The industry group, representing the bulk of Australia’s $100 billion ICT industry, points to serious problems in the Telecommunication Sector Security Reform (TSSR) legislation, recently introduced to federal parliament, including:
• Vague drafting and regulatory overreach
• The ongoing risk that telecoms service providers could be forced by Government to dismantle or retro-fit existing communications networks
• And the risk to hamper innovation and to place Australian businesses at a competitive disadvantage.
The group includes telecommunications carriers, carriage service providers, vendors and intermediaries and has told the parliamantary committee that the he proposed TSSR regime “may in fact divert scarce resources away from investing directly in addressing cyber security threats, to compliance overhead arising from the regime.”
They also warn that the proposed regime may reduce the ability for the ICT industry and its clients to “proactively monitor and quickly respond to threats and breaches”.
While commending the government for making a number of useful amendments to earlier drafts of the legislation, after receiving advice from industry, they also acknowledged that Australia’s critical infrastructure, including telecommunications services and networks, “remains at risk from espionage, sabotage and foreign interference” – and pointed out that industry players are commercially motivated to invest in hardening and protecting their networks.
The associations warned, however, that the onerous, one-way nature of the notification requirements would act to “hamper the responsiveness of service providers to cyber threats”.
They also called on government to consider more collaborative, effective approaches as are being adopted or contemplated in other countries including the US, UK and Canada.
The associations say that while the proposed legislation establishes a set of obligations for industry, they point to the absence in the legislation of an equivalent requirement for government to brief Industry on emerging threats.
“A further potential impractical provision is a requirement to attempt to protect networks that are ‘used’ by a service provider, even when these networks are not owned or controlled by that provider, and might not be even located in Australia or subject to Australia law,” they say in their submission.
The associations anticipate appearing before the PJCIS on the issues they raised when public hearings are held.
To read the full text of the submission click here.