PJCIS concerned TSSR’s ‘do your best’ requirements are not enough anymore
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is looking to formalise the relationship between government and the nation’s telco providers as it says reliance on the current voluntary processes is insufficient.
As it currently stands, under the Telecommunications Sector Security Reforms (TSSR), carriers need to “do their best” to protect their networks from unauthorised access or interference for the purpose of security. Carriers must also notify the government of any changes to their services, systems, or equipment that could have a “material adverse effect” on their ability to comply with this duty.
Although the committee said in its report that the highly regulated telcos are in a better position to handle security obligations from the critical infrastructure framework, formalisation was needed.
“The regulatory concept of providers ‘doing their best’ to secure their networks in the national interest has served the Telco Act and the TSSR up until now, but the committee can not be assured that a reliance on industry alone to counter threats is sustainable, nor that the Telco Act as a whole can continue to uphold the security requirements for the industry,” the report said.
The main result of the TSSR thus far has been the banning of Huawei from 5G deployments in Australia. The committee said this showed the government was able to step in when needed, but noted that the intervention only occurred once a threat was “overwhelmingly evident”.
“In considering the evidence provided, the committee formed the view that, in many instances, the onus was on industry to carry the burden of information sharing and communication with government — in part due to the TSSR regime’s inherent reliance on voluntary engagement. While there are certainly circumstances of these arrangements being adequate, it is the committee’s view that it is insufficient to rely on voluntary practices, and dialogue, notifications, threat and information sharing between industry and government should be formalised,” it said.
To boost these efforts, the PJCIS has recommended the Department of Infrastructure, Transport, Regional Development and Communications work with the Cyber and Infrastructure Security Centre within Home Affairs to determine “industry best practice risk identification, management, and mitigation”.
In an attempt to prevent telcos from having different interpretations of when notifications are needed — as demonstrated by Optus making up over half of all notifications — the committee wants a telecommunications security working group created that consists of representatives from the Communications department, Home Affairs, the telcos, Australian Security Intelligence Organisation, and Australian Signals Directorate.
“This working group could set agreed standards and best practice principles to inform the work of the Cyber and Infrastructure Security Centre’s advice and resources,” the committee said.
“The Committee recommends that the working group … be tasked with scoping agreed carrier licence conditions, service provider rules, and codes and standards for security of networks and systems.
“These can then be used to guide the resources to be produced by that group and inform directions or information gathering powers exercisable by the Minister for Home Affairs under the existing provisions of Part 14 of the Telecommunications Act 1997.”
The working group would also be consulted on any duplicate obligations that arise from the interaction of TSSR and the amended Security of Critical Infrastructure Act 2018 (SOCI Act) prior to any activation of obligations.
“If agreed, and once activated, the duplicated obligations or other mechanisms in Part 14 of the Telecommunications Act 1997 should be repealed, or deactivated by relevant mechanisms, so as to avoid regulatory duplication on telecommunications entities,” the report said.
In its report, the committee said that, as it conducted its review, it became clear there were “significant crossovers” with the critical infrastructure review that was taking place at the same time.
“Calls for repeal of the TSSR or deactivation of duplicated obligations are reasonable from those affected, but the committee does not want to recommend repeal of any mechanisms that are in place and working to secure telecommunications in Australia. The importance of the sector to the nation is too strong to act in such a way without full consideration,” it said.
“The committee trusts the assertions from government that any potential SOCI obligations will only be ‘switched on’ if the existing TSSR obligations are assessed as being unsuitable. However, the committee believes that this decision should be made in consultation with the potentially affected entities and is recommending that that occur through the working group.”
Additionally, the committee recommended the Telco Act be amended to state that security is an object of the Act, and a “dedicated telecommunications security threat sharing forum” be created to allow ASIO and ASD to brief the telcos on threats to “the maximum classified level possible”.
Although Huawei filed a submission to the review claiming Australia was isolating itself from “world’s best technology and innovation”, the Chinese tech giant declined an invitation to appear before the committee.