Australia ignores cyber security at its peril

National security is vital for the nations future and it is critical that moves to improve the security of telecommunications infrastructure be supported. In Business Spectator the Telecommunications Sector Security Reforms are discussed and why we need to support the development of good legislation.

Read the full article below

Critical national telecommunications infrastructure is at risk from cyber-attack by hackers, criminals and unfriendly nations. The government has taken the first step to plug this gaping hole in the nation’s defences but for this initiative to be successful it is vital for the telecommunications industry to get behind reforms that are designed to strengthen national security, economic prosperity and social wellbeing.

In early 2016, a power outage in western Ukraine has been blamed on Russian hackers who launched a targeted attack on a Ukraine power station using email transmitted malware. In 2014, a hacker gained access to the control systems in a German steel milland prevented the blast furnace from being shut down causing massive damage to the steel works. In late 2007 or early 2008, it has been alleged that the US and Israel carried out a sophisticated cyber-attack on an Iranian uranium enrichment plant using the Stuxnet worm to infect the control systems in a uranium enrichment plant causing many of the centrifuges to fail.

Closer to home, a spate of hoax bomb threats at schools in early 2016 were traced to an elite Victorian high school where the telecommunications system had been hacked into by a group of criminal hackers known as the Evacuation Squad. For a fee the Evacuation Squad would place hoax bomb threats at specified or random targets.

After the hoax bomb threats emerged government organisations and businesses right across the country have been scrambling to secure internet connected telecommunication systems that had previously been left unsecured or with default passwords like “12345”.

The first draft of the proposed Telecommunications Sector Security Reforms (TSSR) were met with outright opposition by the telecommunications industry and other business representatives.

On 27 November 2015, the Attorney-General George Brandis and the Minister for Communications and the Arts Mitch Fifield released a second draft of the Telecommunications and Other Legislation Amendment Bill 2015 for public comment. The key elements of the Bill include:

• establishing a security obligation, applicable to all telecommunications carriers and carriage service providers (C/CSPs) requiring them to do their best to protect their networks from unauthorised access and interference
• requiring carriers and some carriage service providers to notify security agencies of planned key changes to networks and services that could compromise their ability to comply with the security obligation
• empowering the Secretary of the Attorney-General’s Department to request information from C/CSPs to monitor compliance with the security obligation
• providing the Attorney-General with a power to issue a C/CSP a direction requiring them to do or refrain from doing a specified thing to manage security risks
• expanding the operation of existing civil enforcement mechanisms in the Telecommunications Act to address noncompliance with the security obligation, notification requirement, information requests and directions.

In a joint submission the Australian Industry Group, the Australian Information Industry Association, the Australian Mobile Telecommunications Association and Communications Alliance, the peak body for the telecommunications industry, welcomed amendments made to the draft Telecommunications and Other Legislation Amendment Bill 2015 but stopped short of actually supporting any reforms to telecommunications sector security.

The submission made by the associations detailed areas of concern including:

• the purpose of the proposed reform remains unclear;
• the onerous nature of the compliance requirements will act to hamper the responsiveness of C/CSPs to cyber threats;
• there remain several areas of vague drafting in the exposure draft, including uncertainty as to the status of resale of overseas services and as to the ability of intermediaries to comply with the legislation; and
• the guideline information concerning the potential requirement for C/CSPs to retrofit or remove existing facilities is internally inconsistent, leaving open the risk that industry could face very high costs to rebuild existing networks.

The associations have argued that the hefty bill for improved telecommunications sector security is unwarranted and pointed to major international markets such as the US and Canada where it is argued that less onerous and less prescriptive strategies are being employed.

The Australian government has been first off the blocks with the TSSR and it isn’t too difficult to see that the associations are really arguing that Australia should do nothing as the cost of improved telecommunications security will reduce the association members’ bottom line.

But can Australia sit on its hands while cyber-attacks become even more brazen and frequent? Even the threat of an attack can have serious consequences. If your children were threatened during the recent spate of hoax bomb threats would you be happy for the associations to sit back and do nothing?

The associations conclude the submission with the statement that “as evidenced in this submission, the associations believe that the draft legislation is unnecessary and in its current form still too discretionary and vague.”

It is a concern that the associations are asking government to withdraw this important national security legislation and appear to be stating that they believe a nationally co-ordinated approach to prevent cyber-attacks is unwarranted.

The associations argue that the government should accept an industry developed security framework, but as Australians are all too aware, national security is the responsibility of government and the idea of national security being “self-regulated” by industry is nothing short of a farcical suggestion.

In the digital era, the threat of cyber-attack is something that a nation ignores at its peril. It is the responsibility of industry to take national security seriously, not fob it off as unnecessary and an unwanted cost.