Comms sector teams with business lobby to slam George-Brandis-as-NetAdmin law
Inexpert regulation, scope creep, more metadata stored - what could possibly go wrong?
Australia's telecommunications industry's peak bodies have joined with a broad industry lobby group in the forlorn hope that Australia's Attorney General George Brandis can be persuaded to keep his department out of their networks.
In spite of the telco security reforms being referred to as the “Telecommunications Sector Security Reform” (TSSR), the four-signatory submission reckons it will make networks less secure. Along the way, the TSSR will hamper technologies like Software-Defined Networking (SDN), and slow the pace of product launches.
The joint objection to Brandis' attempt to give his department oversight of telco network security comes from the Australian Industry Group, the Australian Information Industry Association, the Communications Alliance and the Australian Mobile Telephony Association.
The four groups say the draft laws are so vaguely drafted that carriers and service providers don't know if they'll be allowed to resell overseas services; and as it now stands, the government could instruct telcos to “retrofit or remove existing facilities” on the say-so of the Attorney-General's Department.
The legislation has been grinding its way through the parliamentary process since Prime Minister Malcolm Turnbull was a mere communications minister. It gives the Attorney General's Department sweeping powers to dictate network security arrangements, demand documentation of sensitive network information, and forbid significant changes to network architecture without written permission.
That's worried the industry for years: in the first ten submissions received, not one supported the legislation.
The government has been distracted since then but the legislation is now back on the agenda and a new round of consultations closed on Friday.
Destroy security in order to save it
As well as the concerns listed earlier, the industry groups say the laws won't even achieve their aim of making networks more secure. The compliance requirements in the bill will “hamper the responsiveness of C/CSPs to cyber threats”, they write, and “there is no established strategy” to brief carriers and carriage service providers [the C/CSPs in the submission - Ed] on the threat environment.
The regime, they write, gives government power to intervene in network design; vendor selection (Australia's government has previously blocked Huawei from supplying kit to the country's National Broadband Network); procurement; mergers and acquisitions; service supply obligations; and “use of global or regionally based network or business resources of multinational organisations”.
“In contrast, there is no corresponding obligation on Government to justify its actions, take responsibility for any unintended outcomes, bear the costs or deliver a practical and timely threat advice service. Nor is there any guidance or limitation on regulatory creep of the TSSR framework into services and networks that are non-critical”, the submission states.
As previously warned, the group re-emphasises that software defined networks and network function virtualisation – the two technologies most likely to bring spiralling network costs under control – are incompatible with the legislation.
In response to similar legislation in New Zealand, research network REANNZ moved its SDN test-bed to Australia and the USA, and the submission warns of a similar outcome here:
“As is the case in NZ, it is likely that Australian authorities will take time to get up to speed on very new technologies and their use within networks and this can delay or deny implementation of such technologies as authorities adopt a conservative approach and ‘err on the side of caution’.”
As the laws now stand, the submission warns, even something as straightforward as launching a new product or service could trigger a requirement to secure sign-off from the Attorney-General's Department (AGD).
Who else doesn't like the bill?
The Australian Centre for Cyber Security's (ACCS's) submission points out that satisfying the law could do something that the government didn't manage in its much-disliked data retention regime: demand carriers retain the URLs their users visit, as captured by deep packet inspection (DPI) kit in their networks.
“Not retaining and not analysing session metadata may not qualify as doing your best and exercising competent supervision” over a network, the submission says.
With carriers collecting much deeper metadata under the TSSR, the ACCS warns that spook agencies might go forum-shopping: since they can't get the information they want from the data retention regime, they might instead send the AGD to demand that information under the guise of telecommunications security.
It also notes a lack of oversight for this information, saying the Commonwealth Ombudsman has no powers over data collected under the TSSR.
Macquarie Telecom's submission suggests it isn't as worried as the industry group that the TSSR will limit infrastructure offshoring, but says “the draft legislation still provides for unjustifiably intrusive powers for Government to intervene in telecommunications infrastructure without adequate consultation or protections for industry.”
It adds that telecommunications carriers are probably better placed than the Department to secure networks as the carrier “already has a strong interest and demonstrated expertise in ensuring its networks and services are secure.”
As well as imposing cost burdens, the company concurs with the industry groups that the laws will “potentially impede Macquarie Telecom’s ability to respond quickly with business innovation.”
Optus is more muted, focussing primarily on notification requirements, consultation with industry and the TSSR's transparency and accountability measures.
It notes, however, that the bill appoints the AGD as a kind of super-NetAdmin. The scheme “further elevates” the Attorney-General of the day “to a position of regulator of the communications sector”, but doesn't demand the government's regulator performance framework apply to see if the department or the A-G are competent to oversee the industry.
Foxtel, on the other hand, just wants broadcasters (who operate extensive telecommunications networks) to be exempted from the scheme: “where infrastructure and facilities are used solely or principally for the supply of broadcasting services it is not subject to the proposed reforms.” ®