On 7 July 2022, Australia’s Minister for Communications, Michelle Rowland, made two legislative instruments aimed at protecting against threats to and strengthening the resilience of assets in the telecommunications sector.
The Telecommunications (Carrier License Conditions – Security Information) Declaration and Telecommunications (Carriage Service Provider – Security Information) Determination 2022 (the “Instruments”), made under sections 63 and 99 of the Telecommunications Act 1997 (Cth) (“Telco Act”) respectively, create new carrier licence conditions and service provider rules which together impose positive security obligations on carriers and eligible carriage service providers (“CSPs”). Specifically, the Instruments require carriers and CSPs to:
- 1notify the Australian Signals Directorate of cyber security incidents; and
- 2report operational and control information to the Secretary of Home Affairs.
The obligations within the Instruments broadly mirror those set out in the Security of Critical Infrastructure Act 2018 (Cth) (SOCI) and bring the telecommunications industry into line with other critical infrastructure sectors.
Background
The introduction of the Instruments has occurred against the backdrop of significant amendments to SOCI over the previous 12 months, in line with the Australian Government’s Cyber Security Strategy 2020.
Among other changes, the classes of assets subject to the SOCI were expanded in late 2021. ‘Critical telecommunications assets’ were among those newly added asset classes brought within SOCI’s scope.
Obligations contained in SOCI, which broadly parallel those set out in the Instruments, were subsequently ‘switched on’ in relation to most classes of critical assets by the Security of Critical Infrastructure (Application) Rules which took effect 8 April 2022. However, critical telecommunications assets were not included in the Rules and as such, the SOCI obligations were not activated in respect of these assets.
By bringing asset security obligations under the Telco Act, the Instruments build on a foundation set by the 2018 Telecommunications Sector Security Reforms, which were aimed at strengthening Australia’s protection against threats to the telecommunications sector and managing national security risks associated with unauthorised access to and interference with telecommunications networks.
Security obligations
The obligations contained in the Instruments apply in respect of all tangible assets (excluding customer premises equipment) that are owned or operated by a carrier or eligible CSP and used to supply a carriage service.
1. Cyber security incident reporting
Carriers and CSPs are now required to notify the Australian Signals Directorate (“ASD”) of two types of cyber security incident:
- ‘Critical’ cyber security incidents must be reported to the ASD within 12 hours of the carrier or CSP becoming aware of an incident which has had, or is having, a ‘significant impact’ on the availability of an asset.
- ‘Other’ cyber security incidents must be reported to the ASD within 72 hours of the carrier or CSP becoming aware that an incident has occurred, is occurring or is imminent and has had, is having or is likely to have a ‘relevant impact’.
2. Operational and control information reporting
From 7 October 2022, Carriers and CSPs will have an ongoing obligation to provide the Secretary of Home Affairs with ‘operational information’ about each of their assets.
They must also provide ‘interest and control information’. That is, certain information about any entity that holds a direct interest of 10% or more in an asset.
Key takeaways
Given the broad definition of ‘asset’ contained in the Instruments, carriers and CSPs should give careful consideration to which of their assets might be subject to these new obligations.
It is also important that carriers and CSPs act quickly to implement arrangements to ensure compliance. While the Cyber and Infrastructure Security Centre (a part of ASD) has indicated that the first 12 months from July 2022 will be a learning phase, the Telco Act provides for substantial pecuniary penalties for contraventions.
For further information, please contact:
Patrick Cordwell, Bird & Bird
patrick.cordwell@twobirds.com