TSSR: Industry concerns over telco security legislation remain

Although telco industry organisations welcomed the federal government’s attempt at redrafting a bill intended to boost the security of Australia’s telco infrastructure, concerns remain about the second version of the innocuously named Telecommunications and Other Legislation Amendment Bill.

The first exposure draft of the legislation — part of a process dubbed the Telecommunications Sector Security Reforms (TSSR) — was thoroughly unpopular with industry.

The proposed legislation will give the government the power to issue directions to telcos to do (or not do) "things" to boost infrastructure security.

The legislation could potentially see the government overriding a telco’s choice of equipment vendor or network design decisions in the name of national security, and would force carriers to inform government security agencies of significant changes to their networks.

The second exposure draft boosted safeguards on the use of the powers in the bill and increased the threshold that needs to be met for a direction to be issued to a telco.

However, a joint submission by the Australian Industry Group, the Australian Information Industry Association, the Australian Mobile Telecommunications Association and Communications Alliance to the consultation on the reworked bill states that although the revised draft is superior to the government’s initial proposal, the bill will potentially result in the diversion of resources away from ensuring the security of communications infrastructure into compliance with the TSSR regime.

“The draft legislation, Explanatory Memorandum (EM) and the associated Guidelines still fail to answer the fundamental question of what specific failings and/or weaknesses Government is seeking to address,” the submission states.

“It remains unclear how this proposed additional layer of regulation and cost to industry and intrusion into the commercial decision making processes of [carriers/carriage service providers] C/CSPs and carriage service intermediaries can be justified.”

The draft legislation is unnecessary and “still too discretionary and vague,” the submission states.

One particular concern the organisations cite is the potential detrimental impact on innovation in the telco sector. For example, the notification requirement could hold back the adoption of software-defined networking and network function virtualization.

The TSSR should be a “collaborative, outcomes-focused framework”, not a command-and-control regulatory framework, the associations argue.

An approach involving industry-developed security framework, with legislation being the last resort, would potentially offer a better path forward, the submission states.

"We welcome the fact that the government has responded — by way of amendments — to some of the concerns raised by our industries during 2015 in respect of the first exposure draft,” Communications Alliance CEO John Stanton said in a statement.

"We do, however, maintain that further adjustment of the proposed reforms is needed to extend and maintain the security framework for the telecommunications industry in an effective and efficient manner. "We remain especially concerned with the potentially negative consequences of the proposed reforms on businesses and innovation, particularly in the context of the Internet of Things (IoT).”

"We believe that the more collaborative approaches to dealing with cyber threat to communications infrastructure that are being taken or contemplated in major international markets such as the USA, UK and Canada would provide better avenues to improving cyber security,” Stanton said.

"Consequently, we suggest that these less prescriptive strategies be carefully examined in Australia before proceeding down the path currently proposed by government."