‘This blows away the entire idea of end-to-end encryption’
A majority of key stakeholders in Australia’s cybersecurity industry have expressed concerns over the possible fallout of a controversial encryption law – with the majority citing a lack of clarity around what’s required of them under the new legislation.
Compliancy costs and a negative economic impact were other factors raised in a survey of 512 Australian infosec businesses, ahead of the bill’s passing on December 8.
As previously reported by The Daily Swig, the Assistance and Access Act aims to extend the data-sharing relationship between tech firms and law enforcement, whose investigations are said to be hindered by the widespread use of encrypted communication found in the likes of WhatsApp and Signal.
This means that telcos, ISPs, and other tech companies in Australia which hold data on consumers may be required to hand certain communications over to authorities when requested – even if it means modifying their software in order to do so.
“One of the things that has come up from proponents of the AA [Assistance and Access] bill is that the law says it may never require the introduction of a systemic flaw to any encryption, and that there are ways to intercept communications without introducing these systemic flaws,” Benjamin Donnelly, a security consultant specializing in cryptography, told The Daily Swig.
The main problem with this sort of exceptional-access system, Donnelly said, is that encrypted communications found in, say WhatsApp, aren’t designed to work like that – the contents of a sent message are only decrypted when they reach the intended recipient.
“So if you’re the Australian government and you say, OK, we don’t want you to break your encryption, but we do want you to be able to decrypt it for us, it blows away the entire idea of end-to-end,” Donnelly said.
“And by changing that architecture, you are producing a systemic risk.”
Behind the back door
Some 65% of survey respondents – a combination of security start-ups, SMEs, and large enterprises – expect the law to have repercussions on their export business, not least due to the perception that a so-called ‘backdoor to encryption’ will undermine the integrity of their products.
Tom Sulston, board member at the Australian NGO Digital Rights Watch, says a combination of technical ambiguity and absence of judicial oversight rightly has the wider tech industry worried.
“I did hear of a company with Australian development presence who are thinking of requiring an extra code review for anything written in Australia before it goes to product,” he told The Daily Swig, admitting that he did not know the name of the business in question.
“Most companies are understandably keeping quiet about what they’re doing.”
An Australian electronics manufacturer, Extel, has been more outspoken, estimating a loss of up to A$3 billion (US$2.1 billion) in export revenue upon the law’s implementation.
“One of our major customers is Senetas Corporation, which is a leading developer of high speed encryption devices. Its devices protect governments and banks around the world,” Greg Toland, chief executive officer at Extel, explained in a letter to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on November, 30.
“Senetas have informed me that they could not manufacture in Australia if there was a risk that it would be required by a government agency to create a back door to its products.”
The Daily Swig reached out to Senetas to confirm its intentions now that the bill has received royal assent, but we have yet to receive a response.
Others have also been quick to express their discontent over the Assistance and Access bill, publicly stating how the law’s implications will only hinder the cybersecurity skills shortage that Australia, like many countries, currently faces.
RELATED Cybersecurity workforce gap fast becoming a chasm
Australia has been looking to diversify its economy by developing its information security ecosystem – an industry that’s expected to be valued at A$6 billion (US$4.2 billion) by 2026, according to data from the Australian Cyber Security Growth Network (AusCyber).
In order to reach that goal, AusCyber estimates that an additional 18,000 vacancies will need filling at risk of a loss in revenue and wages, as was the case in 2017, when a skills gap fallout resulted in an estimated A$400 million (US$284 million) being forfeited.
AusCyber is in charge of supporting and promoting cyber businesses, both at home and abroad. The organization recently received an additional A$4 million (US$2.8 million) to help develop three industry-led projects.
“The real impact of the Bill on exports of Australian technology products is hard to gauge and will depend on many external factors, such as how many other governments develop ‘copycat’ legislation and the results of early risk assessments by foreign government buyers of Australian products,” the organization said.
Michelle Price, AustCyber CEO, added: “We will continue to work constructively with stakeholders on this issue, helping to ensure that as many individuals and organisations as possible appreciate the impacts of the legislation on the economic growth of the cybersecurity sector.”
Breaking encryption: A global trend?
Threats that companies will move business outside of Australia may very well diminish as countries around the world begin to follow suit with new communications agreements of their own.
This trend started with the UK’s 2016 Investigatory Powers Act, and now looks set to be imitated by India, as policymakers look to push through new amendments to the country’s Information Technology (IT) Act.
Regardless of their country of origin, these laws are all ostensibly designed to reign in the power of Big Tech, and come at a time where ongoing East-West trade tensions are increasingly dividing the internet into what appears to be a showdown between China and the Five Eyes.
China, in particular, has been heavily criticized for exerting its influence over vendors like Huawei, which was banned from supplying 5G technology in Australia last year amid fears of state-sponsored eavesdropping by way of backdoor access.
The situation looks rather ironic from Sulston’s point of view – the Assistance and Access Act sounding a lot like legislation found in China that compels private companies to serve up data to the country’s security services.
How this will work in practice in Australia are some of the technical considerations that has the industry up in arms, especially as the law boasts a maximum A$10million (US$7.1 million) penalty for non-compliance.
“It’s much easier to go through the operating system (OS) manufacturers, particularly if they have revenue in Australia,” Sulston said. “Then you can say if you want that revenue, you have to modify that OS in order to allow our intelligence agencies access, much in the same way that China does.
“Honestly, it’s probably only two or three companies – Apple, Google, Amazon, Facebook. Go after those and say, ‘Alright, if you want to do business here, you have to do this stuff’.”
The tech giants that Sulston mentions lobbied heavily against the new measures in the run-up to its approval in the Australian Senate, but now that it’s passed, their hands seem more or less tied.
A letter submitted this week by industry representatives of Facebook, Google, et al, indicates support for proposed amendments that were hurriedly put forward in the rush to make the bill law.
While the letter makes additional calls for further scrutiny of the legislation, the lengthy submission by Silicon Valley’s finest may also act as an indicator that compliance, of some sort, will soon to be on its way.
The full review of the legislation will be released at the beginning of April.
It is unknown if the Assistance and Access Act is being used at this time.
RELATED Australia pushes ahead with its anti-encryption bill