australia's national broadband network – a cybersecure critical infrastructure?
TRANSCRIPT
ww.sciencedirect.com
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9
Available online at w
ScienceDirect
www.compseconl ine.com/publ icat ions/prodclaw.htm
Australia's National Broadband Network e Acybersecure critical infrastructure?
Nigel Wilson*
University of Adelaide Law School, South Australia; Barrister, Bar Chambers, Adelaide, South Australia, Australia
Keywords:
Australia
Critical infrastructure
Cybersecurity
Freedom of information
National Broadband Network
* University of Adelaide Law School, NorthUniversity, Perth, Western Australia.
E-mail address: [email protected]
http://dx.doi.org/10.1016/j.clsr.2014.09.0030267-3649/© 2014 Nigel Wilson. Published by
a b s t r a c t
In 2009 the Australian National Broadband Network (NBN) began to be rolled out across
Australia. The Australian NBN is the largest infrastructure project in Australia's history
since the Snowy Mountains Hydro-Electric Scheme from 1949 to 1972 and it has a projected
cost of between AU$37 billion and AU$43 billion. Its purposes are to provide high speed
broadband connectivity to 93% of Australia's homes and businesses, to enhance produc-
tivity, to improve the delivery of education, tele-medicine and regional connectivity and to
form the basis of the Australian telecommunications network for the 21st Century. How-
ever, the project does not have bi-partisan support and has been affected by high-level
management changes and anticipated cost over-runs.
The legal implications of the Australian NBN are as vast as the project itself. Its imple-
mentation has involved the enactment of a suite of Commonwealth legislation and will
involve considerable competition law and long-term access issues which have already been
much critiqued. However, despite information technology being in the top five critical in-
frastructures internationally, a critical infrastructureanalysis of theNBNhashad littlepublic
attention. Similarly, due to the confidential nature of much of the NBN's operations, the
cybersecurity aspects of the project have only been lightly scrutinised. Paradoxically, it is
contended that greater scrutiny andpublic access tovital informationwill provideenhanced,
not less, security for both the network itself and for Australian users andwill also provide for
amore secure and reliable engagementwithAustralia's international tradingpartners. Given
the need for a high level of trust in, and the immense reliance upon, the Australian NBN,
consumer andbusiness confidence canonly be enhanced by greater awareness of the critical
infrastructure implications of the Australian NBN for Australia's future.
© 2014 Nigel Wilson. Published by Elsevier Ltd. All rights reserved.
1. The Australian National BroadbandNetwork e is it?
The arrival of the Internet in Australia in the 1990s heralded
global online connectivity for Australia's economy and for
Australians. The early adopters of the Internet initially utilised
Terrace, Adelaide, South
u.au.
Elsevier Ltd. All rights re
“dial-up” technology to connect to it through existing tele-
communications technology. As the High Court of Australia
has noted, Australia's “telephone service could once be used only
for transmitting sounds. Now, the PSTN and the local loops as part of
that network can be used to carry not only telephone communica-
tions but also data communications including internet access
Australia, 5005, Australia; Adjunct Senior Lecturer, Edith Cowan
served.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9700
services.”1 Similarly, Justice Kirby stated in the Dow Jones case2
that the “internet is accessible in virtually all places on Earth where
access can be obtained either by wire connection or by wireless
(including satellite) links”3 provided that the user has a
connection to it and the basic hardware to do so. Unsurpris-
ingly, over time information and telecommunications tech-
nologies (ICTs) have improved both in Australia and globally
and the speed at which access to the Internet is able to be
obtained has become faster and the volume of data which is
capable of being transmitted has increased.
By the turn of the 21st Century in Australia, momentum
grew for a national approach to harnessing the benefits of the
new and improved ICTs and in January 2003 the Broadband
Advisory Group recommended that the Commonwealth
Government collaborate both with other State and Territory
governments and also with industry partners to implement a
national broadband network.4 Over the course of the first
decade of the 21st Century and through various changes in
Federal Governments and buffeted by the impacts of the
Global Financial Crisis in 2007/2008, the NBN Co was eventu-
ally established on 9 April 2009 and the National Broadband
Network Companies Act 2011 (Commonwealth) and related
legislation was enacted on 28 March 2011.
By definition, there should be three essential elements in a
National Broadband Network (NBN). It should be (i) national in
its operation (ii) broadband in nature and (iii) a network or
infrastructure. However, Australia's National Broadband
Network, whilst described as such, strictly does not fulfil each
of these criteria.
As to its national operation, the extent to which the
Australian NBN will be national is limited to those mainland
sites (together with sites on the island of Tasmania) which
have the capacity to deliver the necessary telecommunica-
tions systems which support it. Mainland Australia is to be
serviced by NBN Co Ltd and the State of Tasmania is to be
serviced by a subsidiary of NBN Co Ltd, NBN Tasmania Ltd.
However, significant sections of mainland Australia do not
have the capacity for broadband technology and, as Justice
Kirby noted in the Dow Jones case in 2002, only satellite (not
wireless or cable) communications can achieve such
coverage.5 Those parts of Australia will be the subject of sat-
ellite and mobile technologies within the NBN framework.
The extent of the broadband aspect of the Australian NBN
is a comparative concept in any event as, expressed non-
technically, broadband technology is an Internet-based
connection which is faster than the pre-existing dial-up
technology. As the High Court of Australia stated in Bayside
City Council v Telstra Corporation Ltd,6 broadband technology
1 Telstra Corporation Ltd v The Commonwealth (2008) 234 CLR 210, [5].2 Dow Jones and Co Inc v Gutnick (2002) 210 CLR 575.3 Above n 2, [80]. The role of wireless technology has been
described as “disruptive, and [as having] the potential to displacefibre as an essential future broadband technology.” CatherineMiddleton and Jock Given, ‘The Next Broadband Challenge:Wireless’, (2011) 1 Journal of Information Policy 36, 37.
4 Broadband Advisory Group's Report to Government (22January 2003, Minister for Communications, Information Tech-nology and the Arts, Commonwealth of Australia).
5 Above n 2, [80].6 (2004) 216 CLR 595, [3].
“uses a wider frequency band than is necessary to transfer speech
telephonically.”However, it can be seen that “broadband”, as an
expression, neither defines the actual speed nor the nature of
the service. From 2001 the speed required for “broadband”
technology has been recognised by the OECD as transmission
equal to or faster than 256 kbits/second for a connection
downstream (i.e. to the user) and equal to or greater than
64 kbits/second for an upstream connection (i.e. from the
user).7 There are many types of broadband-based technolo-
gies but digital subscriber line (known commonly as DSL
which involves digital data being transmitted at higher fre-
quency bands than traditional telephone transmission but
simultaneously with it) and cable are the most common in
Australia.8
In relation to the network aspect, the NBN technology
infrastructure is to be linked, ornetworked, toprovidea greater
participation between users. However, the Australian NBN is
incomplete in its coverage and not all Australians will be able
to access it. Many small towns, islands and remote commu-
nitieswill not be part of the AustralianNBNbut, in some cases,
will be offered wireless internet services instead. Those com-
munities comprise approximately 7% of the Australian popu-
lation. Further, like the Internet itself, the Australian NBN is in
fact a cluster of networks and technologies e a “network of
networks”.9 This combination of networks together with the
sheer size of the total Australian NBN infrastructure is poten-
tially highly valuable and valued. Indeed, based on network
theory which provides that the value of the network grows
with the square of the number of users,10 the Australian NBN
has the potential to be immensely valuable. The Australian
NBN, as a network itself (or combination of networks), there-
fore has an intrinsic value, as with other industrial in-
frastructures.11 However, the network also has a value to its
users which is increased by the number of users in the tele-
communications environment. Whilst increased usage or
“traffic”may in some network situations create bottlenecks or
contested demand for resources, one benefit of the scale and
nature of the telecommunications technologies which under-
pin broadband technologies is that this should be a rare
occurrence. However, more problematic issues will arise from
interruptions, such as power blackouts or power surges, or
from cybersecurity attacks, whether malicious or negligent.
Thereforewhilst it is described as such, the AustralianNBN
at the outset has had shortcomings even in relation to its
central components and purpose. One further shortcoming,
which this Article will seek to address, is the level of scrutiny
which has been given to whether the Australian NBN is a
7 OECD, The development of broadband access in OECD countries,(Paris: Head of Publications Service, OECD, 2001).
8 See Rob Ayre, Kerry Hinton, Brad Gathercole and Kate Cor-nick, ‘A Guide to Broadband Technologies’ (2010) 43 (2) TheAustralian Economic Review 200.
9 Rohan Kariyawasm, International Economic Law and the DigitalDivide: A New Silk Road, (Edward Elgar, 2007), 19.10 Metcalfe's Law, see Carl Shapiro and Hal Varian, Information
Rules, (Harvard Business Press, 1999).11 John Cannadi and Brian Dollery, ‘An Evaluation of Private
Sector Provision of Public Infrastructure in Australian LocalGovernment’ (2005) 64(3) Australian Journal of Public Administration112.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9 701
cybersecure, critical infrastructure. This Article will seek to
address this critical issue by commencing with an analysis of
Australia's reliance on networks, critically analysing the pur-
poses of the NBN and then addressing the key, but somewhat
overlooked and under-scrutinised, cybersecurity critical
infrastructure dimensions in light of the current state of
disclosure of information about these topics regarding the
Australian NBN. The conclusion which will be drawn is that
the cybersecurity aspects of the NBN have only been lightly
scrutinised to date and information requests under Australia'sFreedom of Information legislation in relation to the diverse
operations of the Australian NBN have produced limited in-
formation or been refused and none have related to cyberse-
curity aspects of the project. It is contended that greater,
ongoing scrutiny will provide enhanced security for both the
Australian NBN itself and for Australian users. The sheer scale
of the public investment in the Australian NBN alone de-
mands transparency through the life of the project and con-
sumer and business confidence will only be enhanced by
more, not less, awareness of the state of the cybersecurity of
this new, potentially highly valuable, critical infrastructure.
2. Australia's reliance on networks
Internationally, forecasts relating to the prospective value of
the financial and social benefits of broadband networks have
been impressive, to say the least.12 Highly positive projections
have also been made for the Australian NBN when fully
implemented.13 Australia, due to its geography, population
and market economy, has historically relied heavily upon
diverse networks e rail, road, shipping, aviation, energy,
water, postal, telecommunications and media networks, to
name a few. Across the globe, governments have played a
significant role in infrastructure networks both in funding
12 Robert Crandall and Charles Jackson, The $500 billion opportu-nity: The potential economic benefit of widespread diffusion of broad-band Internet access, (2001, Criterion Economics, L.L.C); DharmaDailey et al., Broadband Adoption in Low Income Communities, SocialScience Research Council, (2010, Brooklyn); Christine Qiang & ors,Information and Communications for Development 2009: ExtendingReach and Increasing Impact, (2009, World Bank, New York); Desireevan Welsum, Broadband and the Economy (2007, OECD, Paris);Berkman Center for Internet & Society at Harvard University, NextGeneration Connectivity: A review of broadband Internet transitions andpolicy from around the world (Final Report, February 2010).13 Centre for International Economics, Impacts of Genuine Broad-
band for Australia. (2008, Centre for International Economics,Sydney); Department of Broadband, Communications and theDigital Economy, Drivers of Broadband in Health, (2008, Common-wealth Government, Canberra); Department of Broadband,Communications and the Digital Economy, 21st Century Broad-band. (2009, Commonwealth Government, Canberra); Departmentof Broadband, Communications and the Digital Economy, Aus-tralia's Digital Economy: Future Directions, (2009, CommonwealthGovernment, Canberra).14 William Mitchell, City of Bits: Space, Place and the Infobahn,
(Massachusetts University of Technology Press, 1995), 168; GraceLi, ‘The return of public investment in telecommunications:Assessing the early challenges of the national broadband networkpolicy in Australia’, [2012] 28 Computer Law and Security Review220.
their implementation and in ensuring that their economic
benefits are harnessed.14 No matter their nature, not all net-
works are available to all citizens whether through prohibitive
cost, lack of education, geographic isolation or lack of choicee
broadband technology is no exception. Indeed, the OECD has
recognised the existence of a “broadband divide”15 and, whilst
the Australian NBN is intended to provide equal access to the
network, there are significant constraints upon true equality
being achieved in Australia's diverse urban, regional and
remote communities.
Fortunately, even though ICTs were in their relative in-
fancy at the time of Australia's Federation in 1901, the
Commonwealth Constitution provides that it is the national
Commonwealth Government which has been given exclusive
power to legislate with respect to “postal, telegraphic, tele-
phonic, and other like services” pursuant to section 51(v) of
the Commonwealth Constitution and the transfer of such
powers from the States.16 Historically, the High Court of
Australia has interpreted this head of power in a highly
practical, purposive manner since Federation.17 Accordingly,
Australia-wide legislative competence exists in relation to the
Australian NBN which is highly beneficial as it facilitates both
effective national co-ordinated Commonwealth legislative
oversight and financial backing.
3. Purposes of the Australian NBN
The Australian NBN, like its international equivalents, is
intended to increase productivity. The OECD describes this
purpose, pithily, as the objective to “prime the pump”18 and in
Europe high-speed broadband has been described as “digital
oxygen, essential for Europe's prosperity and well-being.”19
The broad, stated purposes of the Australian NBN have been
described by the Australian Government in its Statement of
Expectations for the NBN in 2010 as including the delivery of a
significant improvement in broadband service quality to all
Australians, addressing the lack of high-speed broadband in
Australia, particularly outside of metropolitan areas, and
reshaping the telecommunications sector.20
15 OECD, Current status of communication infrastructure regulation:Cable television, (Paris: Head of Publications Service, OECD, 1995)http://www.oecd.org/dsti/sti/it/cm/prod/e_96-101.htm.16 Telstra Corporation Ltd v The Commonwealth (2008) 234 CLR 210.17 R v Brislan; ex parte Williams (1935) 54 CLR 262.18 Organization for Economic Cooperation and Development,
Directorate for Science Technology and Industry, Towards aknowledge-based economydrecent trends and policy directions from theOECD. Background paper for the OECD-IPS workshop on promotingknowledge-based economies in Asia, (OECD, 2002) http://www.oecd.org/dataoecd/32/15/2510502.pdf.19 European Commission, Digital Agenda: Broadband Speeds
Increasing but Europe Must Do More, Nov. 25, 2010.20 NBN Rollout: Statement of Expectations, Joint Media Release,
The Hon Julia Gillard MP e Prime Minister, The Hon Wayne SwanMPeDeputy Prime Minister and Treasurer, Senator The HonPennyWong eMinister for Finance and Deregulation, Senator theHon Stephen Conroy e Minister for Broadband, Communicationsand the Digital Economy, Deputy Leader of the Government in theSenate, 20 December 2010, http://www.dbcde.gov.au/__data/assets/pdf_file/0003/132069/Statement_of_Expectations.pdf.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9702
4. The central legal issues e the well-recognised competition law dimension and theneed for greater attention to the cybersecuritycritical infrastructure dimensions
Since its formal introduction in 2009, the Australian NBN has
not had bi-partisan political support and in its early stages it
has faced management challenges and projected cost over-
runs.21 As but one illustration, the politicisation of the
implementation of the NBN is demonstrated most recently by
the introduction of a Bill in March 2014 into the Senate by an
Opposition Senator seeking to force the newly elected Coali-
tion Government to implement NBN Tasmania Ltd's imple-
mentation of the fibre-to-the-premises broadband to
approximately 200,000 premises in Tasmania. The Bill will not
be considered by the Commonwealth Parliament for many
months and is unlikely to pass as the Coalition has control of
the House of Representatives. However and in addition to
well-documented, political and financial challenges facing its
introduction,22 there are many key legal dimensions to a Na-
tional Broadband Network. A central dimension is the
competition law and user access dimension which has been
well scrutinised. However the cybersecurity critical infra-
structure dimension has been significantly overlooked.
It has been said, accurately, that there “is perhaps no issue
more central to the debate about broadband policy than the state and
role of competition.”23 Similarly, end user access and participa-
tion issues have been identified, appropriately, as significant
legal issues24 as have potential concerns about Australia'scompliance with its international trade obligations in relation
to the implementation of the Australian NBN.25 The compe-
tition law issues raise major implications for both consumers
andmarket participants and ultimately influence the ongoing
21 NBN Co Corporate Plan 2012e2015 (6 August 2012).22 Succinctly summarised in Rowan Wilken et al., ‘National,
local and household media ecologies: The case of Australia'sNational Broadband Network’, (2013) Communications, Politics andCulture 136.23 Organization for Economic Cooperation and Development,
Directorate for Science Technology and Industry, Towards aknowledge-based economydrecent trends and policy directionsfrom the OECD. Background paper for the OECD-IPS workshop onpromoting knowledge-based economies in Asia (2002) Retrieved fromhhttp://www.oecd.org/dataoecd/32/15/2510502.pdf; JonathanMacey, ‘Regulatory Globalization as a Response to RegulatoryCompetition’ (2003) 52 Emory Law Journal 1353.24 Mark Cooper, ‘Open Access to the Broadband Internet: Tech-
nical and Economic Discrimination in Closed, Proprietary Net-works’ (1998) 69 University of Colorado Law Review 331; AustralianCompetition and Consumer Commission, Submission to the“National Broadband Network: Regulatory Reform for 21st Cen-tury Broadband Discussion Paper, (2009, Australia); Lucy Crad-duck, ‘The future of the Internet Economy: Addressing challengesfacing the implementation of the Australian National BroadbandNetwork’, Queensland University of Technology, Doctoral Thesis(2010); Stephen Corones & Bill Lane, ‘Shielding Critical Infra-structure Information-Sharing Schemes from Competition Law’
(2010) Deakin Law Review 1.25 Tania Voon and Andrew Mitchell, ‘International Trade Law
Implications of Australia's National Broadband Network’ (2011)35(2) Melbourne University Law Review 578.
value and potential sale value of the Australian NBN.
Competition law issues are premised on economic theory and
their translation into effective antitrust regulation26 e the
need for competitive markets, the regulation (or removal) of
monopolistic practices, the control of abuses of market power
and the delivery of services and information to end users
based on efficient practices and equal information. However,
the Australian NBN, although it is not a government author-
ity,27 is a highly regulated monopoly and will remain so until
its sale. Historically, Australian government infrastructure
monopolies and duopolies (various water, electricity, gas, rail
and aviation State-run enterprises etc.) have been created as
such for a combination of financial and, often, national se-
curity reasons. The NBN has been promoted, predominantly,
as being a necessary monopoly in its start-up stage due to its
high up-front costs so as to enable the roll-out of the network
and for it then to be a corporate vehicle capable of being sold
in due course at high value.
Despite the high security implications of the Australian
NBN, as with other telecommunications systems, consider-
ation of the national security and critical infrastructure as-
pects has been remarkably dilute. This is despite the fact that
the Australian Government announced in July 2010 that “high
speed broadband should be seen as a critical utility service like
water, electricity and gas”.28
Further, when fully implemented, the Australian NBN will
not just be an internal network for Australians within
Australia. Indeed, the Australian NBN is intended to connect
more Australians to the rest of the world e both faster and
more efficiently. In doing so, as Johnson and Post observed
about the growth of the Internet, assumptions about the ca-
pacity of existing legal frameworks to govern its operation and
growth effectively are challenged by its influence across bor-
ders e laws which are historically based on geographical
borders are potentially undermined.29 The cybersecurity
threats arising from the exposure of the Australian NBN to
both national and international impacts has implications both
for its interim and ongoing operations and for its ultimate
sale. The inter-relationship between the critical infrastructure
which is created by the Australian NBN and its national se-
curity role is succinctly captured in the Attorney-General’s
Department's observation about such infrastructures that
they are: “physical facilities, supply chains, information technolo-
gies and communications networks which, if destroyed, degraded or
rendered unavailable for an extended period, would adversely
impact on the social or economic well-being of the nation or affect
Australia's ability to ensure national security.”30
26 See Daniel Clough, ‘Law and Economics of Vertical Restraintsin Australia’ (2001) Melbourne University Law Review 20; News Ltd &Ors v South Sydney District Rugby League Football Club Inc (2003) 215CLR 563 per Kirby J, [118].27 Section 95 of the National Broadband Network Companies Act
2011 (Cth).28 Australian Government, ‘Policy Statements’, Department of
Broadband, Communications and Digital Economy, 20 June 2010.29 David Johnson & David Post, ‘Law and Borders e The Rise of
Law in Cyberspace’ (1996) 48(5) Stanford Law Review 1367, 1367.30 Attorney-General’s Department, Critical Infrastructure Protec-
tion (2009) http://www.ag.gov.au/www/agd/agd.nsf/Page/Nationalsecurity_CriticalInfrastructureProtection.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9 703
What then is meant by the role of the Australian NBN as a
critical infrastructure? The use of the expression “critical
infrastructure”pre-dated theeventsof11September200131 and
was the subject of theUnited States'Critical Infrastructure Planin 1998, but it gained significant notoriety in the post-9/11
aftermath and, in legislative parlance, in its role in the United
States of America's PATRIOT Act 2001. The expression “critical
infrastructure”was defined in the PATRIOT Act as those:
“systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems and
assets would have a debilitating impact on security, national eco-
nomic security, national public health or safety, or any combination
of those matters. …”
32
The technical nature of the Australian NBN is highly com-
plex but relies, in a non-technical sense, upon the physical
network itself (cables, pipes, access nodes etc.), the data and
content which it conveys (telephone communications, email,
messaging etc.) and its customer services (connections, tech-
nical support and billing services etc.). Its inter-relationship
with other critical infrastructures is also both a complicating
factor and a valuable one. As a significant driver of the
Australian telecommunications network it is a critical infra-
structure of the highest ranking, when ICTs themselves have
been ranked by the International Risk Governance Council as
the most significant international critical infrastructure.33 In
Australia it is nowwell recognised that critical infrastructures
are “increasingly e if not exclusively e controlled by computers”34
which reflects the pithy observation made by Condron that in
theUnitedStates of America “[n]etworked computer systems form
the nerve center of the country's critical infrastructure”.35 The
31 In Ted Lewis, ‘Critical Infrastructure Protection in Homeland Se-curity e Defending a Networked Nation’, (John Wiley and Sons Inc,2006) at 2e3 it is suggested that the expression had been evolvingsince the 1962 Cuban Missile Crisis. Further guidance on criti-cality may be found in the Critical Infrastructure Protection RiskManagement Framework for the Identification and Prioritisation ofCritical Infrastructure and Handbook 167:2006 to the AS/NZS 4360:2004 Risk Management Standard.32 Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism (USAPATRIOT Act), 2001. See also Eric Jensen, ‘Computer Attacks onComputer National Infrastructure: A Use of Force Invoking theRight of Self-Defence’ (2002) 38 Stanford Journal of International Law207; Michael Levi and David Wall, ‘Technologies, Security andPrivacy in the Post 9/11 European Information Society’ (2004) 31 2Journal of Law and Society 194; Susan Brenner, ‘Distributed Secu-rity: Moving Away From Reactive Law Enforcement’, (2005) Inter-national Journal of Communications Law and Policy 1.33 International Risk Governance Council, ‘Managing and
Reducing Social Vulnerabilities from Coupled Critical Infra-structures’,(White Paper No 3, 2006) identified the critical in-frastructures as electric power networks, gas supply systems,water supply and waste treatment, rail transport systems; andinformation and communication technology (ICT) systems. Theauthors acknowledged at 57 that there are other important in-frastructures which were not considered such as air, road, waterand multi-modal transport, other aspects of ICT, food delivery,financial services systems, health care and government service.34 Parliamentary Joint Committee on the Australian Crime
Commission (2004), 53.35 Sean Condron, ‘Getting it Right: Protecting American Critical
Infrastructure in Cyberspace’, (2007) 20 Harvard Journal of Law andTechnology 403, 407.
mutual, often circular, inter-relationship between critical in-
frastructures (e.g. the reliance of ICTs on electric power and
vice versa) is also of critical importance to note and the IRGC
has also made the observation of this intricate critical infra-
structureweb that “our societies aremost vulnerable to disruptions
of electric power supply and disruptions to, or degradation of, ICT
services”.36 The Australian NBN is therefore a prime critical
infrastructure e prime in value, as well as a prime target.
In parallel with the rise of critical infrastructure protection
awareness, there has also been a rise in the international37
attention given to, and the obvious need to address, the
cybersecurity dimension to the point where it also became
one of Australia's national security priorities under the
former Australian Prime Minister's 2008 National Security
Statement. The Australian Government defines cybersecurity
broadly as: “[m]easures relating to the confidentiality, availability
and integrity of information that is processed, stored and commu-
nicated by electronic or similar means.”38 By its very nature, the
Australian NBN is potentially riddled with cybersecurity im-
plications which “include computer viruses and malicious
code, hackers and saboteurs, data breaches, data and identity
theft, electronic fraud and other criminal activity as well as
intellectual property issues.”39 Research in relation to the
cybersecurity of critical infrastructures is an emerging area
which has been noted, accurately, to require further exten-
sive new research.40 The North American Electric Reliability
Corporation (NERC) established cybersecurity standards for
critical infrastructures which follows the SCADA (supervisory
control and data acquisition) framework and involves four
significant components: a) real-time monitoring, b) anomaly
detection, c) impact analysis, and d) mitigation strategies.41
Further suggestions for enhanced cybersecurity of critical
infrastructures have involved “attack-tree” modelling based
on algorithms to evaluate both password policies and port
36 IRGC White Paper No. 3, above n 33, 12.37 Creation of a Global Culture of Cybersecurity and the Protection of
Critical Information Infrastructures, GA Res 199, UN GAOR, 58thsession, 78th plenary meeting, UN Doc A/Res/58/199 (30 January2004); Creation of a Global Culture of Cybersecurity and Taking Stock ofNational Efforts to Protect Critical Information Infrastructures, GA Res64/211, UN GAOR, 64th session, UN Doc A/Res/64/211, (17 March2010); K Andreasson (Ed), ‘Cybersecurity e Public Sector Threats andResponses’, (CRC Press, Taylor and Francis Group, 2011).38 Australian Government, Cyber Security Strategy, Common-
wealth of Australia, 2009.39 Nigel Wilson, ‘E-Risks and Insurance in the Information Age’
(2011) 24 New Zealand Universities Law Review 550, 554; UnitedNations Conference on Trade and Development InformationEconomy Report 2005 UNCTAD/SDTE/ECB/2005/1 (2005), 200; SIFTInformation Security Services Future of the Internet Project e Reli-ability of the Internet (2007) www.dbcde.gov.au [the SIFT Report](commissioned by the Australian Department of Communica-tions, Information Technology and the Arts (DCITA)).40 Ten Chee-Wooi et al., ‘Cybersecurity for Critical In-
frastructures: Attack and Defense Modeling’ (2010) 40 IEEETransactions on Systems, Man and Cybernetics - Part A: Systems andHumans 853, 863.41 NERC Tech. Rep. Cybersecurity Standards.http://www.nerc.
com/filez/standards/Cyber-Security-Permanent.html.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9704
auditing techniques.42 In the United States, the US-CERT has
established national SCADA test-beds for the purpose of
testing the cybersecurity of critical infrastructures, predom-
inantly energy networks,43 and cybersecurity work-plans44
and detailed cybersecurity guidelines to ensure consistency
in procurement language45 are publically available. What
then is known of the cybersecurity measures relating to the
Australian NBN?
Historically, Australian national cybersecurity policy has
relied upon general legislative provisions and whilst the
Australian NBN is the subject of its own suite of detailed
legislation,46 nowhere in the Australian NBN “legislative suite”
is there any provision for specific cybersecurity or critical
infrastructure protections for the Australian NBN itself.
Instead, such protections are left to the general, existing law.
Australia's extensive cybersecurity legal framework is the
subject of considerable Commonwealth and State and Terri-
tory legislation47 as well as extensive cybersecurity educa-
tional programmes.48 Of particular potential relevance in the
context of critical infrastructure measures are the Ministerial
powers to protect designated critical infrastructure pursuant
to the Defence Act 1903 (Cth) and the ability to “call out” the
Australian Defence Forces in a situation where the Minister
believes on reasonable grounds that there is a threat of
damage or disruption to a critical infrastructure and that it
42 Port auditing techniques are employed to ensure that acomputer system is free from malicious threats which mightcompromise the system by the use of local security checks, rootaccess, remote file access, default account, Trojan horse, worm,or possible backdoor attacks; see Chee-Wooi, above n 40, 859.43 J. Tang et al., ‘The CAPS-SNL power system security test bed,’
Proceedings of the 3rd CRIS, Alexandria, VA, September 2006; Gio-vanna Dondossola et al., “Emerging information technology sce-narios for the control and management of the distribution grid,’Proceedings of the 19th Int. Conf. Exhib. Elect. Distrib., Vienna,Austria, March 21e24, 2007.44 Department of Energy/Office of Electricity National SCADA
Test Bed Fiscal Year 2009 Work Plan http://energy.gov/oe/downloads/doeoe-national-scada-test-bed-fiscal-year-2009-work-plan.45 Energy Sector Control SystemsWorking Group, ‘Cybersecurity
Procurement Language for Energy Delivery Systems’, April 2014,http://energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf.46 National Broadband Network Companies Act 2011 (Cth); Telecom-
munications Legislation Amendment (National Broadband NetworkMeasuresdAccess Arrangements) Act 2011 (Cth).47 Commonwealth legislation includes the Criminal Code Act 1995
(Cth) (as amended by the Cybercrime Act 2001 (Cth)), the Telecom-munications (Interception and Access) Act 1979 (Cth), the Spam Act2003, the Telecommunications Act 1997 (Cth) and the Privacy Act1998 (Cth), the Surveillance Devices Act 2004 (Cth), the IntelligenceServices Act 2001 (Cth) and the Australian Security IntelligenceOrganisation Act 1979 (Cth).48 For example, the Stay Smart Online, Scamwatch, FIDO and
Stay Safe Online programmes, together with the Australian HighTech Crime Centre and AusCERT, Australia's National ComputerResponse Team. However, an Australian Institute of Criminologysurvey suggested that 79 per cent of the businesses surveyedwere unaware of these initiatives; Australian Institute of Crimi-nology The Australian Business Assessment of Computer User Security:A National Survey (AIC Research and Public Policy Series 102, 2009),48.
would or could endanger Australians.49 At present, Australian
Government policy in relation to critical infrastructure pro-
tection has been to take a deliberately “non-regulatory
approach to critical infrastructure. This approach recognises
that in most cases, the owners and operators of critical
infrastructure are best placed to manage risks to their opera-
tions and determine the most appropriate mitigation strate-
gies.”50 In 2010 Cook made the observation that whilst “the
NBN will bring high speed internet to more homes and busi-
ness than ever before, there is, as yet, no corresponding se-
curity strategy that is aimed to match these developments in
anywhere near the same size and scale”51 and contended that
Public-Private Partnerships (PPPs), even partnering with Non-
Government Organisations (NGOs), would be an effective
method (both in cost and outcome) to achieve greater cyber-
resilience.52 As a consequence of current national policy to
leave critical infrastructure protection measures to their
owners and operators, the likelihood of specific legislative
measures in relation to the Australian NBN is unlikely and
Cook's suggestion for PPP-based initiatives to be implemented
has not occurred to date. However, other non-legislative
cybersecurity measures are being taken, internationally and
in Australia, through the use of critical infrastructure protec-
tion, or more recently, resilience-based programmes.53
5. The Trusted Information Sharing Networkfor Critical Infrastructure Protection (TISN) ecould it shed some light?
Following its international counterparts, in the last decade
Australia has established dedicated critical infrastructure
protection programmes and associated information sharing
mechanisms. These strategies mirror elements of the inter-
national critical infrastructure programmes such as the Eu-
ropean Union's European Programme for Critical
Infrastructure Protection (EPCIP) which is the subject of a Eu-
ropean Commission directive requiring Operator Security
49 Rob McLaughlin, ‘The Use of Lethal Force by Military Forceson Law Enforcement Options e Is There a ‘Lawful Authority’?’(2009) 37(3) Federal Law Review 441; see also Michael Head, ‘TheMilitary Call-Out Legislation d Some Legal and ConstitutionalQuestions’ (2001) 29 Federal Law Review 273; Michael Head, ‘Aus-tralia's Expanded Military Call Out Powers: Causes for Concern’,(2006) 3 University of New England Law Journal 125; Michael Head,‘Military Call-out Powers Expended: Disturbing Questions Posed’(2006) 31 (2) Alternative Law Journal 83; Cameron Moore, ‘Callingout the Troops e The Australian Military and Civil Unrest: TheLegal and Constitutional Issues by Michael Head’ (2009) 33 (3)Melbourne University Law Review 1022.50 Critical Infrastructure Resilience Strategy, (Australian Gov-
ernment, 2010), 14.51 David Cook, ‘Mitigating cyber-threats through public private
partnerships: low cost governance with high impact returns’,Proceedings of the 2010 International Cyber Resilience Conference ICR2010, 22-30,Edith Cowan University, Perth, Western Australia, 26.52 David Cook, 2010, n 51.53 See Benoı̂t Robert et al., Organizational resilience e Concepts and
evaluation methodology, (Montreal, Presses Internationales Poly-technique); Fr�ed�eric Petit et al., ‘Developing and index to assessthe resilience of critical infrastructure’ (2012) International Journalof Risk Assessment and Management, 16 (1/2/3), 28e47.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9 705
Plans to identify the infrastructure, its major threat scenarios
and vulnerabilities and to formulate detailed counter-mea-
sures.54 Similarly, the United Kingdom's Centre for the Pro-
tection of National Infrastructure provides information and
advice to critical infrastructure organisations in the United
Kingdom. In the United States of America the Critical Infra-
structure Protection Programme is even more advanced and
has operated since 1996. In 2013 it was the subject of a
detailed, revised National Plan entitled “NIPP 2013: Partnering
for Critical Infrastructure Security and Resilience”55 as a result
of the President's call for an updated national plan56 and an
Executive Order57 requiring the Federal Government to coor-
dinate with critical infrastructure owners to improve cyber-
security information sharing and develop and implement
risk-based cybersecurity solutions.
In 2003, and before the introduction of the Australian NBN,
the Australian Commonwealth Government implemented the
Trusted Information Sharing Network for Critical Infrastruc-
ture Protection.58 In 2008 a programme entitled “Cyber Storm II”
considered simulated scenarios across four critical in-
frastructures, namely communications, energy, banking and
finance and water.59 However, the project was confidential.
Corones and Lane have examined the competition law risks
which may arise from the sharing of security information
between competitors who are participants in such
information-sharing networks. They have identified that
Australian lawmay require the introduction of a defence so as
to protect such information sharing arrangements, consistent
with developments in the United States of America.60 Their
recommendation, based on competition law grounds, has not
been adopted. So it remains that in 2014 much information
relevant to the cybersecurity dimensions of the Australian
NBN remains commercially confidential to the entities
involved or to confidential networks of critical infrastructure
organisations with the possibility that in doing so competition
law risks are prevalent. Why do we need to know more about
54 European Programme for Critical Infrastructure Protection(EU COM (2006) 786 final) e Official Journal C 126 of 7.6.2007;Madelene Lindstrom, ‘The European Programme for CriticalInfrastructure Protection’, in Lindstrom and Olsson, Crisis Man-agement in the European Union, (2009, Springer), 37.55 US Department of Homeland Security, “NIPP 2013: Partnering
for Critical Infrastructure Security and Resilience”, 2013.56 The White House, Presidential Policy Directive 21 e Critical
Infrastructure Security and Resilience, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.pdf.57 The White House, Executive Order 13636 e Improving Critical
Infrastructure Cybersecurity, http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.58 Now styled as the Trusted Information Sharing Network for
Critical Infrastructure Resilience.59 Attorney-General’s Department, Security and Critical Infra-
structure Division, Cyber Storm II National Cyber Security ExerciseFinal Report (August 2008). The other five Infrastructure AssuranceAdvisory Groups are transport, emergency services, health, foodchain and mass public gatherings.60 Corones and Lane, 2010, above n 24; see also John Han,
‘Antitrust and Sharing Information about Product Quality’, (2006)73 University of Chicago Law Review 995 and Amitai Aviram andAvishalom Tor, ‘Overcoming Impediments to InformationSharing’, (2004) 55 Alabama Law Review 231.
the cybersecurity critical infrastructure dimensions of the
Australian NBN?
6. The Australian NBN e a cybersecurity“force-multiplier” or a “disaster waiting tohappen”?
From a competition law perspective, the regulation of the
Australian NBN is occurring within the traditional access
regime arrangements with highly tailored arrangements for
the various telecommunications technologies. As referred to
above, if competition law issues are recognised as one of the
greatest legal issues facing the Australian NBN but no special
treatment is being meted out on that front, then it could be
said to be unrealistic, superficially, to suggest that special
treatment is necessary on any other legal front: cybersecurity,
critical infrastructure or otherwise. Further, and based on a
much more theoretical premise, the whole concept of tech-
nology neutrality61 in modern regulation, which has been
much lauded with the rise of ICTs nationally and interna-
tionally, could be said to dictate a similar outcome e no spe-
cial treatment. Turning from theory to practice, today'sAustralian NBN may be tomorrow's Overland Telegraph Line
(the telegraph line built in the 1870s over 3200 km between
Adelaide, South Australia, and Darwin, in the Northern Ter-
ritory, which enabled Australia to be connected to the rest of
the world via undersea cable to Indonesia). With ongoing
changes in technology not only expected but championed in
the Digital Age, for the Australian NBN to be singled out for
special legal treatment may give rise to even more significant
legal issues or potential on-costs which may ultimately be
counter-productive to its perceived benefits.
However, are there reasons to be sensitive, even hyper-
sensitive, towards a vast, highly expensive, publically-
funded infrastructure project which is recognised as being
both national in its operation and international in its
outreach? Indeed, one which is in the highest ranking of
critical infrastructures and the means through which, ulti-
mately, the vast majority of Australians, Australian busi-
nesses and governments are intended to communicate and
conduct their daily work and activities.
Whilst the Australian NBN is in its infancy, the cyberse-
curity threat is real and concerns have already been
expressed. Tellingly in the context of the cyber-threat risks
associated with the Australian NBN, Mr Graham Ingram,
General Manager of the Australian Computer Security
Response Team (CERT) said in 2011: “Everything bad you can do
online you can do much better and faster with a high-speed
network.”62 Further, an early case which raised public sensi-
tivity about the potential security of the Australian NBN
61 Chris Reed, ‘Taking Sides on Technology Neutrality’, (2007) 4SCRIPTed 263; Yoo, Beyond Network Neutrality, (2005) 19 HarvardJournal of Law and Technology 1; Nigel Wilson, ‘Regulating the In-formation Age e How will we cope with technological change?’(2010) 33 Australian Bar Review 120; Kayleen Manwaring, ‘NetworkNeutrality: Issues for Australia’ [2010] 26 Computer Law and Secu-rity Review 630.62 The Australian, ‘Cyber-attack alert for National Broadband
Network’, (28 July 2011).
68 CERT, above n 63 at 6.69 NBN Co Limited (2010), Product and Pricing Overview for Access
Seekers, Version 2.0, Sydney; NBN Co Limited. (2010), Building OurNational Broadband Network, Sydney; NBN Co Limited. (2012),
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9706
involved a hacker charged with unauthorised modification of
data of the telecommunications provider Platform Networks.
The telecommunications company involved, Platform Net-
works, was at the time signed as an Australian NBN retail
service provider but, in fact, was not actively performing that
role at the time of the offence. The accused was given a two
year jail sentence after pleading guilty. Similarly, in the
context of potential service providers to the Australian NBN
itself, the Commonwealth Government banned a Chinese
telecommunications vendor, Huawei Technologies Co Ltd,
from participating in the Australian NBN due to national se-
curity concerns in 2012 and the ban remains in place under
the new Coalition Government.
The Australian NBN's speed and capability is not without
significant risks and in its submission to the Senate Select
Committee on the Australian NBN, CERT stated that the
AustralianNBNwouldbeacyber-crimeenabling infrastructure:
It is assessed that the NBN has the potential to be a force-
multiplier for cybercrime attacks directed at Australian net-
works and information systems because cyber criminals are
attracted to attack, compromise and use systems with high speed
broadband access.63
Indeed, CERT forecast that if current approaches to cyber-
crime by both government and industry did not significantly
change, then gains from the Australian NBN would be seri-
ously undermined.64 Of significant importance was the
observation made by CERT that, whilst its submission only
addressed specific aspects of the Select Committee's Terms of
Reference, it noted, pointedly, that:
- the implications for cyber security for Australia as a result of the
roll out of the NBN; and
- the security of the NBN itself are not specifically part of the
terms of reference, which is concerning as it may mean that
important cyber security issues are not addressed during the
design, planning and implementation of the NBN. Attempting to
retrofit security to the NBN would be disastrous.65
These observations were based upon CERT's own experi-
ence since 2003 together with both OECD and industry
research that “the level of malicious Internet activity and cyber-
crime increases in proportion to the availability of, high speed
broadband services.”66 CERT observed that an unintended
consequence of surpassing broadband speeds which are
currently available in other countries may make Australia “a
preferred destination” by cybercriminals seeking to host
cyber-attacks which are aimed both at Australian and inter-
national targets.67
63 CERT Submission to the Senate Inquiry, www.auscert.org.au/download.html?f¼496, 2.64 CERT, ibid n 63, 2.65 CERT, above n 63, 3.66 CERT/CC (2005), Botnets a vehicle for online crime, www.cert.
org/archive/pdf/Botnets.pdf; OECD, Malicious Software (Malware)e A Security Threat to the Internet Economy. http://www.oecd.org/dataoecd/53/34/40724457.pdf, at 26; https://www.linx.net/files/hotlinx/hotlinx-17.pdf, p 3.67 CERT, above n 63, 6.
Of critical importance from a cybersecurity perspective is
the further observation by CERT that:
A key concern with the NBN, as with the existing telecommuni-
cation backbone network, is that there will be little or no security
built into the NBN backbone network. Rather, as currently ap-
plies, it will be increasingly important for the end points to bear
the major responsibility and burden for security measures, which
is already resource intensive, complex and challenging.68
It is noteworthy that the language adopted by CERT, an
Australian government agency, reflected the government'sown definition of cybersecurity emeasureswhich relate to the
confidentiality, availability and integrity of information that is
processed, stored and communicated by the Australian NBNe
and that CERT observed that there is little or no cybersecurity
built into the NBN backbone network and that end points (or
end users) will bear that responsibility and burden. Can any
better information or comfort be drawn from other sources?
7. Insufficient cybersecurity information iscurrently available about the NBN
Over and above the highly cautionary, and concerning, ob-
servations by CERT, are there other sources of information
regarding the state of cybersecurity in the Australian NBN?
There are three sources at least for this information e the
legislation enacting the Australian NBN, publically released
information and judicial scrutiny to date.
As noted above, the Australian NBN legislation contains no
specific provisions in relation to critical infrastructure pro-
tection or cybersecurity and the Australian NBN is therefore
wholly reliant on the existing general law, both statute and
common law. Based upon government policy in relation to
critical infrastructure, further legislative intervention is un-
likely. Similarly, the public release of information has also
tended to be limited to generic, catchphrase-type information
associated with the need for cybersecurity in relation to the
Australian NBN but with little detail.69
Interestingly, the Australian NBN's operations to date have
been the subject of quite extensive judicial scrutiny. Whilst
the cases have been predominantly civil in nature, some, for,
example, relating to the planning implications associated
with the Australian NBN rollout,70 the major emphases have
Corporate Plan 2012e2015, Sydney, NBN Co Limited, (2013).70 Richter v South Gippsland SC [2013] VCAT 2120 in which the
Victorian Civil and Administrative Tribunal refused an applica-tion for the installation by NBN Co of a 30 m telecommunicationspolicy and related facilities 500 m from the applicant's residencein country Victoria and 700 m from the country town centre. TheTribunal acknowledged at [9] that there “is strong planning policysupport for structures associated with the National BroadbandNetwork. This is a government initiative that is intended toimprove connections for all Australians, and the rollout of thisnetwork has been given emphasis in the planning scheme.”
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9 707
been requests for information about its commercial opera-
tions. Requests for information in relation to the Australian
NBN pursuant to the Freedom of Information Act 1982 (Cth)
provisions have been regularly made. In a different, but
related, context, Voon and Mitchell have made a call for
greater publically assessable information to be released in
order to ensure the Australian NBN's compliance with its in-
ternational trade obligations.71 However, to date this call has
been ignored.
As an analysis of the freedom of information cases to date
demonstrates, even in the early stages of the Australian NBN'soperations there are tensions between the commercial
sensitivity and competitiveness of the NBN Co, the Govern-
ment's role in its operations and the public interest in the
release of information regarding Australia's most significant
infrastructure project this century.
7.1. Telstra Corporation Limited and Department ofBroadband, Communications and the Digital Economy72 e
access granted to NBN documents which are in the “publicarena”
Telstra Corporation Limited (Telstra) made three requests to
the Department of Broadband, Communications and the
Digital Economy (DBCDE) for access to documents under the
Freedom of Information Act 1982 (the FOI Act). DBCDE gave access
to some of the documents requested but contended that two
were exempt from access on the basis that they were Cabinet
documents within the meaning of s 34 of the FOI Act. Deputy
President Forgie of the Administrative Appeals Tribunal held
that the two documents were not submitted to Cabinet or a
Committee of Cabinet. DBCDE also contended that the two
documents, together with three further documents which fell
within the terms of the request by Telstra for access, should
not be released as to do so would involve the disclosure of
“deliberative processes involved in the function of an agency or
Minister or of the Government of the Commonwealth” and be
contrary to the public interest within themeaning of s 36(1) (b)
of the FOI Act.
Deputy President Forgie held:
… there is a public interest in an informed debate about the
regulation of the telecommunications industry.…there is a public
interest in ensuring that the telecommunications industry is
regulated fairly and appropriately. That finding has nothing to do
with the fact that the Australian community continues to be the
majority shareholder in Telstra. It has everything to do with the
vital importance of an adequate telecommunications system,
including a National Broadband Network, in Australia howso-
ever and whosoever provides it. Whether regard is had to the
conduct of business, the defence and security of the country, the
conduct of its local, State and Commonwealth governments, its
educational facilities, its emergency services, its community ac-
tivities and the way in which its inhabitants manage their per-
sonal and financial affairs and maintain their family and social
71 Tania Voon and Andrew Mitchell, ‘International Trade LawImplications of Australia's National Broadband Network’ (2011)35(2) Melbourne University Law Review 578.72 [2010] AATA 118.
interaction, a telecommunications system that meets Australia's
current and future and expanding needs is vital.73
Deputy President Forgie held that the balance lay in favour
of disclosure. This conclusion was based, amongst other
things, on the finding that the Government had put its request
for one of the documents, an Australian Competition and
Consumer Commission (ACCC) report, and the topic to which
it related “squarely in the public arena”. The ACCC report
subsequently took a central role in proceedings before the
Australian Competition Tribunal (ACT) in which it was held
that the report contained information relevant to a critical
issue before the ACT relating to how Telstra's “unconditioned
local loop service” (ULLS) price structure should occur. Tell-
ingly, Deputy President Forgie held that disclosure was “rele-
vant in informing public debate on the maintenance of an effective
system of telecommunications in Australia. Its disclosure is consis-
tent with the public interest in the administration of justice. An in-
tegral part of that public interest is the transparency of
proceedings.”74
7.2. Crowe and NBN Co Ltd75 e refusal to grant accessto NBN's points of interconnect information
In 2011 the Freedom of Information Commissioner (the FOI
Commissioner) affirmed the decision of NBNCo Limited (“NBN
Co”) which had held that NBN Co was not an entity that was,
at that time, subject to the FOI Act. This was because at the
time of the request it was not a “prescribed authority” pur-
suant to Section 4(1) of the FOI Act and NBN Co had not been
declared by the regulations to be a prescribed authority for the
purposes of the FOI Act. The FOI Commissioner confirmed the
refusal of access to NBN Co's submissions to the ACCC
regarding the determination of the number and location of
Points of Interconnect (POI) for the Australian NBN. The de-
cision demonstrates that the novelty of the NBN Co, which
was not at the time of the request a prescribed authority, had
implications upon the legal capacity for a request under the
FOI Act to be met effectively.
7.3. Internode Pty Ltd and NBN Co Ltd76 e refusal togrant access to certain of NBN's arrangements with Telstra
A similar outcome to the result in the Crowe decision was
reached by the FOI Commissioner in Internode Pty Ltd and NBN
Co Ltd but by a different path. In this case Internode Pty Ltd
sought disclosure of four agreements made between NBN Co
and Telstra which translated financial heads of agreement
which had been signed in June 2010 into legally binding
agreements, provided for the use by NBN Co of Telstra'sinfrastructure and related to the decommissioning of some of
Telstra's network capability during the rollout of the Austra-
lian NBN which had been valued at $9 billion. On this occa-
sion, the FOI Commissioner held that NBN Co was subject to
73 Telstra Corporation Limited and Department of Broadband, Com-munications and the Digital Economy [2010] AATA 118, [228].74 Telstra Corporation, ibid n 73, [237].75 [2011] AICmr 1 (25 January 2011).76 [2012] AICmr 4 (20 January 2012).
79 [2012] AICmr 15 (Fletcher (No.3)), (16 May 2012).80 Fletcher (No.3), ibid n 79, [20].81 Homeland Security Act of 2002, H. R. 5005, 107th Cong, x214(a)
(1) (2002).82 Kristen Uhl, ‘Freedom of Information Act Post-9/11: Balancing
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9708
the FOI Act because, on 11 June 2011, the Telecommunications
Legislation Amendment (National Broadband Network Measur-
esdAccess Arrangements) Act 2011 (Cth) changed the definition
of ‘prescribed authority’ in s 4(1) of the FOI Act to include NBN
Co. However, the FOI Commissioner held that NBN Co was
exempt from its operation in relation to documents which
were held to have been brought into existence in the course of,
or for the purposes of, the carrying on of its commercial
activities.
7.4. FOI applications by Mr Paul Fletcher MP regardingthe NBN
A number of applications have beenmade by Mr Paul Fletcher
MP pursuant to the FOI legislation for information relating to
the Australian NBN's operations.
In the first case in 2012, Fletcher and Department of Broad-
band, Communications and the Digital Economy,77 the FOI
Commissioner affirmed the decision of the DBDCE to reduce
the charge applicable to the FOI request byMr Fletcher under s
29 of the FOI Act by 50%. Mr Fletcher sought the disclosure of
documents relating to Lazard Australia Pty Limited (Lazard)
which had been appointed to advise the Australian Govern-
ment in relation to the arrangements entered into between
the Government, Telstra Corporation Limited (Telstra) and
NBN Co regarding the Australian NBN. Mr Fletcher contended
that the Australian NBN represented a substantial investment
of public funds and that there was no publicly available in-
formation about the process by which Lazard had been
appointed and that therefore there was a general public in-
terest in understanding how these public funds were utilised.
The DBCDE agreed with Mr Fletcher's argument and held that
there was likely to be a general public interest in the release of
documents relating to the administration of a government
procurement process involving public funds and the selection
of a commercial entity to provide services to the DBCDE. The
FOI Commissioner agreed that the documents requested were
in the general public interest and the approved the reduction
of the fee by 50%.
In the second case in 2012, Fletcher and Department of
Broadband, Communications and the Digital Economy (No. 2),78 Mr
Fletcher sought disclosure of information in relation to anal-
ysis, or briefings provided by DBCDE to the Minister and the
Minister's Office relevant to the decision to move to the FTTP
(fibre-to-the-premises) process and establish the NBN Co be-
tween 30 June 2008 and 30 June 2009. As in the earlier case, Mr
Fletcher submitted that therewas significant public interest in
the project but that there was little information publicly
available about the Government's decision to shift from a
fibre-to-the-node network to a (more expensive) FTTP
network and that the need to understand the rationale for the
decision to build the network with public funds could not be
greater. DBCDE accepted Mr Fletcher's argument about the
general public interest in the documents in question and
again the FOI Commissioner agreed. In this case, Mr Fletcher
sought a full waiver of the fee but the FOI Commissioner
agreed with the DBCDE that the fee for disclosure should be
77 [2012] AICmr 1 (Fletcher (No.1)), (6 January 2012).78 [2012] AICmr 14 (Fletcher (No.2)), (16 May 2012).
reduced by 50% again, primarily due to the work involved by
the DBCDE in processing the request.
In the third case in 2012, Fletcher and Department of Broad-
band, Communications and the Digital Economy (No. 3),79 Mr
Fletcher sought disclosure of information regarding the deci-
sion to establish the Broadband Champions Program and the
process of selecting champions including criteria used and
persons approached. Again, disclosure was not objected to by
DBCDE but on this occasion its decision to reduce the fee by
25% was amended by the FOI Commissioner to a reduction of
50%. The FOI Commissioner observed that the Broadband
Champions Program was relatively small program in the
context of the nature and public interest in the Australian
NBN.80
The recent Australian cases emphasise the potential for
FOI applications to be made for documentation relating to the
Australian NBN, even of sensitive commercial interest. How-
ever, to date no such application has been made for infor-
mation in relation to cybersecurity or critical infrastructure
protections in place within the Australian NBN. In all likeli-
hood, such an application would be refused on various
grounds including commercial confidentiality. It is note-
worthy that Australia has not proceeded down the path taken
by the United States of America of enacting a critical infra-
structure exemption within its FOI Act. In the United States,
critical infrastructure information (including the identity of
the submitting person or entity) that is voluntarily submitted
to a designated Federal agency for use by that agency
regarding the security of critical infrastructure and protected
systems is exempt from disclosure under the United States
Freedom of Information Act.81 Uhl contends that the United
States' provision is redundant in its effect and counter-
productive to building (or re-building post September 11,
2001) trust in critical infrastructures which, being predomi-
nantly privately owned, have access to and retain an
increasing amount of citizen's personal information and
data.82
8. Conclusion
The legal implications of the Australian NBN are vast and are
only starting to emerge and to receive judicial scrutiny. Its
implementation has involved the enactment of a suite of
Commonwealth legislation and in its formative stages
emphasis has been given, not surprisingly, to competition law
and access issues. Despite information technology being in
the top five critical infrastructures internationally, a critical
infrastructure perspective regarding the NBN has had little
public attention. Due to the confidential nature ofmuch of the
NBN's operations, the security aspects of the project have only
been lightly scrutinised and the release of information,
the Public's Right to Know, Critical Infrastructure Protection, andHomeland Security’ (2003e2004) 53 American University Law Re-view 261.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 9 9e7 0 9 709
principally under the Freedom of Information Act, has been
limited.
As Condron has observed in the context of critical infra-
structure protection in the United States:
The United States cannot afford to get this wrong. Failure to
properly protect the computer systems and networks of the na-
tion’s critical infrastructure could result in catastrophic conse-
quences for the United States. As Leonardo da Vinci put it, [ i]t is
easier to resist at the beginning than at the end.83
The Australian NBN could learn much from these words
which have long stood the test of time. Paradoxically, greater
scrutiny will provide enhanced security for both the network
itself and for Australian users and will also provide for more
secure and reliable engagement with Australia's international
trading partners and enhance national prosperity and
competitiveness.84
The massive public investment which is being made in the
Australian NBN demands transparency throughout the proj-
ect.85 Further, given the need for a high level of trust in, and
the immense reliance upon, the Australian NBN, consumer
and business confidence can only be enhanced by more, not
83 Sean Condron, ‘Getting it Right: Protecting American CriticalInfrastructure in Cyberspace’, (2006e2007) 20 Harvard Journal ofLaw and Technology 403; See also Janine S. Hiller & Roberta S.Russell, ‘The challenge and imperative of private sector cyber-security: An international comparison’ [2013] 29 Computer Law andSecurity Review 245.84 Dirk Van Rooy and Jacques Bus, “Trust and privacy in the
future internet e a research perspective” (2010) 3 Identity in theInformation Society 398.85 Grace Li, 2012, above n 14, 225.
less, awareness of the critical infrastructure implications of
the NBN for Australia's future, particularly if what is being
expected of them is to take their own measures to effectively
secure their own domains and at their own cost. Much more
information is required for the public to be in a position to do
so effectively. In addition, extensive cybersecurity research is
required into this new Australian critical infrastructure, as in
the United States, through the establishment, for example, of
test-beds and working groups involving interdisciplinary
research teams and meaningful engagement with industries,
both the Australian NBN itself and associated users and small
to medium enterprises (SMEs). As a critical infrastructure, the
Australian NBN will be a prime target of cybersecurity attacks
and will potentially be a “force-multiplier” in their creation.
Properly designed and implemented, there could be signifi-
cant cybersecurity benefits, in effect a countervailing force, by
the implementation of the Australian NBN which is cyberse-
curewhich can enhance the detection of cybersecurity threats
and reduce their effectiveness. As CERT has cautioned, but
remains far from clear based on available information,
cybersecurity issues should be addressed during the design,
planning and implementation of the Australian NBN as “to
retrofit security to the NBN would be disastrous.”86
86 CERT, above n 63, 3.