Submission to the Cyber and Identity Security Policy Branch, Attorney-General’s Department
Telecommunications Sector Security Reforms
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | FINAL | 31 JULY 2015 | PAGE 1/6

Submission – Telecommunications Sector Security Reforms

EXECUTIVE SUMMARY

Telstra welcomes the opportunity to provide this submission on the exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015 (Bill).

Protecting national security is a fundamental role for the state. As Australian consumers and businesses increasingly embrace digital technologies and the security threat environment changes accordingly, it makes sense that the Government would take steps to improve standards and access to information around managing the security risks faced by telecommunications networks. As more of our physical world turns to digital, all parts of society need to think strategically about how we make sure we have appropriate levels of control to protect public safety in the same way that we do in a physical world. To this end, we agree with the principle underpinning this Bill that, as part of protecting Australia’s national security, the Government needs to have appropriate mechanisms in place so they can be confident telecommunications networks are secure and sensitive data is protected.

As Australia’s leading telecommunications company, we have a clear commercial incentive to protect our networks and customer information against unauthorised access or interference. To this end, we have invested in implementing a best practice data and network security regime. However, in the modern technological environment one company alone cannot successfully protect against all major security risks. For example, we require expert input on the latest threats from government, we need all major carriers in the national industry to share a commitment to security, and our customers too need to take steps to secure their devices and systems.
We support reforms that progress this integrated approach to security. Today, information sharing between industry and government already occurs; for example, Carriers and Carriage Service Providers (C/CSPs) receive advice from the Australian Signals Directorate, the AG’s National Information Exchange and forums such as the Prime Minister’s recent Cyber Security Summit. There are some important opportunities to build on and formalise the existing information flows between industry and government through this Bill.

The modern telecommunications environment can be highly complex. As a result, there is a risk that security decisions made in isolation by an outsider about a telecommunications network or particular technology may have unintended consequences, including adding complexity to procurement practices, reducing the diversity of technology suppliers, changing incentives around investment, or imposing additional costs. This risk is potentially heightened in circumstances where government is granted very broad powers to make decisions with commercial and operational impacts.

To help avoid such unintended consequences from eventuating, our submission proposes some suggestions for improving the interaction between government and industry through this Bill, drawing on our practical experience in building and operating networks and managing security risks in the process. Our submission recommends the following:

1. The Bill should clearly define any direction-making powers, and we suggest that consideration should be given to limiting these powers solely to the Attorney General.
2. Information gathering powers should also be clearly defined.
3. Statutory immunity should be extended so that C/CSPs are protected in the event they are in breach of other legal obligations.
4. So that C/CSPs understand the reasons behind a security determination, a security assessment from ASIO should be obtained before a direction can be made and a statement of reasons issued alongside any directions.
5. Industry should be provided with an implementation period of 12 months for these new reforms.
6. We recommend consideration be given to creating a safe harbour mechanism for C/CSPs whose ‘Network Security Plan’ is approved by the Attorney-General’s Secretary (Secretary).

We are confident these adjustments to the Bill would go a long way to ensuring the reforms can be implemented and the Government’s objectives achieved without impacting investment and innovation in new products and services and without imposing new unnecessary costs on industry and our customers. The rest of this submission will cover our recommendations in more detail.

TELSTRA RECOMMENDATIONS

PROPOSAL 1: DEFINE BOUNDARIES OF DIRECTION-MAKING POWER

Under the Telecommunications Act, the Attorney General already has the power (after consulting with the Prime Minister and the Minister for Communications) to direct C/CSPs not to use or supply, or to cease using or supplying, particular carriage services. This existing power is an extreme measure for managing the most significant national security risks, which is reflected by the fact that this direction-making power has never been used.

The Bill would introduce new direction-making powers for the Secretary in addition to these existing powers, with a lower threshold for when they can be used. We are concerned that if and when they are exercised these powers could have negative consequences in practice. For example, if the Secretary makes a direction prohibiting a C/CSP from acquiring equipment from vendors in a particular country, then this may require very significant and expensive re-engineering of the C/CSP’s network design.
To help avoid such a scenario, we believe the Secretary’s discretion to issue a direction should be balanced against the potential consequences of a direction, and the Secretary’s decision should be based on objective criteria that need to be satisfied before a direction can be issued. As such, we suggest the Bill be amended to:

a) Require the direction-making power to be exercised by the Attorney General personally

Given the potential scope and implications of the new direction-making power, we suggest that this power should only be exercisable by the Attorney General personally, consistent with the existing direction-making powers under the Telecommunications Act, rather than by the Secretary or another delegate. This would give C/CSPs greater confidence that directions would only be issued as a measure of last resort.

b) Only allow directions in response to a material security risk

There is general agreement among industry and government that in this context direct state intervention in commercial operations should only occur where there is a material threat to national security. This is reflected in the Explanatory Memorandum for the Bill, which states the directions power is intended to be used as a last resort.

As the Bill is currently drafted, to issue a direction the relevant decision maker must be “satisfied” there is a “risk” of unauthorised interference or access to telecommunications networks or facilities. Given the potentially significant disruption to C/CSPs and telecommunications services that may result from a direction, we would recommend more detail be added to the Bill to describe how the decision maker can be satisfied that a risk warrants intervention. For example, the relevant decision maker should only act following an adverse security assessment from ASIO.
That assessment should be provided to a senior officer with the appropriate security clearance at the impacted company or companies so that C/CSPs can understand why the direction has been issued.

c) Require that the relevant decision maker consult with C/CSPs prior to issuing a direction and act reasonably

Government intervention in commercial operations is almost always made more effective and less disruptive if it occurs based on consultation with the impacted entity. To formalise this requirement for consultation, the Bill should be amended so that before making a direction the relevant decision maker must:

(1) consult with the C/CSPs that will be the subject of the direction;
(2) provide all the relevant material used to form the decision maker’s opinion that the direction is necessary (including the ASIO security assessment) to the C/CSP; and
(3) take into account the costs and other potential negative consequences for those C/CSPs of having to comply with the direction.

The Bill should be amended so that the relevant decision maker may only make a direction that is “reasonably necessary” for the purpose of eliminating or reducing the relevant security risk. As part of acting reasonably, the decision maker should provide an appropriate compliance period for each direction, taking into account the steps that may be required to comply.

d) Ensure directions apply fairly to all industry participants

The industry would benefit if any directions issued under the Bill applied the principle of competitive neutrality, as this helps ensure Australia can maintain a competitive market which continues to deliver investment and innovation. Directions should not discriminate based on market share or number of customers, and wherever possible should focus on a particular type of equipment or service, rather than a particular vendor or service supplier.
Directions that impact whole vendors could impact the diversity of supply for the C/CSPs in Australia. The industry currently relies on a relatively narrow pool of potential vendors, and any reduction in the number or type of suppliers could result in a loss of competitive tension.

PROPOSAL 2: DEFINE BOUNDARIES ON INFORMATION GATHERING POWERS

The Bill gives the Secretary broad new powers to gather information from C/CSPs and share it. The proposed section 315C gives the Secretary power to require a C/CSP to provide any information or document that they have reason to believe is “relevant” to the new network security duties under section 313(1A). Under this power, C/CSPs could be required to provide confidential and commercially sensitive information, including information about networks, procurement arrangements, tender documentation, contracts, expansion plans, and information about proposed mergers and acquisitions.

We are confident the Government appreciates the commercial value and legal sensitivity of the information that a C/CSP may be required to provide to the Secretary, but believe the Bill would be improved if this was reflected through controls on how information is provided and what can be done with it. In particular, we are concerned it would be time consuming and difficult to provide useful information in response to an open-ended request, particularly for a C/CSP which operates across many countries, such as Telstra.

We suggest that section 315C be amended so the Secretary is required to provide the C/CSP with a draft request for information on which to comment, to help the Secretary appropriately target the scope of the request. It should also specify that the Secretary may only require the disclosure of information where it is reasonably necessary for the purposes of assessing the relevant C/CSP’s compliance with its security duties or investigating, assessing, reducing or eliminating a relevant security risk.
This would be strengthened by amendments to section 315H so that a person who has received information may only share it on the basis that it is to be kept confidential and only used for the purposes of investigating or reducing a relevant security risk, and may not disclose the information to anyone other than another Australian or foreign government agency. Also, information must be returned or destroyed when it is no longer required for a relevant permitted purpose.

PROPOSAL 3: EXTEND STATUTORY IMMUNITY

The Explanatory Memorandum states the new information gathering powers proposed are not intended to replace existing practices of information exchange between the Government and C/CSPs, but instead are intended to be exercised in circumstances where a C/CSP considers it is restrained from sharing information for contractual or other legal reasons. The information gathering power is intended to operate to override these reasons for non-disclosure.

In light of this, Telstra proposes that an appropriate statutory immunity be introduced to protect C/CSPs if they are required to provide information in circumstances that might otherwise be in breach of other legal obligations. For example, a C/CSP may be required to disclose information about a supplier or other third party that it has received on a commercial-in-confidence basis and could be exposed to civil liability in relation to the disclosure. It is important for it to be clear that C/CSPs will have immunity from any civil or criminal liability in the event that they are required to disclose information in response to a direction made under the Bill, so that C/CSPs are not forced into a position of deciding which of their legal obligations they should comply with.
PROPOSAL 4: IMPROVE TRANSPARENCY OF DECISION MAKING

Directions made by the Secretary under the Bill will not be subject to review under the Administrative Decisions (Judicial Review) Act 1977 (Cth). We acknowledge that this is consistent with other legislation relating to national security issues, but there is a risk that the residual option for a C/CSP to apply for judicial review of a direction made by the Secretary will not serve as an adequate check on the broad powers proposed under the Bill.

Consequently, we believe the Bill would be improved if it was amended to include a requirement for the relevant decision maker to issue a statement of reasons when issuing a direction. Providing this level of transparency will encourage quality decision making by requiring the Secretary to ensure that his or her decisions are appropriate and proportionate in the circumstances, and educate C/CSPs about the basis for the decision, which will inform their management of risk going forward.

PROPOSAL 5: EXTEND IMPLEMENTATION PERIOD

We think that it is appropriate for industry to be given a reasonable period to understand the scope of the changes proposed and to implement a compliance strategy. This is particularly important given the Government has passed a number of pieces of legislation recently that impact C/CSPs, including introducing the data retention regime. We suggest that the Bill should have a guaranteed implementation period of no less than 12 months.

PROPOSAL 6: CONSIDER CREATING A SAFE HARBOUR MECHANISM

We recommend the introduction of a safe harbour mechanism that enables a C/CSP to obtain an exemption from the directions and information-gathering powers where they have had a ‘Network Security Plan’ accepted by the Secretary. This would involve the Secretary, in consultation with national security agencies, preparing guidance criteria for a National Security Plan to be accepted.
We appreciate that this would involve confidential engagement with the Secretary by security cleared officers of the relevant C/CSPs. We anticipate that some C/CSPs would be in a position to provide such a plan and report against it annually, and would prefer this as an alternative to the proposed regime. Such a scheme may also have efficiency and cost benefits for government.

CONCLUSION

We appreciate the Australian Government’s commitment to enhancing telecommunications security in line with the growing importance of networks and services. Many Australian C/CSPs, like Telstra, are already successfully assessing and managing security risks, including through proactive engagement with relevant government agencies. We see this as a strong base for industry and government to work collaboratively to achieve the public good of national security.

As with any government intervention in the commercial operations of large and complex industries, legislation needs to be carefully crafted in order to avoid regulatory uncertainty and high compliance costs. There is the risk that the Bill in its current form, with the broad-ranging powers it confers on the Secretary to issue directions and gather information from C/CSPs and its potential impact on C/CSP procurement, investment and technological innovation plans, could have negative consequences in practice for our industry, and consequently for Australian consumers and businesses that rely on communications services.

To assist government in meeting its important national security objectives, we have put forward a number of recommendations that we believe would improve the Bill by reducing the risk of imposing uncertainty on industry and minimising the costs associated with the reforms on industry and government. We would welcome further engagement with the Government on these recommendations.