Oz carriers to Attorney General Brandis: get OUT of our networks
Telcos speak with one voice on telco security 'reforms'
Australia's telecommunications industry has spoken with one voice: George Brandis's Attorney-General-as-Sysadmin legislation is a mess.
The Attorney-General's (AG's) department has published the submissions received on the legislation, and among the ten industry-written submissions there's not one in support of the Telecommunications and Other Legislation bill.
Seven submissions complain that the procedures by which the AG might decide to issue a direction to a carrier are unclear or lack procedural fairness, and the same number say the laws are too broad.
As pay television operator Foxtel notes, the legislation doesn't even explain how long a carrier might have to comply with an order: “There are no timeframes specified for the Attorney-General’s Secretary to make such assessments”, its submission states.
Since an order might range from “withdraw this service” to “get rid of all kit from Vendor X” to “rewrite your entire route table so traffic does not traverse New Zealand”, not knowing how fast an order might have to be implemented is a serious concern.
Internet service providers iiNet and TPG homed in on the vendor-ban possibilities in the bill. iiNet notes the bill could even allow the A-G to order a carrier “to cease using the equipment or service if it is already using it” (even if the carrier itself was perfectly happy with the equipment).
Optus noted that such idiotic orders could be made with no genuine risk assessment: “It would appear from the Exposure Draft that if a threat or risk merely exists, it provides an adequate basis for a Direction to be issued, without any qualification on the threat or risk assessment”, its submission states.
Telstra agrees, generously allowing that there might exist someone in Australia's Security Intelligence Organisation (ASIO) with a spoonful of clue: “a security assessment from ASIO should be obtained before a direction can be made and a statement of reasons issued alongside any directions”.
That's much more generous than TPG was willing to be: “TPG does not believe the Attorney-General or his secretary is the best placed authority to make decisions about a Telco’s network security. They lack the requisite knowledge of the intricacies of a Telco’s systems and are unlikely to possess the skills to determine the appropriate form and level of network security required”.
TPG also doesn't trust the A-G's department to keep politics out of its decisions, saying that as the law now reads, a direction could include: “Please stop supplying the Internet to people who are not citizens of Australia” or “We direct you to intercept carriage services supplied to this suspected terrorist”.
Trident Submarine Cable plays the industry development card, throwing potential impacts on Australian innovation into the mix: “Trident is also concerned that this power to arbitrarily override procurement decisions may have a detrimental effect on the willingness of the private sector to invest in new systems, processes and services and new businesses in the first place, driving such innovation and development offshore.”
None of the submissions likes the idea of handing network data over to the department without knowing what obligations are on the A-G to secure that data, and the industry also complains there's little indication of the implementation timeframe for the legislation.
There's also no safe harbour or review mechanism in the bill (one wag went so far as to suggest carriers could appeal to the communications minister), and naturally enough, carriers already burdened by being made to implement copyright filters and metadata retention want to know who's going to pay for it all when the AG asks them to buy new kit, or adjust it according to government fiat. ®