A group representing the telco industry has described as “disturbing” guidance on the use of offshore cloud services presented at a stakeholder meeting on the Telecommunications Sector Security Reforms. The meeting was hosted by the government’s Critical Infrastructure Centre (CIC).
The parliament in September passed legislation implementing the TSSR regime, which imposes formal obligations on network operators to protect their infrastructure from threats such as sabotage.
There is a range of associated obligations, including that telcos inform the government of planned changes to infrastructure that could affect security.
Under the TSSR legislation, the government is also empowered in certain circumstances to step in and issue directions to telcos — including potentially to not use a certain supplier due to ostensible national security concerns. (There have been rumours, for example, that the government might seek to bar Huawei from participation in the rollout of 5G services.)
Communications Alliance in a letter to the CIC, which now sits under the Department of Home Affairs, claimed that a slide used during the 20 March presentation said “that third party cloud services and/or service providers or facilities based outside Australia can be used provided that the information and networks using those services or facilities will be protected to at least the same standard as if those services were provided from within Australia”.
“As foreign governments typically have incursive powers to access information or facilities, it is by definition not possible to fulfil the security obligation to the same standard that could be applied in Australia,” the letter states.
“Even where offshore or cloud providers have been certified by the relevant Australian authorities, it is not possible to guarantee the same standard of protection.”
The telco group said that the slide contradicted comments previously made by the government.
At a 23 March, 2017, hearing of the Parliamentary Joint Committee on Intelligence and Security’s inquiry into the TSSR legislation, Sarah Chidgey — at the time first assistant secretary for the Attorney-General's Department Cyber and Infrastructure Security Division (she has since moved into a deputy secretary role) — said that telcos’ security obligations “relate only to their networks and facilities to the extent that they have access and control”.
“Where a communication is transmitted across infrastructure of an Australian provider and then on to a foreign provider, the obligation would extend just so far as the Australian provider's infrastructure and the gateway and not beyond that,” Chidgey said.
Chidgey later added that the government “certainly would expect them to be compliant with foreign law and I guess in terms of making decisions originally about offshoring their facility”.
“Clearly with international communication there is going to be part of service or infrastructure that is international,” she added. “The obligation would only extend so far as they have the ability to control. If they choose to place some of their facilities in an offshore environment then this framework is designed to have a conversation about the risk of the particular arrangement they propose before it proceeds.”
“The PJCIS framed its recommendations to Government based on the testimony it received from AGD – particularly as it relates to this point,” the Communications Alliance letter states.
“The most recent guidance contradicts the assurances that AGD gave to the Australian Parliament. It appears that the guidance attempts to ‘shift the goal post’ into a territory of protection that is nearly impossible or completely impossible to achieve.”
The group called for the CIC to change its guidance “to reflect the original intention of the law and as explained by the AGD during the hearing on 23 March 2017”.
The TSSR regime takes effect in September.