Submission to the
Attorney-General’s Department on the
Exposure Draft Telecommunications and
Other Legislation Amendment Bill 2015
(Telecommunications Sector Security
Reforms)
4 August 2015
INTRODUCTION
Optus appreciates the opportunity to comment on the Exposure Draft Telecommunications and Other
Legislation Amendment Bill 2015 (“the Exposure Draft”). Optus acknowledges that the Government’s
intent in introducing the Telecommunications Sector Security Reforms (“TSSR”) is to provide for a
more effective and formalised framework for managing national security risks associated with
unauthorised access and interference with telecommunications networks.
Optus has previously provided in-principle support for a scheme of this nature. In its opening
statement to the Parliamentary Joint Committee on Intelligence and Security 2012 inquiry into
potential reforms of National Security Legislation, Optus provided cautious support for a structured
scheme. The caution arose from the challenge of correctly calibrating the practical design of such a
scheme.
The international nature of the communications industry supply chain, the global origin of threats and
the Government’s unique position to obtain intelligence not available to commercial players mean
that the success of such a scheme will require an open and transparent exchange of information
between agencies, carriers and carriage service providers on risks and threat assessments. Such a
dialogue is consistent with themes discussed at the Prime Minister’s recent Cyber Security Summit
with business leaders, where it was agreed that the Government and business should foster further
ways to work together to improve cyber threat sharing.
One of the key outcomes Optus seeks from any scheme is a high level of certainty and investment
confidence. That is, the scheme should allow carriers to demonstrate their credentials and get a
reasonable level of surety about the acceptance of their processes and procedures, providing the
confidence to undertake substantial investment decisions without fear of later revision.
While Optus does not object to the overall intent of the TSSR, this submission highlights several
deficiencies with the structure proposed in the Exposure Draft, each of which is open to remedy.
In particular, Optus is concerned with the decision-making processes introduced by the Exposure
Draft (proposed new Division 4 of Part 14), and deficiencies around procedural fairness and the lack
of appropriate appeals mechanisms for the process and merit of Directions which can be issued to
telecommunications providers. Optus also believes that additional clarification is needed around the
new regulatory role that will exist for the Attorney-General’s Department and the framework in which it
will operate. In addition, Optus sees a need for a formal consultative mechanism to be introduced,
underpinned by the legislation, for the purpose of sharing information on risks and threat
assessments.
Optus is a member of Communications Alliance, the Australian Mobile Telecommunications
Association and the Australian Information Industry Association, and notes that these Associations, in
conjunction with the Australian Industry Group, have jointly made a substantial submission on this
matter. Optus’ individual submission highlights the areas of its prime concern.
DECISION-MAKING CRITERIA
Optus is concerned that much of the decision-making process is set out only in the Explanatory
Memorandum to the Exposure Draft (“the EM”) and not in the legislation itself.
As an example, according to the EM (paragraph 40) a Direction under s315B would normally only be
issued “[w]here there is disagreement [between a provider and ASIO] about the need to implement
mitigation measures, or an actual failure to implement ASIO recommended mitigation measures, or a
C/CSP seeks a more formal request to empower its Board of Executives, the Secretary can issue a
direction compelling the C/CSP to implement the mitigation measures”. No such prerequisites are
required by the legislation – only that the Attorney-General’s Secretary is satisfied that “there is a risk
of unauthorised interference with, or unauthorised access to, telecommunications networks or
facilities, and as a result, there is a risk to security.” This is a very low decision-making threshold.
It would appear from the Exposure Draft that if a threat or risk merely exists, it provides an adequate
basis for a Direction to be issued, without any qualification on the threat or risk assessment. Optus
suggests that additional rigour is required in the legislation to ensure that such directive powers are
only used where the seriousness, pervasiveness, immediacy and likelihood of the identified risks or
threats have been appropriately considered. That is, the risk or threat must exhibit characteristics
such as being imminent, substantial, likely, known or having a severe impact for the directive powers
to be used.
The risk assessment also needs to consider the impact on the C/CSP and their customers (including
downstream providers and their end users where wholesale relationships exist), and the precedent
this action will set for industry. Finally, it should aim to balance the security risk with the other objects
of the Telecommunications Act, including the long-term interests of end users, the efficiency and
international competitiveness of the Australian telecommunications industry, and promoting the supply
of diverse and innovative carriage services and content services.
Unless the benchmark for directive action is made higher or more rigorous, the Attorney-General
and the Attorney-General’s Secretary (or their delegate) have virtually unfettered discretion because
every deployment or business process will have some level of identifiable risk or vulnerability. These
risks will be able to be related to “security” as there will inevitably be some relationship to live network
traffic or customer information which can be extrapolated and deemed sensitive.
APPEALS PROCESS
The other key item of concern to Optus is that once an adverse decision is mooted or enacted there is
very limited opportunity for challenge or appeal, leaving the recipient of a Direction from either the
Attorney-General or the Attorney-General’s Secretary (or their delegate) with very limited access to
further avenues of review.
Procedural fairness would ordinarily dictate that the intended recipient of an adverse finding or action
(such as a Direction) would be notified in advance and have an opportunity to provide final argument
to the decision-maker. Further, once a decision had been reached, there should be at least some
avenue for review of the merits and/or decision-making process. The Exposure Draft provides none
of these opportunities or avenues. (The EM (paragraph 41) does indicate that it is expected that
ASIO will engage with the provider first and “would contemplate furnishing a security assessment”,
but this is not required by the Exposure Draft.)
The Exposure Draft does set out a merits review process for the ASIO security assessment, via the
Administrative Appeals Tribunal. It is interesting to note, however, that this would appear to have no
bearing on the issuing of a Direction, as there is nothing in the legislation which requires a
subsequent review by the Attorney-General, the Attorney-General’s Secretary or their delegate of a
Direction issued as a result of that ASIO assessment.
Further, there is no avenue of appeal for a Direction issued by the Attorney-General, the Attorney-General’s Secretary or their delegate. The usual avenue of appeal for such decisions from other
Government agencies would be via the courts under the Administrative Decisions (Judicial Review)
Act 1977, yet the Exposure Draft will amend this Act to list these decisions as decisions to which the
Act does not apply, leaving little if any avenue for appeal.
Given the potential impacts of the TSSR to telecommunications networks and residential and
business communications services, as well as the commercial impacts to providers, it is vital that
providers have the ability to engage in robust discussion and disagreement (if necessary) with ASIO
on its assessment, without it having the leverage of requesting that the Attorney-General or Attorney-General’s Secretary (or their delegate) issue an “unchallengeable” Direction.
CONSULTATIVE FORUM
One of the items that is not currently contemplated by the Exposure Draft is a formal consultative
mechanism for information sharing between Government and industry.
Given that the EM (in paragraph 13) advises that “The security framework seeks to formalise the
relationship between Australian Government agencies and C/CSPs to achieve more effective
collaboration on the management of national security risks”, Optus recommends that the Government
consider implementing a formal, ongoing consultation process by which it can engage with industry
for this purpose.
Such a consultation mechanism should be recognised formally within the legislation, and would be
over and above the current bilateral discussions between Government and individual providers. A
broader consultative process would encourage information sharing by industry and Government, and
would assist in achieving the regulatory objective of the TSSR “..to achieve national security
outcomes on a cooperative basis” and “facilitate the early identification of potential national security
risks” (paragraph 13 of the EM).
The early identification of potential threats and the ability to consider these in light of technological
developments would also assist industry to better manage their capital and network planning
processes, minimising the risk of retrospective applications of the TSSR for existing network
components, which could be highly disruptive to the provision of communications services to
Australian residents and businesses.
REGULATOR FRAMEWORK
Paragraph 12 of the EM advises that the Secretary of the Attorney-General’s Department will be the
regulator for the purpose of administering and enforcing compliance with the new security obligation.
There is little else described in the EM or the Exposure Draft on this regulatory role.
Generally, a regulator’s functions, powers, liabilities, decision-making processes, reporting
requirements and other such matters would be clearly set out in legislation. This is not the case for
this new regulatory role for the Attorney-General’s Secretary, as there is little detail in the Exposure
Draft on such matters. It is also not clear, for example, whether they will be subject to the
Government’s Regulator Performance Framework.
Optus believes that it is important for the Government to clarify and provide more detail on the
framework in which the Attorney-General’s Secretary will operate in its regulatory capacity.
CONCLUSION
Whilst Optus supports the Government’s intent in attempting to protect Australian telecommunications
networks from interference, it believes the current Exposure Draft does not provide the necessary
rigour for such a new security assessment framework to operate practically. Further work is needed to
establish clear decision-making criteria before a Direction can be issued to providers, and an appeals
mechanism for these Directions must be made available.
Optus believes that the establishment of a formal consultative forum, for the purpose of sharing
information on potential threats and risks, would serve to better assist both industry and Government
in managing the impacts of the TSSR and being able to appropriately plan their capital and network
investments.
Some clarity on the new regulatory role for the Attorney-General’s Secretary would also be beneficial
to ensure the new framework functions as intended by the Government, with appropriate levels of
transparency and accountability.
Optus remains committed to working with the Government to develop an appropriately robust
framework for the Telecommunications Sector Security Reforms.
End.