Telecommunications network security obligations get tougher in Australia

Australia is ramping up its network security rules for the telecommunications industry. The Telecommunications and Other Legislation Amendment Bill 2016 was introduced to Parliament on November 9 and has gone through a second reading. If passed, the Bill will amend the Telecommunications Act 1997, create new network security obligations on carriers and carriage service providers and provide the Attorney-General with more scrutiny over these obligations.

Ian McGill

According to the Australian Cyber Security Centre’s 2016 threat report, 1,095 cyber security incidents that were considered serious enough for operational responses occurred in 2016 on government systems . The figure for those affecting Australian businesses was 14,804 incidents. “Network security vulnerability is an extreme concern,” says Ian McGill, partner at Allens. “There are significant concerns around state based espionage and threats to Australia’s competitiveness.”

Amendments to the existing Act

The updated legislation will require carriers and carriage service providers to notify the government of changes to their services or networks that are likely to have a material adverse effect on their ability to meet security obligations.

“The amendment will likely come into effect around mid-2017 after the industry submissions are reviewed,” says James North, partner at Corrs Chambers Westgarth. “Industry will have 12 months for implementation so changes won’t take place until 2018.”

The Bill has gone through changes after two consultation periods with industry and exposure draft bills. “There was uncertainty around the scope of what may be required to meet the new security requirements, as well as in relation to the broad powers for government to intervene on national security issues without necessarily considering the commercial impact,” says Michael Swinson, partner at King & Wood Mallesons. “The original exposure draft version of the Bill allowed significant powers to be exercised by the Attorney General without judicial oversight. Industry was worried that the Bill could allow a disproportionate response to a perceived security risk, with no recourse to challenge that response.”

“In the current version of the Bill, the Attorney General has an obligation to engage and consult with affected telco companies on issues such as the cost of compliance, which offers some comfort for affected companies,” says Swinson.

Some of the ways that the telco industry will be affected include the reporting of offshoring or outsourcing critical services, significant equipment purchases and changes to the way the network is managed. Companies may choose to make individual disclosures or submit the information altogether through security capability plans.

Effects on industry

Michael Swinson

The telecommunications industry will need to be vigilant of the effects of the Bill. “It will add administrative overhead,” says Swinson. “Companies will need to address internal decision making and reporting processes to ensure that national security considerations are addressed and taken into account when making material business decisions on network management.”

“Existing contracts will need to be audited and checked against the new standards and there will be a cost to carriers,” says McGill. “But this cost is worth incurring if a security breach will come at an even greater cost. The incremental cost of factoring in obligations into the design of new service offerings will outweigh the vulnerability of a breach.”

“The Bill will affect supply chains,” says Swinson. “The draft explanatory memorandum of the Bill calls out specifically that there may be a need for stricter governance mechanisms in subcontracts and for security related obligations to be flowed down to subcontractors. As a consequence, telco companies may become stricter with suppliers by imposing more stringent security requirements, including in relation to reporting and audits.”

“There are about 200 licensed carriers in Australia, but it is a fairly concentrated market,” says McGill. “Offshore service providers such as telephone call centres and cloud service providers will be affected.”

Australia’s forthcoming legislation is a trend towards stricter network security laws around the world, such as those in the UK, US, New Zealand, Singapore and China. “Telcos will need to revisit their offshoring policies and consider laws in other jurisdictions to understand their rights to access information stored outside Australia,” says Swinson.

In anticipation of the new regulations, those in the telecoms supply chain will need to consider how they will be affected. “In light of this legislation, Australia telcos may need to proceed in a more conservative fashion when looking to outsource material network functions and to ensure that they retain strong in-house capability to maintain technical and operational control over their networks. As a consequence, opportunities for some outsource service suppliers may be reduced,” says Swinson. “There will be more stringent outsourcing and supply contracts with stricter contract terms.”

James North

“The government is conservative in adopting new technologies and if the government is not careful this legislation could impact innovation in the industry,” says North. “In my view, it is best left to industry to decide on best network security practice.”

Narrow focus

While some jurisdictions have increased network security measures across multiple industries, the stricter rules only apply to the telecommunications industry in Australia, at least for the time being. “The telecoms industry is quite sophisticated so it was a bit of a surprise to see the restrictions apply only to the sector,” says North. “In the EU, all operators of essential services such as gas pipelines, electricity operators and airports, will be subject to network security restrictions.”

Ensuring compliance with the new regulations will add to the administrative and financial burden of telco businesses, though this is being looked on as something worth bearing to avoid network security breaches. The stricter stance on network security will also filter down to suppliers in the supply chain, so those supplying equipment to network carriers should prepare for potential contract changes.