The increasing reliance on space-based assets for navigation, communications, and remote sensing makes space infrastructure an attractive target for malicious cyber actors. With the democratisation of space and rapid growth of the commercial space industry, the Australian government has over the years stepped up the regulatory governance of Australia’s critical infrastructure to manage strategic risks facing these assets.
This is in part demonstrated by the suite of law reform that occurred between late 2018 and 2021, which included a series of amendments to the Telecommunications Act 1997 (Cth) (Telecommunications Act) and the Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act). The SoCI Act defines the ‘space technology sector’ to be a critical infrastructure sector. The ‘space technology sector’ refers to the sector of the Australian economy that involves the commercial provision of space-related services. This definition acknowledges the shift in the risk landscape from the traditionally government-monopolised space domain to the commercial space sector.
Understanding space systems
Space systems involve different components of systems and assets generally comprising a variation of three primary ‘segments’, namely:
- ground segment: consisting of space systems physically located on earth, for example, launch facility, ground station, and control centre;
- space segment: consisting of space-based objects such as satellites and payloads; and
- link segment: consisting of the signal transmission and communications of network, which can be ground-to-space, space-to-space, or ground-to-ground network connections.
‘Critical space technology assets’
The SoCI Act defines a number of:
- ‘critical infrastructure sectors’, one of which is the ‘space technology sector’; and
- within those sectors, classes of ‘critical infrastructure assets’.
The SoCI Act provides a list of space-related services falling within the ambit of the ‘space technology sector’. This includes commercial services with respect to the position, navigation, and timing services in relation to space objects, space situational awareness services, space weather monitoring and forecasting, communications, tracking, telemetry and control in relation to space objects, remote sensing earth observations from space, and facilitating access to space. This definition would capture assets such as ground stations, control centres, and satellites assembly sites.
Notwithstanding that the space technology sector has been identified as a critical sector, the SoCI Act does not specifically define any categories of critical space technology assets. Certain critical space technology assets such as telecommunications networks (signals and communications) and facilities (towers, equipment, antennas) may still be captured under the SoCI Act as ‘critical telecommunications assets’, and entities responsible for such assets are usually also captured as carriers or carriage service providers under the Telecommunications Act.
Although assets relating to the space technology sector are not officially prescribed as critical infrastructure assets by the regulations, a space technology asset can still be captured by the SoCI Act if it is:
- prescribed by the Minister for Home Affairs under section 9(1)(f) of the Act;
- privately declared by the Minister Home Affairs to be a critical infrastructure asset under section 51 of the Act; or
- privately declared by the Minister Home Affairs to be a system of national significance under section 52B of the Act.
Security of critical infrastructure obligations
Most of the obligations under the SoCI Act are only enlivened if prescribed by the regulations, which is now the case for many of the legislation’s core requirements. The implications of being an entity responsible for a critical infrastructure asset, such as the reporting and notification obligations, are discussed in length in our earlier article. One of the most involved obligations under the SoCI Act entails preparing, implementing and maintaining a risk management program as we discussed here.
At the time of writing, ‘critical telecommunications assets’ are not prescribed for any of the obligations enlivened by the regulations, likely due to the corresponding obligations under the Telecommunications Act, as discussed below.
Security obligations under the Telecommunications Act
The Telecommunications Act sets out a number of security obligations for a:
- carrier, that is, an entity that owns a network unit (such as satellite-based facility) that supplies carriage services (service for carrying communications by means of guided and/or unguided electromagnetic energy); and
- carriage service provider, being a person who supplies or proposes to supply listed carriage service to the public using a network unit owned by one or more carriers.
The Telecommunications (Carrier Licence Conditions—Security Information) Declaration 2022 (Cth) (Carrier Licence Conditions) outlines certain licence conditions for a carrier. These obligations largely mirror the obligations contained in the SoCI Act, for example, the obligation to:
- provide ‘operational information’ (and ‘interest and control information’ of a direct interest holder) in relation to each asset of the carrier; and
- report critical and other non-critical cyber security incidents to the Government within prescribed timeframes.
There are identical provisions for a carriage service provider under the Telecommunications (Carriage Service Provider—Security Information) Determination 2022 (Cth).
One of the noticeable differences between the SoCI Act and the Telecommunications Act is in respect of the range of assets captured by the reporting obligations. While the ‘critical telecommunications assets’ under the SoCI Act only apply to telecommunications networks and facilities, the Carrier Licence Conditions apply to a broader range of assets referring to ‘all tangible assets’ including components of a telecommunications network (which may include the different segments of a space system), computers, computer devices, computer programs and computer data.
Other general security obligations
In addition, there are other general security obligations under the Telecommunications Act. For example:
- a carrier and carriage service provider must ‘do its best’ to protect telecommunications networks and facilities it owns or operates from unauthorised interference or access; and to ensure the availability, integrity, and confidentiality of communications (and the information contained on) such networks and facilities. Although this obligation is outcome-focused, it requires the entity to take proactive steps such as ensuring the ‘competent supervision’ of, and ‘effective control’ over, telecommunications networks and facilities owned or operated by the carrier or provider; and
- a carrier or a nominated carriage service provider must notify of certain events under section 314A, which include changing of the location of notifiable equipment (equipment that provides or manages all or part of the telecommunication services), procuring notifiable equipment, and outsourcing arrangements, unless a security capability plan is provided to the Office of the Communications Access Coordinator.
Section 315B of the Telecommunications Act also provides the Minister for Home Affairs with broad intervention powers to require a carrier, carriage service provider or carriage service intermediary to do or refrain from doing a thing if there is a risk of unauthorised interference with or access to telecommunications network or facilities that would be prejudicial to security.
Further reforms were initially contemplated to introduce the requirement of adopting and maintaining a risk management program similar to that under the SoCI Act into the Telecommunications Act, but these have yet to materialise.
There is a range of obligations under both the SoCI Act and Telecommunications Act that may apply to operators of space systems, some of which can be particularly onerous and prescriptive. Navigating the regulatory regime can be complicated given the parallel application of both the SoCI Act and Telecommunications Act, and in particular, the overlapping security obligations. Space operators responsible for Australia’s critical infrastructure should assess the extent those laws apply and implement appropriate processes and systems to ensure it is in the position to comply with those requirements.
How can HWL Ebsworth help?
HWL Ebsworth’s Space and Technology team has extensive experience in advising businesses on regulatory and intellectual property issues. If you have any queries about space or intellectual property law, please do not hesitate to contact us for further information on how we can assist you.
This article was written by Daniel Kiley, Partner, Nikki Macor Heath, Special Counsel and Paul Sigar, Solicitor.