The federal government is seeking public input on updating its cyber security strategy. However, the parameters it is using to frame the discussion ignore the detrimental impact on infosec from legislation that has enjoyed bipartisan support, according to a prominent cryptographer.
A discussion paper released as part of the government’s public consultation on cyber security strategy is “infused with the unshakeable belief that more active government involvement must be a good thing for cyber security,” according to Vanessa Teague.
The government in September released the paper as it prepares to issue the 2020 update to its cyber security strategy.
Teague, a high-profile security researcher and associate professor at the University of Melbourne’s School of Computing and Information Systems, noted that a key theme was the government’s role in addressing cybercrime.
The paper asks, for example, whether the government “could do more to confront cybercrime and protect the networks that underpin our way of life, or whether you think the current arrangements are right”.
“Now, whether you agree with my perspective on this issue or not, just as a matter of pure logic... we’ve been given two options here,” Teague said during a panel at NetThing, an Internet governance conference held last week in Sydney.
“Number one government should take a more active role in our cyber security and the networks and computers, or the current balance is about right. Now, can anybody think of a third option that might be worth considering at this point?”
Teague said that for “many years” a key characteristic of Australian cyber security policy has been bipartisan support for “a series of very bad policies.” One example the Defence Trade Controls Act which “made it a crime to export new cryptographic ideas or cryptographic software without permission from the military”. The Melbourne Uni academic has previously criticised elements of Australia’s defence exports regime because of its impact on collaborative cryptography research.
Teague told NetThing: “We all know about the TOLA Act, otherwise known as the bill that makes it compulsory to assist in undermining the security of your own system if you are able to re-engineer your system to extract more data.”
The TOLA Act — Telecommunications and Other Legislation Amendment (Assistance and Access) Act — is legislation that introduced a new legal framework for law enforcement to compel cooperation from online service providers, including in some circumstances introducing new capabilities into their systems to facilitate investigations.
“I think we’re not just looking at a government that is, you know, well-intentioned but a little bit ineffectual,” Teague said. “We’re actually looking at a series of policies that have actively done damage.”
“I don't think they’re deliberately doing damage,” she added. “I think they’re pursuing an agenda oriented around surveillance and control, which inevitably has a by-product of damaging our cyber security.”
The government has pursued a “national insecurity agenda,” Teague said.
“If it's undermining our technology industry... if it's causing companies to move offshore that would otherwise have built been building secure products here and training people in cyber security here, then it’s actually... not just neutral, it’s actually making it harder for us to do a good job of defending ourselves,” she told NetThing.
She said it’s unlikely that there would ever be specific evidence that a particular cyber attack was a direct consequence of the TOLA Act. Instead Australia is likely to suffer a “gradual failure... to grow in the cyber security space, and we’re going to be more vulnerable over the long term.”
“We're probably not going to be able to point to direct evidence that some particular data breach or some particular failure of security was a direct result of some company that moved away or some person who didn't have the skills to defend it,” Teague said. “But that doesn't mean that the consequences aren't real, just because they're not explicit and easily pointed to.”
She also questioned the effectiveness of ongoing engagement with the Department of Home Affairs. Civil liberties organisations, the local ICT industry, security pros, and major international tech companies including Apple, Google and Amazon expressed major objections to the TOLA Act in the lead-up to it being waved through parliament on the final sitting day of 2018.
The government, however, has rejected claims that the legislation could have a detrimental impact on cyber security in Australia (although Home Affairs has acknowledged there has been some impact on the tech sector, but argued that is the fault of misconceptions about the legislation rather than the TOLA regime itself).