As we approach 2019, there is one thing that will be on everybody’s mind: the Cybersecurity landscape, and how it will evolve. I have written a few pieces on this already, and in my podcasts this is usually one of the last questions I ask.
The answers have ranged from new Ransomware attacks to how the IoT will rule and could even destroy our everyday lives (given the interconnectedness it possesses).
People have even mentioned that Cryptojacking and attacks on Critical Infrastructure will be the norm. But who’s to say what exactly will happen? On one front, however, there is a certainty that every citizen on the globe will experience: the movement of governments worldwide to adopt laws and regulations in an effort to mitigate the threat of Cyberattackers, and to bring the perpetrators to justice.
We have seen recent movement here in the United States (with the passing of the IoT Security Bill in California), the implementation of the GDPR in the European Union, and even the passage of a related Bill in Vietnam which is meant to let the government there keep a close eye on Internet-related activity. And now we are seeing it in Australia.
Just last Thursday, the Australian House of Representatives finally approved passage of the “Telecommunications Assistance and Access Bill 2018”, also known as the “Anti-Encryption Bill”. The main thrust of this law is to force tech giants like Google, Apple, Microsoft, Facebook, WhatsApp, etc. to hand over encrypted information and data, as well as any communications, to the Australian Government upon request.
The specific details of this new piece of Legislation can be seen below:
The Australian Government has claimed that this new bill is needed to bolster efforts to combat Cyberattacks as well as other major, serious crimes that are not Cyber related. Since support for the bill is so strong (both the Coalition and Labor Parties back it), it is expected to become enforceable law by early 2019. There still aren’t many specifics on how the Australian Government can force these tech giants to divulge private communications, but the bill offers three specific levels at which they can be made to “cooperate”:
*The Technical Assistance Request (aka TAR):
This is an official notice asking the tech titans to provide so-called “voluntary assistance” to law enforcement at all levels. This includes “removing electronic protection, providing technical information, installing software, putting information in a particular format and facilitating access to devices or services.” (SOURCE: https://thehackernews.com/2018/12/australia-anti-encryption-bill.html).
*The Technical Assistance Notice (aka TAN):
This notice *requires* the tech titans to hand over confidential information and data to law enforcement “. . . that is reasonable, proportionate, practical and technically feasible, giving Australian agencies the flexibility to seek decryption of encrypted communications . . .” (SOURCE: https://thehackernews.com/2018/12/australia-anti-encryption-bill.html).
*The Technical Capability Notice (aka TCN):
This is a final notice, issued by the Australian Attorney-General, that requires the tech titans to “. . . build a new capability” to decrypt communications for Australian law enforcement. (SOURCE: https://thehackernews.com/2018/12/australia-anti-encryption-bill.html).
In other words, with this last component of the bill, the tech giants will literally be forced to create some sort of backdoor in their (encrypted) apps that will allow the Australian Government to access this confidential information and data, as well as private communications. If these companies do not comply, they could face serious financial penalties (the exact amounts have not been specified).
Now, here is the catch to this bill: the Australian Government can’t force these tech companies to alter any existing layers of Security or Encryption that have already been implemented in their apps, products, and services.
Instead, the bill states that law enforcement can force these tech companies to create and deploy a mechanism that will allow for the “. . . decryption of encrypted technologies and access to communications and data at points where they are not encrypted.” (SOURCE: https://thehackernews.com/2018/12/australia-anti-encryption-bill.html).
Put another way, the Australian Government wants to save face by not making these tech companies change what they already have in place, but it wants the ability to literally “spy” on Australian citizens before messages are encrypted and sent out, or after they are decrypted at the point of destination.
The only fail-safe here is that before any of this can happen, the law enforcement agencies would have to obtain a so-called “judicial warrant” (the equivalent of a “search warrant” here in the United States).
The Australian Government is also currently a member of a Cyber coalition known as the “Five Eyes” alliance (which also includes the United States, United Kingdom, Canada, and New Zealand). As a collective, these nations have stated that citizens’ rights to privacy are not an “absolute guarantee”.
But already, Australian citizens fear that the passage of this bill will lead to other Cyber-related laws that could impinge upon their rights to privacy and confidentiality.
Another claim being made by the Australian Government is its fear of “going dark”. This is the terminology used by both the FBI and the Department of Justice when they have failed to intercept encrypted data and communications for investigative purposes (such as when the FBI tried to get Apple to share the inner secrets of the iPhone technology).
My thoughts on this?
Apple has already responded to this new bill by stating that altering the Security-related features (which include the Encryption functionality) of one brand of device (such as the iPhone) will result in a cascading effect of Security weaknesses for all other brands as well. In other words, what impacts one device will impact all.
There is also fear that if any of these tech titans are required to create and deploy an add-on so that the Australian Government can spy on individuals and/or businesses, this could also create an unexpected back door for the Cyber attacker to penetrate.
Although the specifics of this bill have yet to be released, I feel that, based on what I have read, it is total hypocrisy. I mean, if a law enforcement agency legitimately needs access to private information/data as well as communications to solve a case, Cyber or non-Cyber related, why not simply subpoena the tech company to hand the materials over to the respective law enforcement agencies and prosecutors?
Why make a mockery of the process by telling these tech companies that they are not wanted to alter their existing Security practices, yet requiring them to deploy an add-on that could lead to other Cyber threat issues?
Why not just come out and say that you need these materials, and that if you don’t cooperate, we have the means to obtain them (following, of course, the legal process that is already in place)?
My fear is that if this bill does indeed become enforceable law in Australia, the United States Government could also try to come up with something like this in haste, without thinking through what the ramifications could be.
Finally, although the Cybersecurity threat landscape is changing almost every minute, this does not mean that any Federal Legislation crafted to mitigate threats and bring the perpetrators to justice should be rushed – after all, once a law is passed and enforceable, it will take that much longer to rectify any ramifications that were not intended.