The Federal Government’s Telecommunications (Interception and Access) Amendment Bill 2009 has passed the Senate, widening the range of options for private entities to protect their IT networks from cyber attack.
Prior to the amendment, existing telecommunications interception legislation only allowed national security and law enforcement agencies to protect their networks from malicious software
The changes mean private computer networks may now be lawfully protected also.
Private network protection activities will only remain lawful, however, if they are carried out for a legitimate network protection function, according to the Federal Attorney-General, Robert McClelland.
“In this way, the Government is seeking to balance the need for network integrity with an individual’s right to privacy,” McClelland said in a statement.
James Turner, an advisor at analyst firm IBRS, said how the definition of ‘protecting’ a network evolved over time would be an important factor in the effectiveness of the bill.
“I can imagine that the legal counsel of an ISP could take the view that it is entitled to protect its network from activities which expose the ISP to being taken to court, as recently happened with iiNet,” Turner said.
“From this perspective, it would seem feasible that an ISP could monitor and block a wide range of customer activities, particularly those which involve copyrighted material. The customer may not actually be doing anything harmful, for instance transmitting malware, but the ISP may consider that the information being transferred expands its risk profile. So, I think this will be a classic case of ‘we'll see what it means when it gets tested in court’.”
The Greens raised similar concerns in November, calling for greater clarification around "network protection duties" and "disciplinary actions" of the Amendment. The political party also sought tighter requirements around destroying copies of intercepted communications.
The Bill is part of a wider cyber security initiative, which includes the January opening of the Cyber Security Operations Centre (CSOC), which was announced as part of the Defence White Paper released in 2009.