Continuing this #AABill thread - Why is it so problematic that the Morrison Govt is trying to ram through this bill in order to start a fight to distract from its political woes?
Let's look at what have we learnt about the Bill in the PJCIS process so far
Let's look at what have we learnt about the Bill in the PJCIS process so far
As a pair technical experts from GCHQ rightly pointed out recently, “In any discussion of cyber security, details matter.”
lawfareblog.com/principles-mor…
lawfareblog.com/principles-mor…
This is a complex, nuanced area of policy making.
There are plenty of interventions the government could make here that could cause major damage to our national security and the health of our digital economy. senetas.com/why-we-depend-…
There are plenty of interventions the government could make here that could cause major damage to our national security and the health of our digital economy. senetas.com/why-we-depend-…
There are other things it could do to improve law enforcement access to digital coms that would probably be workable. risky.biz/bannedmath/
Australia’s long history as the Global Village Idiot in tech policy making, reinforced by the at best technically meaningless, and at worst technically ignorant comments of the Turnbull/Morrison Govt have heightened anxiety about the govt’s intentions.
Despite this, the Bill itself doesn’t ban end to end encryption (or outlaw maths) on its face as some of the more excited commentators have claimed.
BUT on its current drafting it does give broad powers for the Minister to subsequently issue Technical Capability Notices that could direct specific companies to do things that raise issues.
The PJCIS hearings have spent a lot of time looking at the detail what our security and law enforcement agencies actually want to do at an operational level, and what the legislation might theoretically allow the Minister to ask companies to do.
For example, it would be A Very Bad Thing if this legislation enabled the Minister to impose an encryption key escrow scheme...
... as Fmr AG Brandis seemed to imply 18 months ago:
"If there are encryption keys then those encryption keys have to be put at the disposal of the authorities."
smh.com.au/politics/feder…
"If there are encryption keys then those encryption keys have to be put at the disposal of the authorities."
smh.com.au/politics/feder…
Despite this, when we asked about this in the PJCIS hearings, the Department said key escrow couldn’t be imposed under the bill as it would be as a ‘systemic weakness’.
Image (parlinfo.aph.gov.au/parlInfo/downl… at 11)
Image (parlinfo.aph.gov.au/parlInfo/downl… at 11)
The responses were less definitive when we asked whether a range of other capabilities that could potentially be requested under the bill would be ‘systemic weaknesses’ eg using the service identity system to add an end point.
See also this DOHA answers to a Questions on Notice from the October hearing
We asked a lot of questions about what ‘systemic weakness’ was intended to mean in the bill. Both the Dept and ASD suggested it meant that ‘enterprise’ wide capabilities were precluded, and only ‘targeted’, presumably ‘handset’ or ‘individual’ level capabilities were permitted eg
This distinction was reiterated in DOHA answers to Questions on Notice from the October hearings:
The details and the text of the bill matters a great deal to the effect of the Bill here - by blowing up the PJCIS process, Scott Morrison has said he doesn’t care about the impact the Bill has, he only wants a political fight.
What are the costs if the Government gets these details wrong?
In addition to the national security concerns I discussed earlier, it also has the potential to hurt Australia defence and IT exports
In addition to the national security concerns I discussed earlier, it also has the potential to hurt Australia defence and IT exports
As Senetas told PJCIS last Friday, as currently drafted, the Bill:
"will profoundly undermine the reputations of Australian software developers and hardware manufacturers in international markets; there is simply no doubt that this will result in a significant reduction in local
"will profoundly undermine the reputations of Australian software developers and hardware manufacturers in international markets; there is simply no doubt that this will result in a significant reduction in local
R&D and manufacturing as a consequence of declining employment and export revenue,"
zdnet.com/article/encryp…
zdnet.com/article/encryp…
A joint submission from the Communications Alliance, business lobby Ai Group and others reinforced this stating that "the draft bill poses a real risk for the IT/communications export industry which Austrade values at $3.2 billion".
The Business Software Alliance gave a similar warning against rushing this bill just today
