After the telecommunications industry told him he had gone too far, Attorney-General George Brandis has decided not to try to pass legislation to immediately give him unlimited power over their networks.
The Telecommunications Security Sector Reform (TSSR) legislation, flagged by Brandis in June, would have allowed the secretary of the Attorney-General’s Department to dictate what telcos could and could not install in their mobile and internet networks. The legislation would have also required telcos to hand over any information the secretary wanted, or face fines.
Under the legislation the government would also have had oversight regarding what network gear companies could purchase.
This added oversight would cost the industry $558 million to set up and would cost each telco $184,000 every year in ongoing costs.
Lobby groups the Communications Alliance, the Australian Industry Group and the Australian Mobile Telecommunications Association, along with Telstra, all railed against the proposed legislation, declaring it "regulatory overreach" and saying it would limit new private investment in Australia.
Late on Friday afternoon, Brandis and Communications Minister Mitch Fifield announced an extension to consultation with the industry until January 18 next year, and a revised exposure draft of the legislation.
Under the changes, telcos would still be required to inform the government of planned changes to their networks, but would now get directions from the attorney-general on what they must do with their networks, rather than the secretary of the department.
Essentially, the government wants to be notified when there are changes to sensitive parts of the network that could be vulnerable to hacking or penetration by foreign states. In particular the government has an eye on which companies are allowed to supply Australian telcos. Infamously, Chinese technology giant Huawei has been banned from supplying network technology for the NBN, due to concerns about the company's links with the Chinese government.
It is easy enough for the government to impose a ban for a company (NBN) that it owns, but it is much harder to ask for a similar ban for private companies. To be able to issue a direction to ban, for example, Telstra from using Huawei or any other company's network gear for a 5G mobile network, the attorney-general will first need an adverse security assessment from ASIO and be satisfied that what the telco is trying to do to its network is "prejudicial to security". If the government makes a bad decision, the directions issued will now be reviewable under the Administrative Decisions (Judicial Review) Act.
The government is also extending the amount of time telcos will have to be compliant with the legislation to 12 months instead of six months.
The directions the attorney-general can issue still seem rather vague, however. For example, according to the exposure draft, if there is concern that there is a risk of unauthorised interference with, or access to, a telecommunications network, the attorney-general may give a telco "a written direction requiring the [telco] to do, or to refrain from doing, a specified act or thing within the period specified in the direction".
The industry is slightly more disposed towards the revised proposal. The Communications Alliance said on Friday that it was a "more balanced approach" to meeting the government's objectives, but indicated that it would potentially push for further changes when the legislation is reviewed by the Joint Standing Committee on Intelligence and Security upon introduction to Parliament in 2016.
As there are only four sitting days left in the Parliament for 2015, it was unlikely the legislation was going to be introduced and passed this year, even before the announced delay. Crikey understands the government did not intend for the legislation to be included in the latest tranche of national security legislation announced by former prime minister Tony Abbott and now being debated in Parliament. Brandis said in the Senate earlier this year that the government would also introduce legislation to force companies to publicly report any data breaches in their systems, but this legislation is not listed to be introduced this week.
The revised changes to telecommunications national security legislation were not the only Friday afternoon news dump from the government last week, with Finance Minister Mathias Cormann announcing the government would not proceed with a proposal to sell off the intra-department fibre network in Canberra. The Intra Government Communications Network is used to connect 88 government agencies in Canberra and is made up of around 160,000 kilometres of fibre. In February, the government announced it had commenced a scoping study for the potential sale of the network, and reports last week suggested Japanese-owned tech company Dimension Data had made an offer that was rejected.
Then on Friday afternoon, Cormann announced that the network would remain in government hands, with a few minor changes.
The decision to privatise its own network would have been an interesting move. The ICON scoping study found only 17 of the 34 agencies running protected networks over the ICON network use encryption, and more would need to add encryption over time. Cormann told the ABC on Friday that given DFAT and others used the network, security did play a role in the government's decision.