The Telecommunications (Interception Capability and Security) Act 2013 (the TICSA) establishes obligations for New Zealand’s telecommunications network operators in two key areas – interception capability and network security.
The Government Communications Security Bureau (GCSB) is responsible for administering the network security provisions of the TICSA.
Part 3 of the TICSA, which relates to network security, establishes a framework under which network operators are required to engage with the GCSB (through the NCSC) about changes and developments with their networks where these intersect with national security.
The legislation sets out a path to identify and address, prevent, mitigate, or remove network security risks which may arise. To assist in applying the TICSA, the Director of the GCSB has issued Guidelines for Network Operators and has granted a number of exemptions from the duty to notify, which are in place.
The GCSB will work co-operatively and collaboratively with network operators so that risks to New Zealand’s national security arising from the design, build or operation of public telecommunications networks and their interconnection to other networks both domestically and overseas are identified and addressed as early as possible.
The Director of the GCSB has issued Guidelines for Network Operators on how the GCSB and network operators will interact to fulfil their respective responsibilities under the TICSA. The final Guidelines were prepared following consultation involving network operators.
The Guidelines cover:
- Definition of a “network operator”
- Process for Network Operators to register
- The national security focus of the TICSA
- Role of security cleared personnel in network operators
- Notification requirements for network operators – what and when
- A step-by-step description of the network proposal process
- Understanding “network security risk” & mitigations
- The GCSB’s consideration of proposals, including:
  - The factors the GCSB must take into consideration
  - Expected turnaround times
  - How the GCSB will communicate to network operators
- How the GCSB will manage exemption requests
- Referral of cases to the Minister responsible for the GCSB
- The process for updating the Guidelines
Section 48 of the TICSA creates the obligation for network operators to notify the GCSB of proposed decisions, courses of action or changes in regard to certain parts of their network (Proposals). Under this section, it is only proposals that affect an “area of specified security interest” that need to be notified.
If a network operator becomes aware that implementation of any other decision, course of action or change, to any part of their network, may give rise to a network security risk, they are required to notify GCSB (section 46(1) TICSA).
Network operators need to notify the GCSB of proposed decisions, courses of action or changes to certain parts of their network at the stage when these decisions, courses of action or changes are still proposals, yet to be implemented. More detail on the notification requirements and process is provided in the Guidance to Network Operators.
Under the TICSA, the Director of the GCSB can grant exemptions to network operators’ obligation to notify of proposed decisions, courses of action or changes to certain parts of their network. Exemptions can only be granted if the Director is satisfied that the granting of an exemption will not give rise to a network security risk.
Exemptions can be granted to individual network operators or a class of network operators. The GCSB will notify individual network operators directly in writing of any exemption applying only to them. Exemptions that apply to a class of network operators will be published on the GCSB & NCSC websites (as required in s49(5) of the TICSA) as well as written notification being sent to all network operators falling in that class.
Network operators will be able to request exemptions from the GCSB through the notification process. This will provide the GCSB with the information it needs to be able to assess whether granting the exemption will give rise to a network security risk.
Under the TICSA, the New Zealand Police are responsible for maintaining the Register of Network Operators on behalf of all of the surveillance agencies. Information and registration details are available on the New Zealand Police website.
Network Operators can contact the TICSA team via firstname.lastname@example.org
The Guidance and Templates can also be made available in alternative document formats upon request.