It is true that the Cyber attacker knows no bounds when it comes to launching their threats. As I wrote about just this past weekend, as disgusting as it sounds, they will even come after your baby’s Social Security Number in order to launch Identity Theft attacks.
This no-bounds approach even holds true across international borders, because of the virtual nature of the damage that can be inflicted on others.
Here, we see nation-state actors launching attacks from their laptops from places as remote as Siberia, from the most desolate places in North Korea, all the way to the most jam-packed café in a small town in China.
Slowly but surely, the world is catching up with all of this, and many nations are now starting to adopt strict Cyber security laws in an effort to bring the Cyber attackers to justice.
We have seen laws passed in Europe, and even here in the United States. Now, we are seeing Cyber security laws being passed in Australia. Their latest one is called the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill of 2018.
The main purpose of this new legislation is to get the private sector (which primarily includes the Internet Service Providers) involved with the law enforcement agencies when it comes to conducting at least the forensics aspect of a Cyber-attack. If they do not cooperate, then these business entities will face stiff financial penalties.
There are three separate components to this new law, which are as follows:
*The Technical Assistance Request, TAR:
This provides the baseline for what the minimum level of participation is. This also includes provisions for compensating firms that provide voluntary assistance.
*The Technical Assistance Notice, TAN:
If requested by law enforcement, a private sector organization must aid law enforcement, if it is possible in their situation.
*The Technical Capability Notice, TCN:
No matter what has happened or transpired, a private entity must cooperate with law enforcement in investigating the Cyber-attack.
Fearing the retribution of huge financial penalties, more than 60 organizations have already submitted paperwork stating that they would like to participate with the law enforcement agencies in investigations into Cyber attacks that they were a victim of, or at least know something about if they were not impacted.
In a way, this is similar to the actions that are currently being enforced by the UK government, but their financial penalties are far steeper: 4% of net profit.
One of the other main objectives of this new law is for the Australian Government to get their hands on encrypted communications. They claim that safeguards will be implemented so that this will not fall into the hands of a malicious third party. But already, the big titans of tech are voicing strong concern about this: Cisco, Apple, Mozilla, Kaspersky Lab and others.
Kaspersky is worried about the lack of transparency about the new law, even including the implications that it will have on their lines of business:
“By enabling direct access to the foreign users’ machines through the technology provider, rather than through the approved cooperation channels, the Bill may institutionalize circumvention of the standardized procedures of formal mutual legal assistance . . .” (SOURCE: https://www.securityweek.com/tech-giants-concerned-about-australias-encryption-laws).
Cisco is worried about how other countries will follow suit in the wake of this new law:
“Without further amendment, we believe the net result of these changes would harm the security interests of Australia by setting a precedent that could be adopted by less liberal regimes.” (SOURCE: https://www.securityweek.com/tech-giants-concerned-about-australias-encryption-laws).
Mozilla is worried about how government intervention, no matter what the nation is, will greatly impede the design of the software applications that support the internet:
“Any measure that allows a government to dictate the design of Internet systems represents a significant risk to the security, stability and trust of those systems.” (SOURCE: https://www.securityweek.com/tech-giants-concerned-about-australias-encryption-laws).
Quite surprisingly, Apple is willing to cooperate with this new law (even in the face of its recent dispute with the FBI on opening the iPhone technology for investigative reasons):
“We encourage the government to stand by their stated intention not to weaken encryption or compel providers to build systemic weaknesses into their products.” (SOURCE: https://www.securityweek.com/tech-giants-concerned-about-australias-encryption-laws).
My thoughts on this?
So, there you have it, very different perspectives on the interpretation of this new Australian law. In my view, no Legislation or Mandate that is created by a government to fight Cyber terrorism will ever be perfect. There will be gaps, a lack of understanding on some aspects of it, etc.
And of course, there will always be that fear amongst the public and the private sector as to how those respective governments will handle confidential and private information/data.
But you know what? I applaud these nations for at least trying to do something. First, we complain that not enough is being done about Cyber security, and once something is set in motion, we start to complain. As citizens, we simply can’t have it both ways. We all need to meet halfway somewhere at some point in time.
Perhaps it is also good that these new laws invoke some kind of financial penalties. Granted, some of them may be rather harsh, as in the case with the Legislation just passed in the UK, but it is about time that the C-Suite finally wakes up to the fact that they too need to be held accountable as well as responsible for the Cyber security in their organizations.
As one of my podcast guests so eloquently put it: No one individual, company, or country can go it all alone. We all need to work together, in some way, shape, or form.
Finally, the details of this new Australian law can be seen at this link: