A push to force telcos to inform the federal government of changes to their networks as well as their procurement intentions has been given the green light by a parliamentary committee despite industry backlash.
The federal government first flagged its so-called telecommunications sector security reforms (TSSR) in 2015, in an effort to turn previously informal arrangements into a legalised set of obligations.
The proposed laws were a response to concerns about the threat posed by suppliers of equipment and managed services located in foreign countries, like Chinese networking giant Huawei; the government claimed it wanted to better protect telco infrastrucure and systems from attack.
A slightly reworked exposure draft was published last November following industry outrage at the "broad and intrusive" plans.
The bill imposes a requirement that telcos "do their best" to protect the networks and facilities they "own, operate or use" from "unauthorised access and interference". It gives the Attorney-General power to order a telco to take a particular course of action if there appears to be a risk to national security.
Telcos would similarly need to inform the department about any changes - like outsourcing, offshoring, or purchases involving sensitive parts of their network - they plan to make that could have a "material adverse impact" on their obligation to secure their networks.
After being introduced into the senate last November, the bill was immediately referred to the parliamentary joint committee on intelligence and security for review.
In its report on the bill, released today [pdf], the PJCIS gave its support to the legislation, pending a few changes.
Notably, it recommended the bill be tweaked to give the Attorney-General's Department insight into how much of the metadata telcos are required to retain under data retention laws is stored offshore.
The department recently admitted it had no idea how much of the retained data was located outside Australia.
The committee agreed with industry's concerns about the bill's unclear wording, and said the government needed to clarify what was expected of telcos in the areas of cloud computing, over-the-top services, offshore arrangements, and shared facilities.
The committee also said the AGD should create a list of the sorts of changes telcos won't need to notify the department about, as well as provide more detail on they changes that would require notification.
The AGD should report annually on the scheme to parliament, it said, and make sure there is a threat-sharing arrangement in place to ensure telcos receive "timely and tailored threat information to aid compliance".
Overall it recommended the bill be passed, should its recommendations be accepted by the government. The PJCIS suggested it be tasked with reviewing the scheme within three years.
Telco industry groups the Communications Alliance, the Australian Information Industries Association (AIIA), and the Australian Mobile Telecommunications Association (AMTA) congratulated the committee for 'highlighting the weaknesses' in the legislation.
The groups called on the government to implement the recommendations.
The obligation for telcos to "do their best" to protect networks will apply to all carriage service providers in the country, while the notification provision will only apply to those nominated under the TIA Act.
The government has estimated it will cost $1.6 million each year for AGD and ASIO to administer the scheme, and around around $184,000 annually per telco to comply.
