After our recent article looking at the TICS (Telecommunications Interception Capability & Security Bill), we were contacted by Brad Ward, the Programme Manager of the Telecommunication Review at the Ministry of Business, Innovation and Employment (MoBIE).
He had some issues with what we wrote, and in particular he rejected our claim that the bill gave the GCSB sweeping new powers of oversight and control over NZ telecommunictions networks, writing that (emphasis added):
The new formal framework for network security does not give “sweeping powers of oversight and control” to the GCSB, and it does not give the GCSB “final control of network design and operation.”
The GCSB already works in partnership with network operators on network security issues, to agree on measures that are proportionate and risk-based. The Bill will formalise and build on this existing approach.
The Bill emphasises that network operators and the GCSB are to work cooperatively and collaboratively on identifying and addressing network security risks.
In the event that the network operator and the GCSB are unable to agree, the Bill establishes a Ministerial direction power that can be used where significant national security concerns are involved, and as a last resort. This Ministerial power relates to network security issues.
The GCSB would apply to the Minister responsible for the GCSB to direct a network operator to take specific steps to prevent, mitigate or remove the security risk.
The Minister can receive any submissions on this directly from the network operator, and is required to consult with the Minister for Communications and Information Technology and the Minister of Trade.
When exercising the direction power, the Minister is required to take into account the principle that the direction should be proportionate to the network security risk. This means considering whether costs would be higher than reasonably required to address the risk, and whether there would be undue harm to competition or innovation in telecommunications markets.
Looking at the law
Firstly, while it is nice that the Bill suggests that network operators should work in partnership with the GCSB over security, the reality is that there is no choice. Let's quote section 45(1):
A network operator must engage with the Director as soon as practicable after becoming aware of any network security risk, or proposed decision, course of action, or change that may raise a network security risk.
A network security risk is defined as: "any actual or potential security risk arising from (a) the design, build, or operation of a public telecommunications network; or (b) any interconnection to or between public telecommunications networks in New Zealand or with telecommunications networks overseas".
Further more in section 47(1) (edited for clarity/length), "a network operator must notify the Director of any proposed decision, course of action, or change made by or on behalf of the network operator regarding procurement of..., changes to..., and ownership control... of anything that falls within an area of specified security interest."
This applies to areas of specified security interest which are defined in section 45(1) as (slightly edited for clarity) "network operations centres, lawful intercept equipment, any part of a public telecommunications network that manages or stores aggregated customer information or administration authentication credentials, and any place in a network where data aggregates in large volumes being either data in transit or stored data".
The compliance process
So, what happens after this engagement/notification if the GCSB thinks it would raise a network security risk? Sections 49 to 54 have the process:
- Director of the GCSB notifies the network operator and then again in writing in s49(1)(a) and s49(2)
- Network operator must immediately stop work. s49(1)(b)
- Network operator can propose an alternative. a49(3)
- GCSB considers the network operator's proposed alternative and possibly accepts it. s50(1) and s50(2)
- Network operator must implement the response. s51
- If the GCSB is not happy with the proposal it may refer the matter to the Minister (the Prime Minister normally has responsibility for the GCSB) to make a direction. s52
- Network operator may choose to make a submission to the Minister. s53(2)(b)
- The Minister must consult with the Minister for Communications & Information technology and the Minister of Trade. s54(3)
- The Minister may direct the network operator to either cease/refrain from an activity or make changes to or remove any system or operation on the network. s54(2)
- If the network operator refuses to comply with an s54 Ministerial direction, this is treated as serious non-compliance. s82(b)
- The GCSB can servce an enforcement notice on the network operator. s85(2)
- The GCSB can apply to the High Court for a court order. s86(1)
- The High Court can make an order (subject to normal apeals). s87
- The High Court can make the network operator pay a fine of up to $500,000 and/or $50,000 per day of continuing non-compliance. s92 and s93
In other words, the Bill may suggest that the GCSB and network operators should cooperate, but the content of the law and the procedure I have just outlined makes it very clear to everyone involved where the power really lies. Indeed, the expectation that network operators will do what they're told is so clear that we wouldn't expect any fines to be issued because there won't be a lot of point fighting any directions from the GCSB.
But it's only security issues!
Now one might claim as Brad Ward has that "This Ministerial power relates to network security issues."
However when it comes to network design and operation, everything has an impact on network security. What you buy, what systems they run, who you buy them from, how they get delivered to you, where they're installed, how they're configured, who you've employed, how well they're trained, etc, etc, etc - network security is not one attribute but is a product of the system as whole.
We stand by our original statement that the TICS Bill as written will give the GCSB sweeping powers of oversight and control over New Zealand telecommunications networks.
One final point of interest is - why is a government bureaucrat trying to deny this is the case? Does the Bill as written not reflect the intention of the people who wrote it, or is this a case of the government trying to pull the wool over people's eyes?