

Australian telco sector looking down the barrel of a prescribed security standard

Home Affairs will be looking to co-design a cyber standard with Australian telcos should the Critical Infrastructure Bill be passed.




The Department of Home Affairs has brushed aside industry concerns that the Security of Critical Infrastructure Act (SoCI Act) duplicates obligations found in the Telecommunications Sector Security Reforms (TSSR).

As far as the department is concerned, rather than overlapping regimes, there would be “one continuum” of regulation where the Telecommunications Act is paramount, but parts of the SoCI Act would be “activated” to fill in gaps.

“The explanatory memorandum for the Security of Critical Infrastructure Act amendments very clearly states that, where primary legislation exists that regulates the activities of a critical infrastructure sector, that primary legislation remains operant,” Home Affairs deputy secretary for national resilience and cybersecurity Marc Ablong told the Parliamentary Joint Committee on Intelligence and Security on Thursday.

“To the degree that we need to look at amendments to that act — minor in nature — to ensure that it is consistent with the positive security obligations that are set out in the [SoCI] Bill, we would do that to the Telco Act.”

Two such gaps in the Telco Act that Ablong identified were the government assistance measures for companies facing a significant cyber attack and the enhanced cybersecurity obligations, both of which are elements of the SoCI Bill rather than the existing telecommunications regime.

“We don’t consider them to be rival regulatory regimes but parts of the one continuum that starts with companies very much recognising that they have a unique position as telcos. To the degree that the existing regulatory regime set out in part 14 can suffice, it will suffice,” he said.

“To the degree that it can’t suffice, that’s when the Security of Critical Infrastructure Act amendments will apply. But we don’t intend this to come as any surprise to the industry.”

One area where the TSSR is ambiguous is its requirement for carriage service providers to “do their best” to protect telecommunication networks and facilities, and both telcos and the department believe it needs clarification.

“We’d suggest that a higher standard than just doing your best might be required,” Ablong said. “To the degree that the language in the TSSR says, ‘Do your best,’ we might replace it with, ‘You are required to meet standard X,’ whatever the standard is that we and the industry come to a common view on in the co-design process.”

How the positive security obligation looks for each sector will be a co-design process with industry of looking at primary legislation and working out what needs to be added, the deputy secretary said.

“The obligation for the telco sector would be different to that for the banking sector, for instance,” Ablong said.

“The process of co-designing with industry and providing them with information about, ‘Here are the threats we think your industry will face over the foreseeable future; this is where we think your primary legislation requires you, or obliges you, to meet a certain security requirement; and this is what more we think you could add to your ability to meet an obligation under the Critical Infrastructure Act,’ is very much a co-design process.”

In the end, Ablong said the solution could be to replace the “Do their best” wording with a standard, whether it is the Essential Eight from the ACSC, or a standard from NIST or the UK’s National Cyber Security Centre.

“Ultimately, in the conversations that we have been having with industry … the first question is: To what standard do you hold yourself as an industry? Then you would ask: What are the measures that you’re using to assure yourself that, against the risks which we’ve talked about, you are able to deal with those risks?,” he said.

“If somebody says to me, ‘I use the NIST standards’ and another industry says, ‘I use the NCSC standards from the UK’, both of those are suitably robust that, for most intents and purposes, we would probably say, ‘That’s good enough’.”

Earlier in the day, Telstra and Optus raised concerns that the Critical Infrastructure Centre needed to provide more proactive advice to telcos, rather than just responding to alerts from telcos when changes to services, systems, or equipment could have a “material adverse effect” on their ability to meet TSSR obligations.

“Currently we get really good and detailed advice, but it has to be triggered by us putting in a notification or providing a briefing, and then that advice will come back,” Telstra national cybersecurity principal Jennifer Stockwell said.

“It will be very detailed and will help us to understand the risk for that particular project, but it would be very helpful to have more upfront, because then, when I’m working day to day with our network engineers and operational staff, I can provide them with the guardrails to start with, and that really helps decision-making and speeds up projects.”

In December, Optus revealed it was responsible for over half of TSSR notifications.

“Optus has reviewed the TSSR status of well over 150 projects and proposed changes over the last two years and submitted formal TSSR notifications for 36 of them,” it said at the time.

“The time for the resolution of these notifications has varied between 30 days to eight months.”

On Thursday, Telstra regulatory principal John Laughlin said Australia’s largest telco took a different approach.

“We have deliberately taken an approach where we notify on mitigated risk,” he said.

“We only lodge a notification after all the systems and controls are in place, where we still believe that there’s a material adverse effect to our ability to meet the security obligation.”

Stockwell added that Telstra only notifies on the end solution.

“The unmitigated risk is a risk that is not going to be realised, provided we have the adequate mitigating controls in place,” she said.

“It’s really important to mention that early engagement with the critical infrastructure centre and the ability to have that early engagement is critical to inform those controls so that we put all the appropriate mitigations in place, taking into account the full understanding of the threat landscape.”

Whether through bad preparation or obfuscation, Laughlin was unable to provide the committee with the number of notifications Telstra had provided, except to say it was “substantially less” than Optus.

The difference in notification thresholds is one of the reasons Home Affairs wants to have a “conversation” with telcos in the co-design phase, to see whether the government and the private sector hold different views on what counts as a material risk.

“If they have been thinking about it purely from the perspective of, for instance, somebody’s ability to cut the trunk cables and therefore their inability to provide a service to a portion of Australia, we would be equally concerned about the ability of somebody to hack in or intercept communications carried over their networks, but if they don’t consider that to be a material risk, then they’re not going to notify us or report about those sorts of things,” Ablong said.

The deputy secretary added the Critical Infrastructure Bill was necessary in light of the recent Colonial Pipeline incident.

“The critical infrastructure amendments … very much cover what is required in order for Australia to have greater assurance that the sorts of things that we saw with the Colonial Pipeline, for instance, in the United States are less likely to happen here, that we have taken all necessary measures to protect our critical infrastructure and for the entities involved in those sectors of the economy that might be considered critical infrastructure to have protected themselves.”

On the other side of the fence is the Communications Alliance, which has put forward a proposal to either repeal the TSSR notification obligations or exempt telcos that fall under the Critical Infrastructure Bill.

“We would very much prefer the certainty that comes with repealing provisions that could create duplication, as opposed to relying on the goodwill and best endeavours of agencies over time to avoid that through positive decisions of their own,” Comms Alliance CEO John Stanton said.

“Time moves on, people move on, and it would be preferable from our point of view if the requirements and obligations were clear and in legislation rather than subject to executive decision-making.”





Comcast gave me good, precise news. The truth was precisely the opposite

Many companies believe that technology is perfect for customer service communication. Often, though, it just isn’t.




Please be infinitely accurate, Comcast.

These things happen.

Yes, all too often they happen at very awkward times.

But we’ve allowed ourselves to be at the mercy of technology these days, so who are we to complain.

There I was on a recent Friday afternoon, writing several things and watching something on TV. This was my form of dedicated multitasking.

Suddenly, my tasks ground to a halt: All of my Comcast systems went down.

No TV, no internet, no life. (Schopenhauer was the first to say that.)

At least my iPhone was working, so I went to the Xfinity website to see what had happened and when it might unhappen.

The engineers were working on the outage, I was told. Would I like to sign up for texted updates? Of course I would.

Precision Is A Wonderful Thing.

So I sat, waited, and watched.

The first texted offering was that the outage would be fixed by 5:54 p.m. I sat, waited, and remembered I had an Xfinity app on my phone. I tried opening that too, just in case there was more immediate news.

I tried reading a book, but I had those things to do. They were quite urgent, so I became somewhat itchy.

5:53 p.m. came along. It had been more than three hours. But, when you’re told such a precise time, you believe that the texting entity is very sure that the outage is fixable by that time.

At 5:54 p.m. came the bad news. It would be precisely 9:54 p.m. Oh dear. This evening wasn’t going well.

My wife and I cooked. We sat at the dining table, facing each other. We talked. You see, there’s something marvelous about a Comcast outage. It eliminates the temptation of a TV dinner. Instead, you chat about how annoying it is that there’s a Comcast outage.

But I needed to get those things done that night. Because I did. We had plans for the weekend and we wanted to stick to them.

After Midnight. You Can’t Let It All Hang Out.

Next came a new update. The outage wouldn’t be fixed at all that day. Instead, it was now going to be 12:10 a.m. the next day. Precisely.

Please forgive me if, by this stage, I was getting a touch annoyed with this useless precision. Why be so exact when all you’re doing is exacting my nerve ends?

I can appreciate that some things are harder to fix than others. Yet if you’re giving customers such precise information, shouldn’t they expect to trust that information?

And when they discover that the information is precisely useless, won’t you be driving them precisely bonkers?

As the evening began to concede that night was approaching, I kept refreshing my Xfinity app. I feared the next update would say “in three days time, at precisely 3:43 p.m.” I feared I may not even get a text to confirm it, as the texting machines hadn’t been in touch.

Somewhere near 10 p.m., the app refreshed and there was suddenly no mention of an outage.

I tried turning on the TV. It worked. The internet chugged back up. I could do the things I had to do, through yawns of joy.

Curiously, though, I hadn’t received a text to say that everything was working again. Which, lest you forget, was the reason I signed up for the texted updates in the first place.

Of course I could forgive Comcast. It’s compulsory. The company has become somewhat more customer-oriented over the last couple of years. I know it’s been trying.

Oh, but then came Saturday. I could watch Premier League football (saacker) from the very earliest hours. I could watch golf. I could ignore college football.

Good News. Really Good, Imprecise Late News.

Later we went out, sticking to our plans. It was a lovely afternoon. We were in Safeway buying soup and chicken.

Suddenly, a text. Yes, from the Xfinity out there, also known as Comcast.

It began: “Good news.”

I was going to get a rebate for the complete lack of services that lasted seven hours?

Hope is the mansion with non-existent foundations.

Instead, Comcast texted me: “The outage has been resolved at approximately 3:28 p.m. PDT.”

Please imagine the depths of my pained chuckle. Comcast wanted me to know that it had just fixed the outage that it had fixed the previous evening.

So who had I been receiving Comcast services from the previous night and that morning? From the Xfinity Space Station?

And please note the utter deliciousness of the word approximately. Having been so definitive about the time of fixing, now I was only offered an approximation.

The text didn’t stop there, though.

It added: “Thanks for your patience. Your services should be back up and running. Let me know if you’re still experiencing service issues.”

Should be back up and running? But you told me precisely that the outage was resolved.

Naturally, this all caused me to worry.

As with my abject text-based experience with FedEx a couple of weeks before, I fear that companies have no control over the texts they send to customers.

If you’re going to do it, please be accurate. If you’re going to use such technology, make sure it’s not dribbling finger-in-the-air precision that can only frustrate your customers more.

It’s fine to apologize. It’s less fine to offer the wrong information.

If you can’t make the system work, don’t have the system.

Oh, what am I saying? Technology is customer service these days.





Even computer experts think ending human oversight of AI is a very bad idea

The UK government is thinking of scrapping the right to ask for a human to review decisions made entirely by AI systems, but some experts are warning that it is not the right way to go.





While the world’s largest economies are working on new laws to keep AI under control and avoid the technology creating unintended harms, the UK seems to be pushing for a rather different approach. The government has recently proposed to get rid of some of the rules that already exist to put brakes on the use of algorithms, and experts are now warning that this is a dangerous way to go.

In a consultation that was launched earlier this year, the Department for Digital, Culture, Media and Sport (DCMS) invited experts to submit their thoughts on some new proposals designed to reform the UK’s data protection regime.

Among those featured was a bid to remove a legal provision that currently enables citizens to challenge a decision that was made about them by an automated decision-making technology, and to request a human review of the decision.


The consultation determined that this rule will become impractical and disproportionate in many cases as AI applications grow in the next few years, and planning for the need to always maintain the capability to provide human review becomes unworkable.

But experts from the BCS, the UK’s chartered institute for IT, have warned against the proposed move to scrap the law.

“This rule is basically about attempting to create some kind of transparency and protection for the individuals in the decision making by fully automated processes that could have significant harms on someone,” Sam De Silva, partner at law firm CMS and chair of BCS’s law specialist group, tells ZDNet. “There needs to be some protection rather than rely on a complete black box.”

Behind the UK’s attempt to change the country’s data protection regulation lies a desire to break free from its previous obligation to commit to the EU’s General Data Protection Regulation (GDPR).

The “right to a human review”, in effect, constitutes the 22nd article of the EU’s GDPR, and as such has been duly incorporated into the UK’s own domestic GDPR, which until recently had to comply with the laws in place in the bloc.

Since the country left the EU, however, the government has been keen to highlight its newly found independence – and in particular, the UK’s ability to make its own rules when it comes to data protection.

“Outside of the EU, the UK can reshape its approach to regulation and seize opportunities with its new regulatory freedoms, helping to drive growth, innovation and competition across the country,” starts DCMS’s consultation on data protection.

Article 22 of the GDPR was deemed unsuitable for such future-proof regulation. The consultation recognizes that the safeguards provided under the law might be necessary in a select number of high-risk use cases – but the report concludes that as automated decision making is expected to grow across industries in the coming years, it is now necessary to assess whether the safeguard is needed.

A few months before the consultation was launched, a separate government taskforce came up with a similar recommendation, arguing that the requirements of article 22 are burdensome and costly, because they mean that organizations have to come up with an alternative manual process even when they are automating routine operations.

The taskforce recommended that article 22 be removed entirely from UK law, and DCMS confirmed in the consultation that the government is now considering this proposal.

According to De Silva, the motivation behind the move is economic. “The government’s argument is that they think article 22 could be stifling innovation,” says De Silva. “That appears to be their rationale for suggesting its removal.”

The consultation effectively puts forward the need to create data legislation that benefits businesses. DCMS pitched a “pro-growth” and “innovation-friendly” set of laws that will unlock more research and innovation, while easing the cost of compliance for businesses, and said that it expects new regulations to generate significant monetary benefits.

For De Silva, however, the risk of de-regulating the technology is too great. From recruitment to finance, automated decisions have the potential to impact citizens’ lives in very deep ways, and getting rid of protective laws too soon could come with dangerous consequences.


That is not to say that the provisions laid out in the GDPR are enough. Some of the grievances that are described in DCMS’s consultation against article 22 are legitimate, says De Silva: for example, the law lacks certainty, stating that citizens have a right to request human review when the decision is solely based on automated processing, without specifying at which point it can be considered that a human was involved.

“I agree that it’s not entirely clear, and it’s not a really well drafted provision as it is,” says De Silva. “My view is that we do need to look at it further, but I don’t think scrapping it is the solution. Removing it is probably the least preferable option.”

If anything, says De Silva, the existing rules should be changed to go even further. Article 22 is only one clause within a wide-ranging regulation that focuses on personal data – when the topic could probably do with its own piece of legislation.

This lack of scope can also explain why the provision lacks clarity, and highlights the need for laws that are more substantial.

“Article 22 is in the GDPR, so it is only about dealing with personal data,” says De Silva. “If we want to make it wider than that, then we need to be looking at whether we regulate AI in general. That’s a bigger question.”

A question likely to be on UK regulators’ minds, too. The next few months will reveal what answers they might have found, if any.






National Australia Bank keeping staff connected with Google Pixel rollout

More than 2,000 Google Pixel devices were issued to NAB’s customer contact teams to enable them to support customers remotely.




When National Australia Bank (NAB) recently revised its device strategy to look at new ways it could support the mobility of its employees and reduce the time and cost of supporting legacy devices across multiple platforms, the big bank partnered with Google to issue more than 2,000 Pixel devices to its customer contact teams.

Each device, managed with Android Enterprise, was rolled out by Vodafone using “zero-touch” enrolment to set up the devices and configure each one with the necessary applications.

“With zero-touch enrolment, each Pixel setup was 20 minutes faster than our previous device enrolments, saving our IT team and colleagues over 500 hours during the initiative. With our communication and collaboration apps available right out of the box, our teams could get to work right away to help customers,” NAB Mobility manager Simon Thoday said.

Another consideration of the rollout was how customer data was going to remain secure, with Thoday pointing out that using Android Enterprise provided the solution to that question.

“Pixel security updates from Google provide a reliable cadence of ongoing protection as threats evolve, and the work profile hits the right balance between security and privacy for our teams,” Thoday said.

“Our contact centre teams use Pixel devices that are fully managed, which allows us to provide the necessary security controls, and wipe and re-enroll them when transferred to a new employee,” he said.

“Branch managers use Pixels with the work profile, separating work and personal applications. This gives employees the ability to use the device in a personal capacity while our IT team manages and ensures data security over the work profile.”

Additionally, with managed Google Play, NAB can assign the apps that are necessary on its managed devices.

“Providing our teams the flexibility to assign apps to the right teams is a major time saver and ensures everyone has the resources they need,” Thoday said.

“Branch managers can look up customer service records or answer a ping more quickly from their Pixel, instead of returning back to their desk and logging back on to their desktop computer. Android Enterprise has been a catalyst in a more mobile and responsive environment for our various teams.”

Earlier this month, the red and black bank completed its transition to TPG to deliver fixed and mobile network services across the bank.

The transition follows a deal struck between the two companies in September for the newly merged telecommunications giant to deliver fixed network services across NAB’s corporate offices, business banking centres, and branches, as well as providing mobile connectivity to the majority of the NAB workforce.

Vodafone delivered the solution to more than 80% of NAB’s mobile fleet across corporate offices and branches in metro and major regional areas. The company said Vodafone, alongside Google, would also be providing those who opt for a company phone with the Pixel 4a.





