The Telecommunications and Other Legislation Amendment Bill is set to be waved through Australian Parliament with a bipartisan report stating that after a number of clarifications, it should become law.
The Bill forces telco carriers and carriage service providers (CSPs) to “do their best” to protect their networks from unauthorised access or interference for the purpose of security, with carriers and CSPs to notify the Attorney-General’s Department (AGD) of any changes to their services, systems, or equipment that could have a “material adverse effect” on their ability to comply with this duty.
The communications access coordinator (CAC) has the power to assess whether those changes bring a risk of exposing the network to unauthorised access or interference, and may suggest changes to a CSP’s security capability plan.
In its report, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) asks for clarification within the administrative guidelines for when a company is providing an over-the-top service; when telco infrastructure is used but not owned or operated by a company; when a company provides cloud-based services; and when infrastructure is overseas and provides services to, or stores information on, Australians.
The guidelines should also include details and examples of changes the CAC is not interested in, the report said.
As for the wording of the Bill itself, the committee recommended it clarify that broadcasters are not subject to the legislation; allow for carriers to request partial or complete exception for certain changes; make it clear the Bill does not change the operation of existing privacy laws; outline ways for industry to recover costs; and have the Attorney-General take into account how quickly the CAC responded to a notification before issuing a direction.
It was also recommended the Bill spell out that an annual report on the scheme to Parliament include the number of occasions the information-gathering powers have been exercised, the number of notifications and security plans received, average response timeframes of the CAC, number of occasions the directions-powers have been used, and details of how the government is sharing information with industry.
The Bill provided a “proportionate and escalating framework for addressing national security risks” and gave certainty to industry, the committee said.
“The committee supports a legislative framework approach which establishes the security of Australia’s telecommunications infrastructure as a joint responsibility between government and industry,” it said.
“It continues to allow industry to make its own commercial decisions within the risk assessment framework and with access to security advice. Where necessary, there exists the option for enforcement in order to ensure the protection of telecommunications infrastructure.”
PJCIS also said as part of its review into Australia’s metadata laws, it should be allowed to examine the security of metadata retained and stored overseas.
“The Committee is greatly concerned that existing laws do not provide government with visibility about where and how data is being stored,” the report stated.
During hearings of the committee, AGD said it did not believe the storage of metadata overseas was a security concern.
“That is not true, because we’ve been briefed to the fact that that isn’t, that’s not a true statement,” Labor member for Holt Anthony Byrne said in February. “It was one of the concerns of the committee that if you did offshore it, it did impact the capacity of the agencies and the Attorney-General’s Department to actually protect the data.”