Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download Current HansardDownload Current Hansard    View Or Save XMLView/Save XML

Previous Fragment    Next Fragment
Wednesday, 13 September 2017
Page: 10394

Mr BRIAN MITCHELL (Lyons) (17:24): I rise to give my support to this bill, the Telecommunications and Other Legislation Amendment Bill, which strengthens and amends the Telecommunications Act and related legislation in order to better manage the national security risks of interference with and access to telecommunications networks and facilities. The Parliamentary Joint Committee on Intelligence and Security has handed down two reports from inquiries in 2013 and 2015, and this bill is the result of a lengthy process of negotiation and cooperation between the government and the telecommunications industry which began with the former Labor government's broad review of national security issues in 2012.

In 2013 the Joint Committee on Intelligence and Security recommended that government create a telecommunications framework in recognition of threats to our national security that can be made through the telecommunications system. In a further report from the committee in 2015, telecommunications sector security reform was again supported. The bill was first introduced in November last year and was referred to the joint committee for scrutiny. The committee held two public hearings in February this year and another in March. The committee also had private briefings from relevant agencies in Canberra. The committee process of scrutiny of this bill has been rigorous and comprehensive. This is a great example of how our parliamentary system should operate and work effectively.

Before I go on about the joint committee, I just refer to this: I have just seen this on a website about the troubles affecting Equifax, which is one of the largest consumer credit companies in the US. It's in all sorts of trouble over cybersecurity. It has access to the social security details of 143 million Americans, plus a whole bunch of Poms and Canadians. They actually had passwords for their employees that were literally 'admin/admin'—just about the single worst password you could think of. This is a major consumer credit company with very private details of 143 million Americans. This is the exactly the sort of thing we want to avoid in this country, and one that I hope this process would help us to avoid in Australia.

The joint committee has made 12 recommendations, including making clear what a company's security obligations are in circumstances where telecommunications infrastructure is used but not necessarily owned or operated by a company. A company's infrastructure may be located in a foreign country and used to provide services and carry or store information from Australian customers—I'm not sure that we could recommend Equifax as a foreign company—and where a company provides cloud computing and cloud storage solutions. With our society becoming more mobile, with people accessing information from different locations and devices, the security of files and information is paramount. Gone are the days when we had a PC at home and another at work, and files were saved to floppy disks—for the young people in the gallery, they were funny little things with I think 56 kilobytes of information. Then along came CDs and USB drives, but all of them were physical media, to be transported physically from one computer to another.

That has all gone. We now live with the cloud. There is a T-shirt doing the rounds that states, 'There is no cloud—it's just somebody else's computer.' That always tickles my funny bone, because it's absolutely right—there is no cloud. The cloud, of course, is really a server, somewhere, connected to your device or devices via the internet. The server is most likely one of hundreds of thousands in a massive facility locked down in some bunker somewhere overseas. These days you will generally save your material to your cloud service, which enables you to retrieve and work on your files from whatever device you choose to log in with. You might start writing a letter at home on the PC. You will save it to the cloud. Then on the bus you might log in and edit the file on your mobile. You will save it again. Then you might get to work and log in via your work PC and finish it off and email it.

Major companies are moving their services to the cloud. Adobe, which owns publishing software like InDesign and Photoshop, now offers all its applications via cloud-based services and has stopped providing software via physical media. It doesn't even offer an online downloadable subscription. The parliament, which does offer InDesign and Photoshop as a work software to members, has to have a special deal with Adobe to get a service that is not cloud-based because of the security issues. Most customers are required to have ongoing cloud-based subscriptions. The cloud is where the world is moving to. In making this change, Adobe is counting on the fact that its customer base—in the main designers, artists and journalists—are comfortable working in an internet environment. That's probably a good assumption to make. Most people are comfortable in that environment, and I would guess that many more companies are going to be offering exactly the same sort of application. We need to get used to the fact that the internet, the cloud, is where services are going to be. That's exactly why we need better cybersecurity and more formal arrangements in place.

While universal availability, dependent on decent internet—let's not talk about the NBN—helps to make our lives easier, it does raise questions. First, it can be impossible to switch off from work, when you can work at home at all hours. Second, and more relevant to this bill, ensuring security of data in a cloud based environment is vital. When working inside the cloud or with remote servers your security is only as good as the company that hosts your data. Sure, you might have file passwords, but you still don't want unauthorised third parties to be able to even get near your encrypted data.

My electorate of Lyons is pretty big and I'm often in my car, along with my iPad and my mobile phone, and that is pretty much my office for much of the week in my electorate. Using the parliament's cumbersome and frankly archaic log-in security services, I can access the remote parliamentary server and edit files as necessary, when I can get on, when I can get decent internet, just as I can from the office PC. The proviso is that the remote server is very slow, even over pretty good internet, and it is a pretty clunky setup. Hopefully there will be some changes in the near future.

What I can't argue with is the need for the security. I accept that. The last thing I want to do is log on remotely while on the road and have someone able to hack into my signal and gain access to my office data, much of which can contain personal information on staff and constituents. I'm not a fan of overbeating the egg on national security. I am generally of the view that we should not dismantle our freedoms in order to protect them, but I do accept we need to take cybersecurity very seriously. It is a huge part of both our national security and our corporate security effort. Frankly, we all need to think a bit more seriously about cybersecurity and, at a personal level, we should ensure that whatever cloud service we use is reputable.

Personal information provided to cloud services includes names, addresses, passwords and billing information, so I would hazard a guess that perhaps people should try to avoid Russian based internet cloud services that they don't know about. Let's make sure we are not handing the information to crooks. What happens to all our information and files if the cloud server is compromised in some way? Is data and information safe? What are the risks? These are the questions we must ask.

Many of the cloud services people use are hosted internationally. It is reassuring to know this bill also includes measures to consider the security of offshore information for Australian providers and carriers. This bill places an obligation on carriers and carriage service providers to notify the government of any changes to offshore arrangements. The last thing we want is a cloud server shifting from Nebraska to North Korea, without anyone knowing about it—though, of course, that would be illegal.

While there will always be an element of risk in relation to the storage of information and data by telcos, this bill goes some way to mitigating this risk and providing confidence that there are measures in place to help keep our telecommunications systems safe. A little shout-out here to Google, Amazon, Apple and others: Tasmania is the ideal place to house your servers. We have a cool, relatively dry climate, we are geologically sound and we have a fairly stable political system. We also have lots of regional, affordable land. We are well worth a visit—come on down.

While on the issue of security, all of us also put a lot of information out there, on social media especially, and thieves like to harvest it. For example, receiving birthday wishes on Facebook can give cyber crooks access to your birthday, one of the questions often used as a security question. We all put the names of our pets and our kids and spouse on social media. All this seemingly innocent material can be harvested by crooks and used to forge false identities with banks and other authorities. Reclaiming a false identity is no easy matter.

This legislation is not just about protecting personal information and files. It is about protecting the wider communications network across the country. Advances in technology like cloud systems and the ways in which we work, communicate and store information have opened vulnerabilities within our systems, risking unauthorised access to networks, with the potential to cause major disruption and potentially disable critical networks. If there were a breach in one area of our telecommunications network, it could have catastrophic consequences and ramifications for the country as a whole. A compromised telecommunications system during an emergency could have wide-reaching implications, particularly in terms of our first responders and security agencies being able to act and to provide the necessary support and action in a timely manner. We have been given a warning of this. There is no better example than Die Hard 4.0Live Free or Die Hard. John McClane is tasked with bringing in a hacker because the villain, played by Timothy Olyphant, is threatening a 'fire sale', a term that means everything must go—energy, telecommunications, finance, transport systems, national security—because it's all wired and it's all connected. Fiction, you say? We'll see.

The bill also puts measures in place that require carriage service providers and carriers to protect their networks and facilities from unauthorised access and interference. While we may think about security of our telecommunications system in terms of the data and information that telcos might hold, security in this instance also refers to the physical assets of the carriers and service providers. So, expect a few more cameras and security patrols around infrastructure.

The security and resilience of our telecommunications infrastructure is vital to the social and economic wellbeing of the nation as a whole. Perhaps they should have a big ugly fence go around them—but that may be a bit controversial. This security and resilience is particularly important in regional areas, such as my electorate of Lyons, where many small communities rely on a secure service in order to stay in touch with family and friends, stay healthy and be successful in business. This bill will give the people of my electorate security in the knowledge that their communications and data are as safe as we can make them. The question of reliability of service and connection is something that can be debated on another day in this place—I'm still talking about the NBN.

Telecommunication companies hold vast quantities of sensitive data, such as billing and other information. If this material is unlawfully accessed it poses great risk, not only to the country but to individuals. Personal security of individuals can be put at risk if sensitive information, such as addresses, is obtained by nefarious characters. Currently, telecommunications companies work voluntarily with government to keep our critical infrastructure safe from foreign and other threats. This bill formalises this constructive relationship between government and telcos. While the current environment and relationship is one that operates on goodwill between telcos and governments, this bill puts measures in place to ensure there is a regulatory framework should that goodwill cool in the future.

Security agencies currently work with telcos to help them manage vulnerabilities in their networks. Increasingly, there are new players in the industry who may not have established those relationships over time. The current cooperative and voluntary arrangement works well, but it does so only with the goodwill of all parties involved. We need something a bit more formal, and that is what this bill hopes to achieve. We cannot take those relationships for granted, so it is important that we have that regulatory framework in place to ensure that current arrangements carry over to all carriers and service providers.

Labor has consistently worked with the government to make sure our security agencies have the powers they need to help keep Australia safe. Labor is pleased the government has adopted all the recommendations from the Joint Committee on Intelligence and Security, and we commend the committee for its rigorous investigation into the government's proposals.