A group of information security researchers has called for changes to Australia’s Defence Trade Controls Act. The group argues that the current DTCA regime can act as a barrier to cryptography research.
The government has commissioned Dr Vivienne Thom to conduct a review of the DTCA, which imposes penalties for the unauthorised export and in some cases publication of certain types of technology — including so-called “dual-use” technologies.
The DTCA is Australia’s implementation of the 42-nation Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
Among the categories of technologies covered by Wassenaar and Australia’s Defence Strategic Goods List (DSGL) are a range of cryptographic and other information security-related technologies.
DSGL has some exemptions relating to technology that is already “in the public domain”, “basic scientific research”, and the minimum information necessary for applying for a patent.
(There are also exceptions for software that is “generally available to the public” and software that is necessary to install, operate, maintain or repair items whose export has already been approved.)
However a group of researchers has called for a broadening of the exemption on “basic research” to “fundamental research”.
The submission to the review is signed by prominent security researcher Dr Vanessa Teague from the University of Melbourne’s School of Engineering, along with Professor Lynn Margaret Batten from Deakin University, Associate Professor Xavier Boyen from QUT, Professor Rajeev Gore from ANU, Dr Toby Murray from the University of Melbourne, Data61’s Josef Pieprzyk, Dr Ron Steinfeld from Monash University, and Dr Yuval Yarom from the University of Adelaide.
The researchers use the US Defense Advanced Research Projects Agency’s definition of “fundamental research”, which DARPA says is “basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community”.
“The DTCA exempts free publication, which is good, but there is still a problem for researchers when communicating internationally, but before publication,” the researchers write.
“Conducting this communication freely, spontaneously, and often, is a critical component of cryptography research. This communication often includes shared work on cryptographic algorithms and code, which are intended to be made public but are not public during initial development.”
“Useful cryptography research is generally directed towards a specific practical objective - that's why it's useful,” the submission adds.
Most Australian research on cryptography doesn’t qualify for the “basic research” exemption, they argue.
“Restrictions on research and teaching of fundamental skills and new advances in cybersecurity constrict the pipeline for such graduates,” the submission states.
“This makes us less secure and makes our industries vulnerable to malicious online actors. Many Australian cryptographers work overseas, and most Australian universities struggle to find people with adequate technical cybersecurity skills. The DTCA’s penalties and restrictions on the communication of cryptography research indirectly jeopardise our future national security.”
In DTCA is not amended, the group recommends that the current two-step permits being trialled by Defence for information security and cryptography research be retained.
(Separately the federal government is currently preparing to unveil legislation to boost law enforcement agencies’ ability to access encrypted communications services.)