Through its peaks and troughs, the Abbott government has always been able to point to national security as an area of relative strength.
The current government has certainly spent a significant amount of legislative effort on bolstering its national security powers, and in particular those affecting the telecommunications industry.
Hot on the heels of new mandatory data retention laws, the government on June 25 announced its latest proposal in this space in the form of an exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015.
If passed, the bill will do three things:
- Impose a new duty on carriers and carriage service providers to ‘do their best’ to protect their networks from unauthorised access and interference.
- Require these companies to notify the government of any change likely to have a material adverse effect on their ability to meet their new network security obligations.
- Give the government enhanced direction-making and information-gathering powers to manage national security risks affecting telecommunications networks.
While the period for making submissions on the bill has only just closed, a number of industry representatives have already voiced their concerns.
Most notably, a joint public submission by a number of significant industry groups, including the Australian Information Industry Association, the Australian Mobile Telecommunications Association and the Communications Alliance, bluntly described the bill as “regulatory over-reach.”
These groups said it “hands unjustifiably significant additional and intrusive powers to government and places regulatory burdens on industry that will undermine its ability to protect against and respond to cyber attacks.”
So what exactly is it about the bill that has prompted such a strong and united critical response?
Expansive new direction-making power
The bill will give the government broad new powers to direct carriers to do, or refrain from doing, certain acts that may be prejudicial to national security.
This aspect of the bill builds on the existing powers of the Federal Attorney-General, George Brandis, to require carriers to stop using or supplying a carriage service where doing so may be prejudicial to national security.
However, the expansion proposed by the bill is significant and creates scope for many different types of directions that could interfere with the way that telecommunications companies operate their businesses.
The draft explanatory memorandum (EM) for the bill indicates that the new powers would still be intended to serve as a last resort.
Unfortunately, there is nothing in the bill to reflect this. For example, there is no requirement to obtain a risk assessment from any national security agency or to consult with industry on alternative approaches before exercising the direction-making powers, and there is no requirement for directions to be proportionate to the risk they are intended to address.
The net effect of this is that the proposed new powers would create a high degree of uncertainty for industry. One concern is that they could be used to target specific equipment vendors, which could have a significant impact given the narrow range of major vendors on which the industry currently relies.
Clearly a telecommunications service provider could suffer major disruption to its business if one of its key vendors is effectively ‘blacklisted’ as the result of a government direction.
The draft EM specifically indicates that the bill is “not about preventing the use of particular equipment vendors or service suppliers”.
However, this may be seen as somewhat cold comfort given that the government has form in this area, having previously prohibited Chinese vendor Huawei from supplying equipment for the NBN project.
Broad and unrestricted new information-gathering powers
In addition to the expanded direction-making powers, the bill would also give government new powers to require service providers to provide information that is relevant to their new security duties. They would need to provide this information within a timeframe set by the government.
Again, these powers would be broad and relatively unconstrained, with few limits on how the government may use any information that is provided.
For example, the bill would allow the information to be shared with third parties for risk assessment or other security purposes. This could allow information provided by a service provider to be shared with foreign government security agencies and also with other companies that may be confronted with a similar security threat.
This would obviously be a concern to the extent that the information contains commercially sensitive details about a particular service provider’s network design or procurement practices.
The proposed information-gathering regime may also raise practical compliance risks for service providers, such as if the government sets an unreasonable timeframe for providing complex technical information. The bill offers little protection against these risks.
Increasing complexity and deterring innovation
The procurement departments of major telco companies operate in a very complex environment where they often need to manage hundreds of separate procurement projects at any one time.
Any additional layer of regulation will inevitably increase the time and cost associated with procuring new technology, particularly where the impact of the additional regulation is uncertain and subject to change.
If the bill is passed, Australian telcos will need to factor new security considerations into each procurement exercise they undertake. They will also need to make potentially difficult decisions about whether a procurement will result in any change from a security perspective that needs to be notified to government.
If a change does need to be notified, then there will be time and money spent on preparing the notification and waiting on a response from government.
This will slow down the procurement process, potentially making Australian telcos less agile and slower to introduce technical innovations compared to their international peers.
Anecdotal evidence from other jurisdictions that have already seen the introduction of similar laws is that technology innovators are deterred and prefer to focus their energies on jurisdictions with a lower risk of government interference.
For example, a Google-sponsored research project on software-defined networks relocated to Australia and the US in order to avoid the regulatory uncertainty created by the introduction of the laws in New Zealand.
It is too early to say how the government will respond to the strong push-back it has received so far in response to the bill. However, early indications suggest that we could expect some significant amendments to the bill, with Attorney-General Brandis saying “we will be considering carefully the observations that the industry has made in finalising the legislation.”
Federal communications minister Malcolm Turnbull indicated that there will be changes and modifications to reflect the feedback received.
Only time will tell whether the government will be able to effectively allay everyone’s concerns.
Michael Swinson is a partner at global law firm King & Wood Mallesons. He specialises in commercial legal matters with a focus on technology, intellectual property and data protection.