formalised framework for managing national security risks associated with unauthorised access and interference with telecommunications networks.

Optus has previously provided in-principle support for a scheme of this nature. In its opening statement to the Parliamentary Joint Committee on Intelligence and Security 2012 inquiry into potential reforms of National Security Legislation, Optus provided cautious support for a structured scheme. The caution arose from the challenge of correctly calibrating the practical design of such a scheme. The international nature of the communications industry supply chain, the global origin of threats and the Government’s unique position to obtain intelligence not available to commercial players, means that the success of such a scheme will require an open and transparent exchange of information between agencies, carriers and carriage service providers on risks and threat assessments. Such a dialogue is consistent with themes discussed at the Prime Minister’s recent Cyber Security Summit with business leaders, where it was agreed that the Government and business should foster further ways to work together to improve cyber threat sharing.

One of the key outcomes Optus seeks from any scheme is a high level of certainty and investment confidence.
That is, the scheme should allow carriers to demonstrate their credentials and get a reasonable level of surety about the acceptance of their processes and procedures, providing the confidence to undertake substantial investment decisions without fear of later revision.

While Optus does not object to the overall intent of the TSSR, this submission highlights several deficiencies with the structure proposed in the Exposure Draft, each of which is open to remedy. In particular, Optus is concerned with the decision-making processes introduced by the Exposure Draft (proposed new Division 4 of Part 14), and deficiencies around procedural fairness and the lack of appropriate appeals mechanisms for the process and merit of Directions which can be issued to telecommunications providers. Optus also believes that additional clarification is needed around the new regulatory role that will exist for the Attorney-General’s Department and the framework in which it will operate. In addition, Optus sees a need for a formal consultative mechanism to be introduced, underpinned by the legislation, for the purpose of sharing information on risks and threat assessments.

Optus is a member of Communications Alliance, the Australian Mobile Telecommunications Association and the Australian Information Industry Association, and notes that these Associations, in conjunction with the Australian Industry Group, have jointly made a substantial submission on this matter. Optus’ individual submission highlights the areas of its prime concern.

DECISION-MAKING CRITERIA

Optus is concerned that much of the decision-making process is set out only in the Explanatory Memorandum to the Exposure Draft (“the EM”) and not in the legislation itself.
As an example, according to the EM (paragraph 40) a Direction under s315B would normally only be issued “[w]here there is disagreement [between a provider and ASIO] about the need to implement mitigation measures, or an actual failure to implement ASIO recommended mitigation measures, or a C/CSP seeks a more formal request to empower its Board of Executives, the Secretary can issue a direction compelling the C/CSP to implement the mitigation measures”.

No such prerequisites are required by the legislation – only that the Attorney-General’s Secretary is satisfied that “there is a risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities, and as a result, there is a risk to security.” This is a very low decision-making threshold. It would appear from the Exposure Draft that if a threat or risk merely exists, it provides an adequate basis for a Direction to be issued, without any qualification on the threat or risk assessment.

Optus suggests that additional rigour is required in the legislation to ensure that such directive powers are only used where the seriousness, pervasiveness, immediacy and likelihood of the identified risks or threats have been appropriately considered. That is, the risk or threat must exhibit characteristics such as being imminent, substantial, likely, known or having a severe impact for the directive powers to be used. The risk assessment also needs to consider the impact on the C/CSP and their customers (including downstream providers and their end users where wholesale relationships exist), and the precedent this action will set for industry. Finally, it should aim to balance the security risk with the other objects of the Telecommunications Act, including the long-term interests of end users, the efficiency and international competitiveness of the Australian telecommunications industry, and promoting the supply of diverse and innovative carriage services and content services.
Unless the benchmark for directive action is made higher or more rigorous, the Attorney-General and the Attorney-General’s Secretary (or their delegate) have virtually unfettered discretion, because every deployment or business process will have some level of identifiable risk or vulnerability. These risks will be able to be related to “security” as there will inevitably be some relationship to live network traffic or customer information which can be extrapolated and deemed sensitive.

APPEALS PROCESS

The other key item of concern to Optus is that once an adverse decision is mooted or enacted there is very limited opportunity for challenge or appeal, leaving the recipient of a Direction from either the Attorney-General or the Attorney-General’s Secretary (or their delegate) with very limited access to further avenues of review.

Procedural fairness would ordinarily dictate that the intended recipient of an adverse finding or action (such as a Direction) would be notified in advance and have an opportunity to provide final argument to the decision-maker. Further, once a decision had been reached, there should be at least some avenue for review of the merits and/or decision-making process. The Exposure Draft provides none of these opportunities or avenues. (The EM (paragraph 41) does indicate that it is expected that ASIO will engage with the provider first and “would contemplate furnishing a security assessment”, but this is not required by the Exposure Draft.)

The Exposure Draft does set out a merits review process for the ASIO security assessment, via the Administrative Appeals Tribunal. It is interesting to note, however, that this would appear to have no bearing on the issuing of a Direction, as there is nothing in the legislation which requires a subsequent review by the Attorney-General, the Attorney-General’s Secretary or their delegate of a Direction issued as a result of that ASIO assessment.
Further, there is no avenue of appeal for a Direction issued by the Attorney-General, the Attorney-General’s Secretary or their delegate. The usual avenue of appeal for such decisions from other Government agencies would be via the courts under the Administrative Decisions (Judicial Review) Act 1977, yet the Exposure Draft will amend this Act to list these decisions as decisions to which the Act does not apply, leaving little if any avenue for appeal.

Given the potential impacts of the TSSR to telecommunications networks and residential and business communications services, as well as the commercial impacts to providers, it is vital that providers have the ability to engage in robust discussion and disagreement (if necessary) with ASIO on its assessment, without it having the leverage of requesting that the Attorney-General or Attorney-General’s Secretary (or their delegate) issue an “unchallengeable” Direction.

CONSULTATIVE FORUM

One of the items that is not currently contemplated by the Exposure Draft is a formal consultative mechanism for information sharing between Government and industry.

Given that the EM (in paragraph 13) advises that “The security framework seeks to formalise the relationship between Australian Government agencies and C/CSPs to achieve more effective collaboration on the management of national security risks”, Optus recommends that the Government consider implementing a formal, ongoing consultation process by which it can engage with industry for this purpose. Such a consultation mechanism should be recognised formally within the legislation, and would be over and above the current bilateral discussions between Government and individual providers.
A broader consultative process would encourage information sharing by industry and Government, and would assist in achieving the regulatory objective of the TSSR “..to achieve national security outcomes on a cooperative basis” and “facilitate the early identification of potential national security risks” (paragraph 13 of the EM). The early identification of potential threats and the ability to consider these in light of technological developments would also assist industry to better manage their capital and network planning processes, minimising the risk of retrospective applications of the TSSR for existing network components, which could be highly disruptive to the provision of communications services to Australian residents and businesses.

REGULATOR FRAMEWORK

Paragraph 12 of the EM advises that the Secretary of the Attorney-General’s Department will be the regulator for the purpose of administering and enforcing compliance with the new security obligation. There is little else described in the EM or the Exposure Draft on this regulatory role.

Generally, a regulator’s functions, powers, liabilities, decision-making processes, reporting requirements and other such matters would be clearly set out in legislation. This is not the case for this new regulatory role for the Attorney-General’s Secretary, as there is little detail in the Exposure Draft on such matters. It is also not clear, for example, whether they will be subject to the Government’s Regulator Performance Framework.

Optus believes that it is important for the Government to clarify and provide more detail on the framework in which the Attorney-General’s Secretary will operate in its regulatory capacity.

CONCLUSION

Whilst Optus supports the Government’s intent in attempting to protect Australian telecommunications networks from interference, it believes the current Exposure Draft does not provide the necessary rigour for such a new security assessment framework to operate practically.
Further work is needed to establish clear decision-making criteria before a Direction can be issued to providers, and an appeals mechanism for these Directions must be made available. Optus believes that the establishment of a formal consultative forum, for the purpose of sharing information on potential threats and risks, would serve to better assist both industry and Government in managing the impacts of the TSSR and being able to appropriately plan their capital and network investments. Some clarity on the new regulatory role for the Attorney-General’s Secretary would also be beneficial to ensure the new framework functions as intended by the Government, with appropriate levels of transparency and accountability. Optus remains committed to working with the Government to develop an appropriately robust framework for the Telecommunications Sector Security Reforms. End.