
Joint statement: Network Protection Legislation May Lead to Greater Cyber Risk

Proposed new Federal legislation intended to help protect Australian communications networks and businesses from cyber attack and sabotage might actually make them more exposed to such threats, a broad coalition of industry representatives has warned.

In a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) published today, the group pointed to serious problems in the Telecommunication Sector Security Reform (TSSR) legislation, recently introduced to Federal Parliament.

These included vague drafting, regulatory overreach, the ongoing risk that telecoms service providers could be forced by Government to dismantle or retrofit existing communications networks, and the risk of hampering innovation and placing Australian businesses at a competitive disadvantage.

The coalition of industry associations includes the Australian Industry Group (Ai Group), the Australian Information Industry Association (AIIA), the Australian Mobile Telecommunications Association (AMTA) and Communications Alliance, which collectively represent the bulk of Australia’s $100 billion ICT industry, including telecommunications carriers, carriage service providers, vendors and intermediaries.

The Associations did commend the Government for making a number of useful amendments to earlier drafts of the legislation, after receiving advice from Industry.

They also acknowledged that Australia’s critical infrastructure, including telecommunications services and networks, remains at risk from espionage, sabotage and foreign interference, and pointed out that industry players are commercially motivated to invest in hardening and protecting their networks.

The Associations warned, however, that the onerous, one-way nature of the notification requirements will act to hamper the responsiveness of service providers to cyber threats. They called on Government to consider more collaborative, effective approaches, as are being adopted or contemplated in other countries including the US, UK and Canada.

The proposed TSSR regime "may in fact divert scarce resources away from investing directly in addressing cyber security threats, to compliance overhead arising from the regime. It may reduce the ability for the ICT industry and its clients to proactively monitor and quickly respond to threats and breaches," the submission states.

While the proposed legislation establishes a set of obligations for Industry, the Associations pointed to the absence in the legislation of an equivalent requirement for Government to brief Industry on emerging threats.

A further potentially impractical provision, they said, is a requirement to attempt to protect networks that are ‘used’ by a service provider, even when these networks are not owned or controlled by that provider, and might not even be located in Australia or subject to Australian law.

The Associations anticipate appearing before the PJCIS on these issues when public hearings are held.

The full text of the submission can be found here.

Media enquiries (Ai Group): Tony Melville 0419 190 347