National Security as a Driver for Telecoms Regulation in the 2020s
Speech to the CommsDay Policy Forum, Sydney, 14 June 2023:
Good afternoon, everyone.
I'm delighted to speak to you today about national security as a driver of telecommunications regulation in the 2020s. I have no governmental affiliations and these views are my own and not expressed on behalf of any clients. I’ll share some broad observations and undertake a quick stocktake of current developments and trends.
National security and cybersecurity
In giving this presentation, I’m considering national security through the prism of cybersecurity. I’ll first consider the state actors and the wider geopolitical arena. I’ll then consider private actors and the recent publicity over data breaches. I’ll consider what policy and regulatory initiatives have been taken – and conclude with some predictions as to what we can expect in the coming years.
I’m a lawyer, so I just can’t resist quoting from an Explanatory Memorandum. However, I do promise that this will otherwise be an interesting session. To quote:
“The security and resilience of telecommunications infrastructure significantly affects the social and economic well-being of the nation. Government and business are increasingly storing and communicating large amounts of information on and across telecommunications networks and facilities. By their nature, telecommunications networks and facilities hold sensitive information... This information presents a rich intelligence target for those who wish to harm Australian interests... For these reasons, the telecommunications networks and facilities of carriers and carriage service providers are attractive targets for espionage, sabotage and foreign interference activity by state and non-state actors."
So with that context, I’ll start by considering state actors in the context of Australia’s national interest in the 2020s. I’ll then consider non-state actors.
Role of state actors and the wider geopolitical arena
I’ll use the People’s Republic of China as a case study, partly because CommsDay asked me to address China given its policy importance and recent developments. Of the various nations that Australia interacts with, China perhaps best illustrates some of the geopolitical complexities, policy tensions and multiple layers of diplomatic nuance that underpin issues of national security in the 2020s, particularly for the telecoms sector.
As most of you will know, Xi Jinping became the President of the People’s Republic of China in 2013, so he has now had over a decade in that role. He tends to be regarded as a strong and more authoritarian leader. Under his leadership, China has taken a more assertive foreign policy stance that has evolved with China’s growing economic power and hence global influence. More recently, we have seen China increase its military spending while China’s rhetoric over Taiwan has intensified. A lot has been printed on this, so I say no more, other than to state the obvious, namely that Taiwan is a worrying potential flashpoint for future conflict in the Asia-Pacific region.
China and the United States are the world’s two largest economies, but their relationship is complex and multifaceted. Their trade relationship is the most important in the world. Over the last 7 years, we have seen the Sino-American relationship become strained. The Trump administration took a confrontational approach from 2017. The Biden administration less so, although still with some 'interesting' moments, including shooting down high-altitude balloons. More importantly, there has been a growing concern within the US that China is eroding the US technological lead. Those concerns were crystallised during the COVID pandemic when supply-chain shortages of semiconductors materially impacted US industry and economic growth. The so-called CHIPS Act of 2022 has been a legislative result, which has sought to boost US competitiveness, innovation, and national security. Relevantly, that Act prohibits government funding recipients from building or expanding semiconductor facilities in China and certain other countries.
This then brings us to Australia and ultimately to telecoms. Through various initiatives, including ANZUS and Five Eyes, Australia has been traditionally aligned with US strategic interests in the Asia-Pacific. Yet China is also Australia’s largest trading partner, accounting for well over a quarter of our total trade. Australia’s trade with China is over double that of the United States. As a country, Australia therefore faces interesting tensions. On the one hand, we are concerned by the impact of a more assertive China on Asia-Pacific geopolitics and regional security. On the other hand, China is Australia’s number one trade customer – and Chinese trade sanctions can have a material adverse impact on Australia’s export trade.
This then brings us to telecoms. I’ll start with the so-called ‘Huawei ban’ – or more precisely the Australian government’s interpretative announcement in diplomatic legalese that it would disqualify any 5G telecoms vendor that was "likely subject to extrajudicial directions from a foreign government that conflict with Australian law". Australia was reportedly the first country in the world to implement overt restrictions that disqualified certain vendors from 5G deployments. While this made media headlines, it was subsequently reported that NBN had previously declined to use Huawei as a vendor from as early as 2013. The so-called Huawei ban was reportedly announced as part of Prime Minister Malcolm Turnbull’s unsuccessful attempt to defuse a Liberal party leadership challenge. However, media reports indicate that this matter had been examined in forensic detail within government for many months, if not years, and had been the subject of intense Cabinet debate, including a key concern not to upset Australia’s relationship with China.
The proposed restrictions were based on national security grounds, namely that certain vendor equipment could allegedly be used for spy craft. While some detail has been reported in the public domain, much of the context remains shrouded in secrecy. I therefore say no more. The Australian government’s decision was followed by similar restrictions in other countries, although most shut out Huawei by default rather than declaration. However, as the vocal first mover, Australia attracted China’s ire. Some speculate that this issue contributed to China ultimately imposing anti-dumping tariffs on Australian barley, wine, and beef. China also blocked imports of Australian timber, coal, and lobster.
National security - the big picture
So what is happening here? I’ll take a quick step back and place the Chinese issues in context and consider the big picture. National security has always played a role in the telecoms sector, so these issues are not new. Telecoms networks convey valuable communications and information so are inherently critical to national security. The gathering of signals intelligence has been around pretty much since World War I when Britain intercepted German radio messages that revealed Germany’s plan to invade Belgium. Disrupting information flows has also had strategic value - the first recorded instance of electronic warfare involved a Russian warship disrupting radio signals from a Japanese warship during the Russo-Japanese war in 1905, some 120 years ago.
What is novel in the 2020s is our overwhelming reliance on software to control pretty much everything, as well as the greater ability of third parties to use modern communications networks to access such software. As a result, our critical infrastructure remains inherently vulnerable to sabotage and foreign interference by state and non-state actors. As evidenced by Russia’s invasion of Ukraine, modern warfare now inherently includes a cyber-warfare component. Substantial economic damage has the potential to be inflicted by malicious software code if sufficient security precautions are not taken. These threats are troubling and very real.
Role of non-state actors
Before I talk about the policy response in the telecoms sector, I’ll quickly speak to the role of non-state actors, namely hackers. The sophistication of hacking has continued to increase, including the employment of hackers by organised crime.
Again, I’ll start by saying, hacking isn’t new. For as long as the Internet has existed, cyber-attacks have been a threat. However, in the world of the 2020s, telecoms networks and devices have become the backbone of our economy and now sit at the very core of our lives. The modern-day smartphone contains everything from access to bank accounts through to the most intimate personal information, as well as providing a key means to verify identity and override security controls. There is a massive financial incentive for criminals to access such information. Telecoms networks provide that ability. Modern raw computing power and skilful social engineering provide the means to identify security deficiencies and exploit vulnerabilities.
The consequences of a large-scale cybersecurity breach can be dramatic. Optus found itself on the front pages with one of the largest data breaches in Australian history, affecting a reputed 10 million customers. However, data breaches are now a regular, even hourly, occurrence and we have seen far larger data breaches globally. The Yahoo data breach in 2013 was reputed to impact some 3 billion accounts globally as the world’s largest reported data breach. In the telecoms sector, Syniverse, a company that formed a critical part of the global telecoms infrastructure, identified in an SEC filing in 2021 that hackers had gained access to some half a billion records. The leaked information reputedly affected about 235 global telecoms carriers. Furthermore, the company discovered that hackers had likely been accessing its system for many years.
I’m not going to say much more about cybersecurity risks in the telecoms sector. I appreciate that many in this room have lived this experience and do not need a reminder. Suffice to say that cybersecurity is a very real and growing concern that is keeping many of us awake at night.
Australia's response - regulation of critical infrastructure
I’m now halfway through this presentation and it is time for me to move away from the background and into some of the legal and policy detail. From a telecoms sector policy perspective, the question arises as to what we are doing about it. What issues and complications are arising as a result? What can we expect for the future?
Over recent years, the Australian government has been taking a number of policy initiatives to improve cybersecurity in relation to critical infrastructure, particularly telecoms networks. These developments really do demonstrate how national security issues are impacting on telecoms regulation in the 2020s, consistent with my theme for this presentation.
First, I’ll consider the law, then I’ll look at the policy. In many respects, Australia is leading the way globally in legislative reforms to protect critical infrastructure, amongst an increasingly complex and labyrinthine global cybersecurity regulatory ecosystem.
Our critical infrastructure reforms commenced in the telecoms sector. Telecoms carriers and carriage service providers were already subject to historic security requirements under the Telecommunications Act 1997 (Cth). In 2017, the Telecommunications Sector Security Reforms or ‘TSSR’ were implemented to create a regulatory framework to better manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities. These reforms were controversial given the breadth of the proposed intervention powers to be given to the Minister for Home Affairs. Ultimately, the Minister was empowered to direct a carrier or carriage service provider to do, or not do, a specified thing that was reasonably necessary to protect networks and facilities from national security risks.
The TSSR provided the blueprint for broader reforms that were rolled out for all Australian critical infrastructure. The Security of Critical Infrastructure Act 2018 or ‘SOCI Act’ was enacted into law in 2018 to introduce new reporting obligations on entities responsible for “critical infrastructure assets”. Cyber security incidents affecting critical infrastructure were required to be reported to the Australian Signals Directorate. The aim was to facilitate the development of an aggregated threat picture and promote a more comprehensive understanding of cyber security risks to Australian critical infrastructure, as well as to enable proactive and reactive cyber response options.
In December 2021, the SOCI Act was further amended as part of a further tightening of security obligations in Australia. Carriers and Carriage Service Providers became subject to even greater security obligations, relevantly including requirements to:
In order to avoid regulatory duplication and provide clarity for industry, the Government implemented these requirements for the telecoms sector using carrier licence conditions under the Telecommunications Act.
Australia's response - policy initiatives and law reform
That was the law. Next, I’ll consider the policy. The 2023-2030 Australian Cyber Security Strategy Discussion Paper was released by the Department of Home Affairs in December 2022 and outlines the Australian government's ambitious vision for Australia to be the most cyber secure nation in the world by 2030. The paper sets out a number of key priorities for the government, including further improving the security of critical infrastructure. An Expert Advisory Board of three members was appointed to advise on the development of that strategy, including one Andrew Penn AO, former CEO of Telstra. Again, Andy’s appointment is a clear indication of the importance of the telecoms sector to the realisation of Australia’s cybersecurity vision.
Unsurprisingly, a key part of that vision is to use Australia’s regulatory system to achieve greater cyber security by 2030. The Discussion Paper comments, for example:
“The Australian regulatory system facilitates innovation and stimulates economic growth and recovery. Australian-made products set the international benchmark for cyber services, created in a way that reflects the values of a democratic society; leading on safety and security while respecting basic rights. Customers expect cyber secure technologies in the same way they expect a car to be sold with a seatbelt.”
And, at page 17 of the Discussion Paper:
“It is clear that a package of regulatory reform is necessary.”
I won’t go into more detail, but the Discussion Paper indicates that national security will be an important future determinant in the continued evolution of telecoms regulation over the remainder of this decade.
Why isn't the SOCI Act sufficient?
The question then arises, if we already have the SOCI Act, why do we now need further reforms? The answer to that question is partly political and partly pragmatic. The SOCI Act was publicly criticised as inadequate in the context of the Optus and Medibank data breaches during 2022, which were two of the largest cyber-attacks in Australia’s history.
Specifically, in February this year, Home Affairs Minister Clare O’Neil gave a speech identifying that the Optus and Medibank hacks had exposed flaws in Australia's cyber laws. I quote from the Minister, as reported in ABC News - and she really did not hold back:
"In those events, we were meant to have at our disposal a piece of law that was passed by the former government to help us engage with companies under cyber-attack. That law was bloody useless, not worth the ink printed on the paper when it came to actually using it in a cyber-incident."
The Minister indicated that the government would look to reform the SOCI Act to possibly include customer data and "systems" in the definition of critical infrastructure, to give government power to intervene in major data breaches. The key issue here is that the SOCI regime is focussed on regulating security systems, but those systems don’t necessarily include the data that is protected by the systems. As a consequence, the Minister’s powers of intervention were limited in the context of stepping in to address an actual data breach.
The Minister’s comments and the politicisation of the Optus data breach do raise an interesting question whether it is actually appropriate that the Minister has step-in rights. Indeed, whether the narrow scope of the Minister’s powers is actually entirely appropriate. This is obviously a political and policy matter for government and I refrain from expressing any view.
So what happens next?
Submissions to the Discussion Paper closed in April 2023. The government is currently processing those submissions, but as of today they have not yet been publicly released. There has been a clear recognition of the need for further regulatory intervention and perhaps a new Cyber Security Act that would impose new obligations and standards across industry and government.
What this means for the telecoms sector is unknown – and I suspect there will be some in this room that may well know more than me.
So please watch this space. I'll end this presentation by saying that national security issues are now very much a driver of telecoms regulation in the 2020s. We do indeed live in interesting times. Thank you.