The telecommunications sector provides critical infrastructure for many countries, enabling the exchange of information across various industries. Due to the widespread use of digital information in teleco, the sector has become a prime target for cyber threats from hackers, state actors, and cyber criminals. In 2023, telecos experienced higher credential stuffing rates than other sectors, according to F5.

In 2018, Australia implemented a set of legislative measures called the Telecommunications Sector Security Reforms (TSSR) to protect teleco infrastructure. These reforms address the growing concerns around cyber threats, espionage, and sabotage activities that could compromise Australia’s teleco sector.

The TSSR framework emphasizes collaboration between industry and government to identify and mitigate security risks, ensuring the security and reliability of teleco services for all Australians. In this blog, we’ll explore the TSSR, including key elements of the reforms, strategies for compliance, non-compliance penalties, and benefits of the security framework.


What are the Telecommunications Sector Security Reforms (TSSR)?

The TSSR was an amendment to the Telecommunications Act 1997, a key piece of Australian legislation outlining regulations for the teleco industry within Australia. The 1997 act covers several broader topics, like the responsibilities of telecommunication providers and the defined roles and powers of the Australian Communications and Media Authority (ACMA) and the Australian Competition and Consumer Commission (ACCC).

The TSSR specifically focuses on the obligations of teleco carriers, carriage service providers, and other specific entities within the telecommunications supply chain to adopt rigorous security measures. These security measures are designed to reduce national security risks to the teleco networks, which include supply chain risks, espionage, sabotage, and foreign interference.

Key Elements of the TSSR

The TSSR is organized into four key elements. The first two, security obligations and notification requirements, are directed toward carriers, carriage service providers, and carriage service intermediaries. The remaining two, information gathering power and directions power, define updated powers for government officials to support and enforce TSSR compliance.

The key elements of the TSSR are:

  • Security obligation: To safeguard networks and facilities against unauthorized access and interference, all carriers, carriage service providers, and carriage service intermediaries must exercise competent supervision and effective control over their teleco networks and facilities. This practice means they are responsible for ensuring their networks and facilities are secure and protected from unauthorized access or interference.
  • Notification requirement: Carriers and nominated carriage service providers must notify the Attorney General’s office of any proposed changes that may hinder their ability to comply with security obligations. The TSSR outlines a specific process of notification obligation and examples of notifiable changes.
  • Information gathering power: This section of the TSSR gives the Security Department of Home Affairs the authority to request information and documents from carriers, carriage service providers, and carriage service intermediaries to investigate compliance with security obligations.
  • Directions power: Following the previous section, this section provides authority to the Home Affairs Minister to direct carriers, carriage service providers, or carriage service intermediaries to implement mitigation measures to protect networks and facilities from national security risks.

These key elements in the TSSR work alongside Australia’s broader strategy to enhance national security, especially within the national teleco infrastructure.

Who Must Comply with the TSSR?

The TSSR applies to various entities within Australia’s teleco sector. Specifically, the following types of organizations must comply with the TSSR:

  • Teleco carriers: Entities that are licensed to operate teleco networks or facilities under Australian law and that own the infrastructure that enables telecommunication services. Examples include cable, mobile, and satellite networks.
  • Nominated carriage service providers: Operators of nominated facilities critical to the teleco network, including data centers, exchanges, and other key infrastructure necessary to operate teleco services.
  • Carriage service providers (CSPs): Companies that provide public services using teleco networks, like internet services, fixed-line telephone services, mobile telephone services, and others. CSPs can own some of their infrastructure but often lease network capacity from carriers to provide their services.
  • Carriage service intermediaries: Entities that supply equipment or services to carriers and CSPs. These entities are included since services or equipment could impact teleco infrastructure security. Including intermediaries extends security beyond the service delivery level to the extended supply chain.

The entities covered by the TSSR are obligated to the first two elements: protecting their network and facilities from unauthorized access and interference and notifying the ACMA of any changes to their networks or services that could impact their ability to comply with security obligations. Providers may apply for a full or partial exemption if they meet specific requirements.

Penalties for Non-Compliance

There are no specific penalties outlined in the TSSR for non-compliance. Instead, this regulatory framework focuses on a cooperative approach between the Australian government and telecos to ensure compliance.

The key elements of these reforms include powers given to specific government officials to enforce compliance and manage risks to national security. Should a teleco fail to comply with the security obligations under the TSSR, the government can take several actions, including:

  • Rectification directions: Directions issued to carriers and carriage service providers to fix non-compliance issues, like implementing specific cybersecurity measures to secure their networks and facilities against threats.
  • Cease operations: Direct orders from the government to a provider to cease specific operations until TSSR compliance is achieved. The Australian government typically only uses these orders in unique cases where a provider’s actions or lack thereof pose a severe risk to national security.

Alongside these listed actions, entities found to be non-compliant with the TSSR can suffer other adverse effects, such as negative reputational and industry impact, affecting their relationships with customers, partners, and regulators.

How to Comply with the TSSR

Creating a comprehensive security plan is one of the most effective ways to maintain compliance with the TSSR. This plan should outline how the entity will meet its TSSR obligations and include risk assessment methodology, security measure implementation, and incident response. Regularly reviewing and updating the plan ensures it remains effective and reflects the current threat landscape.

A comprehensive security plan should include the following:

  • Security risk assessments: Entities should regularly assess the security risks within their teleco networks and facilities to identify vulnerabilities and areas of concern.
  • Security measure implementation: Based on risk assessments, entities should implement appropriate security measures to protect against identified threats and vulnerabilities. These security controls can include both physical and cybersecurity measures.
  • Change notification: Entities should have a process to notify the ACMA of any planned network or facility changes that could affect their capacity to meet security obligations.
  • Incident reporting requirements: Entities should develop an incident reporting plan to use in the event of an incident with the potential to impact the telecos.
  • Maintaining documentation: To demonstrate compliance with the TSSR, entities should have a detailed record of all risk assessments, annual reports, security measures implemented, ACMA notifications, and other compliance actions.

Compliance with the TSSR might seem challenging, but implementing an external attack surface management tool like UpGuard BreachSight can automate many of these actions. BreachSight’s continuous monitoring and attack surface reduction features keep you informed about the risks impacting your external security posture.

How Does the TSSR Enhance Cybersecurity in the Teleco Sector?

The TSSR is a part of Australia's broader strategy to enhance national security, specifically targeting the resilience and security of the teleco infrastructure. The reforms are designed to mitigate the risk of cyber espionage, sabotage, and interference in Australia's telecos.

Here's how TSSR enhances cybersecurity in the teleco sector:

  • Risk Management and mitigation: TSSR requires telecos to implement appropriate security measures to manage unauthorized access and interference risks in their networks and facilities, protecting against cyber threats.
  • Notification requirements: Providers must notify the service providers and inform ACMA of any network or system changes that could affect their security obligations.
  • Collaboration with government agencies: The teleco sector and government security agencies now work more closely together to share threat intelligence and cybersecurity best practices.
  • Clear legal framework: TSSR provides a clear legal framework outlining telecos' network security responsibilities and ensuring compliance.
  • Enforcement powers: The government now has powers to enforce compliance, including issuing directions to providers that pose a risk to national security. This ensures that necessary steps are taken to rectify any vulnerabilities.
  • Encouraging proactive measures: By setting clear security standards that align with Australia’s security frameworks, telecos are encouraged to safeguard their networks against cyber threats with proactive measures.
  • Vendor risk management: TSSR highlights the need to manage risks related to suppliers and service providers. Telecos should carefully examine their supply chains for potential vulnerabilities and ensure their partners comply with high cybersecurity standards.

Although the teleco industry is a high-risk target for cybercrime, the TSSR considerably improves the cybersecurity of this sector, thus enhancing Australia's overall national security and well-being.

Enhance Your Organization’s Cybersecurity Posture with UpGuard

UpGuard is an all-in-one attack surface management platform that provides organizations visibility across their external attack surface, revealing valuable insights that build cyber resilience and information security.

The UpGuard BreachSight platform helps your organization stay TSSR compliant by revealing the risks impacting your security posture and ensuring your external assets are constantly monitored and protected. View your organization’s cybersecurity at a glance with our user-friendly platform and communicate internally about risks, vulnerabilities, or current security incidents. Other features include:

  • Data leak detection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches.
  • Continuous monitoring: Get real-time information and manage exposures, including domains, IPs, and employee credentials.
  • Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting.
  • Workflows and waivers: Simplify and accelerate how you remediate issues, evaluate risks, and respond to security queries.
  • Reporting and insights: Access tailor-made reports for stakeholders and view information about your external attack surface.
