Communications department flags idea of tying telco licences to cyber capability
The Department of Infrastructure, Transport, Regional Development, and Communications has run up the flagpole the idea of inserting security provisions into the Telecommunications Act to require telcos to safeguard their systems as a condition of their licence to operate.
Writing in a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the Telecommunications Sector Security Reforms (TSSR), the department said there are no specific requirements on carriers to protect their networks from cyber intrusions.
“The addition of an object with a specific security focus would support the measures taken by government and industry into the future,” it said.
“It would also mean that the full force of the existing regulatory framework (including codes and standards under Part 6 of the Tel Act [Telecommunications Act], carrier licence conditions and service provider rules) could be available to support security objectives.”
A number of options exist for how that mechanism would work under Part 6, the department said, and it could end up taking the form of licence conditions, service provider rules, or an industry code or standard.
“If these mechanisms are used to achieve security objectives, it is appropriate that the Minister for Home Affairs have the ability to enforce these obligations, consistent with the powers that the Minister for Home Affairs already has in relation to TSSR,” the department said.
As it currently stands under TSSR obligations, telcos need to “do their best” to protect infrastructure, but the department put forward the idea of making it more prescriptive and easier to interpret.
“The creation of a delegated instrument (such as a determination making power), with appropriate Ministerial oversight, could offer a clearer alternative,” it said.
“Additionally, industry and government could create and promulgate security standards using existing mechanisms in Part 6 of the Tel Act which is currently used, for example, to set out emergency call service and mobile number porting identity requirements.”
There was also the opportunity to close gaps, the department pointed out, which included “obvious trigger events” such as a telco being acquired.
“A change in ownership of a carrier, effectively a transfer of carrier licence, could trigger a security check subject to a risk assessment,” it wrote.
The department also said direction powers could be extended to allow for directions to be handed to telcos without the requirement for an adverse finding to be handed to the telco in question, if the security risk lies with a supplier, and not the telco itself.
While it is possible to create a list of carriers with telco licences, the department said no definitive list of carriage service providers (CSP) currently exists.
“A list of a subset of CSPs delivering specific services, such as commercial telephony or broadband services, could be maintained by either regulator (CAC or ACMA) and be used to proactively enforce security, consumer protection and other obligations across the Tel Act,” the submission said.
Earlier in the week, Optus revealed it was responsible for over half of the 66 notifications made under the TSSR regime to June 30.
“Optus has reviewed the TSSR status of well over 150 projects and proposed changes over the last two years and submitted formal TSSR notifications for 36 of them,” it said.
“The time for the resolution of these notifications has varied between 30 days to eight months.”
The telco said this meant the regime was not operating as intended due to telcos each coming up with their own notification thresholds and interpretations. Consequently, the TSSR is simultaneously at risk of under-notification and over-notification
The Singaporean telco further said it had experienced significant impacts due to the TSSR.
The main result of the TSSR thus far has been the banning of Huawei from 5G deployments in Australia. It was a decision that Optus said changed its market position, investment strategy, customer outcomes, and network design and capability.