Proposed laws could take IT procurement decisions away from telcos

Attorney-General, George Brandis

The federal government has introduced new draft legislation that could see certain IT procurement decisions taken out of the hands of the country’s telecommunications providers.

The Telecommunications and Other Legislation Amendment Bill 2016 was introduced into the senate on 9 November, and would amend the Telecommunications Act 1997.

Its aim is to introduce a regulatory framework to “better manage national security risks of espionage, sabotage, and foreign interference, and better protect networks and the confidentiality of information stored on, and carried across them, from unauthorised interference and access”.

“Government and business are increasingly storing and communicating large amounts of information on and across telecommunications networks and facilities. By their nature, telecommunications networks and facilities hold sensitive information,” the bill’s explanatory memorandum stated.

“For these reasons, the telecommunications networks and facilities of carriers, carriage service providers and carriage service intermediaries (C/CSPs) are attractive targets for espionage, sabotage and foreign interference activity by state and non-state actors,” it said.

The bill is an updated version of an exposure draft of the legislation published by the Attorney-General’s Department last year, incorporating feedback from industry during a consultation period, following pushback from some industry stakeholders.

In its current form, the proposed laws would give the Attorney-General additional powers to direct a telecommunications carrier and carriage service provider to alter a procurement decision if it has been assessed that the technology in question could give rise to a security risk.

However, the power to dictate how a telco makes a technology investment decision can only be granted if the Australian Security Intelligence Organisation (ASIO) has provided an adverse security assessment of the procurement in question.

The bill would also impose a security obligation on telecommunications providers requiring them to “do their best” to manage the risk of unauthorised access and interference to networks and facilities they own, operate, or use.

Additionally, the legislation would place a requirement on telcos to notify the government of planned changes to systems and services that are “likely to make the network or facility vulnerable to unauthorised access and interference”.

The bill would also give the Attorney-General’s Department information-gathering power to keep an eye on compliance and among the country’s telcos.

The introduction of the legislation follows moves by the government in 2012 to ban Chinese vendor, Huawei from tendering for work on the National Broadband Network (NBN) due to concerns at the time over cyber attacks reportedly “originating in China”.

However, the government claims that the proposed security framework in the legislation is “not intended to prevent the use of particular equipment vendors or service providers”.

The ongoing costs of resourcing and administering the scheme by ASIO and AGD are estimated to be $1.6 million annually. The estimated ongoing annual cost of compliance for affected organisations would be $184,317.