Under Australia's Telecommunications Sector Security Reforms[1] (TSSR), all carriers and nominated carriage service providers (C/NCSPs) are required to notify the Communications Access Coordinator (CAC) of proposed changes to their telecommunications systems or services if they become aware of any proposed changes that are likely to have a "material adverse effect" on their capacity to comply with security obligations.
As of 30 June 2020, the Department of Home Affairs has received a total of 66 notifications. It told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) the notifications received from carriers to date represented the vast majority of the fixed-line and mobile telecommunications market in Australia.
In its submission[2] [PDF] to the PJCIS, Home Affairs suggested additional types of notices "with more nuanced language" to reflect various levels and types of risk and the urgency of adopting further mitigations.
See also: The disappointment of Australia's new cybersecurity strategy[3]
"Home Affairs notes that there has been some variation among C/NCSPs in their approach to the TSSR notification obligation. The obligation relies on self-determination by C/NCSPs of whether a proposed change warrants a notification, regardless of the guidance provided by Home Affairs," it wrote.
"There have been instances where Home Affairs has engaged with a carrier about a proposed change to their networks and subsequently recommended that the carrier submit a notification as it was Home Affairs' view that the features and characteristics of the proposed change introduced significant risk."
Despite Home Affairs' recommendations to these carriers, the department said they did not proceed to submit a formal notification, as in the carrier's view, the proposed changes to their networks or facilities did not meet the carrier's internal risk assessment thresholds for formal notification.
"In the absence of a notification, government has no