Prominent cyber security researcher Dr Vanessa Teague says that Australian cryptography research is under threat from a decision by the Defence Export Controls office to alter an agreement with the University of Melbourne.
Teague, an associate professor at the university, was one of the researchers who found a significant security flaw in New South Wales’ iVote system and who discovered the flawed deidentification of supposedly anonymous Department of Health data.
Teague told Computerworld that she was recently notified that Defence would not renew a general permit allowing her to undertake international collaboration on cryptography research.
Under the regime introduced by the Defence Trade Controls Act, cryptography is a controlled export. The act is Australia’s implementation of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
Teague said that in place of the previous general permit, DEC had given her only permission to collaborate with researchers in specific countries — Canada, Belgium and the UK — as part of projects she already has underway.
In 2017, Defence introduced, on a trial basis, two-step permits for cryptography and security research, allowing a broad range of international collaboration with a second permit required only in limited circumstances.
“The intention of the research permits... was that you didn’t have to specifically ask in advance for permission to communicate with particular countries,” Teague said.
“This was kind of the whole point — that you would get a general permit to do cryptography research related communication and as long as you weren’t communicating with a sanctioned country, like Iran or North Korea, you were allowed to communicate first and notify [Defence] later.”
“They’ve just torn that up and gone, ‘Oh well, we’ll give you permission to communicate to these specific countries you’ve told us you already have collaborations with, but if you want to start a new collaboration, for example with the United States... then you have to specifically come and ask us again and we’ll think about it for a few weeks and then we might give you permission to communicate with that country.'”
Defence has been contacted for details on the scope of the changes to export control policy. Teague said she was told it was a "policy matter".
Teague said she expects to feel the impact almost immediately. Next week she is travelling to a conference that she expected to open up new avenues for collaboration on research.
“Communications at the conference are legal but as soon as we fly home and try to continue communicating code or details about cryptography, it’s potentially inconsistent with the Defence Trade Controls Act, which is exactly the problem that the more general permits were supposed to solve.”
Teague said that the threshold guidelines for collaboration are “very unclear”. “The guidelines are written with weapons in mind,” she said. “So if you’re building some big thing that goes bang, there’s quite well defined levels of technological readiness. If you’re just writing a paper in theory, it’s not covered — but then if you’re actually getting to the point of making something focused on something that actually works, then it becomes covered.”
The guidelines work well for defence hardware but are “not well written” when it comes to cryptography research. “In particular there’s a lot of stuff about whether there’s a workable prototype, or whether there’s a specific application, which for military hardware happens very late in the process — whereas for cryptography research can happen a week after you start talking about it, because you start coding it up to see how fast it runs,” she said.
She said it can be unclear, for example, if the threshold is crossed when researchers start collaborating on code in a GitHub repo or even just start writing out a detailed algorithm.
Last year Teague and a group of other researchers called for changes to the DTCA. In particular, they called for broadening an exemption in defence controls for “basic research” to encompass “fundamental research”.
The researchers cited a definition of “fundamental research” used by the US Defense Advanced Research Projects Agency: DARPA says fundamental research is “basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community”.
“The DTCA exempts free publication, which is good, but there is still a problem for researchers when communicating internationally, but before publication,” a joint submission by the researchers to a Defence consultation said.