A government-funded body's survey of Australian cyber security companies, which was conducted before the controversial encryption bill was passed but not released until late last month, reveals most firms fear the legislation will have a profoundly negative impact on their businesses.
The concern is most keenly felt by those companies that export overseas, which believe the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 – passed into law amid farcical scenes during the final day of parliament for 2018 – will result in the perception that their products are less secure.
According to the AustCyber (Australian Cyber Security Growth Network) survey, carried out by the Australian Strategic Policy Institute (ASPI), close to three-quarters of surveyed companies think the bill will damage the reputation of their products, while a similar number are worried about potential conflicts between the bill and laws in other countries in which they operate.
Around half reported the bill would result in additional compliance costs, with a similar number saying the bill would impact company revenue and reduce attractiveness to investors.
The most common concern was a ‘lack of clarity around definitions’. Some firmer definitions – such as clarification of the meaning of ‘systemic weakness’ – were included in amendments made to the final bill.
A third of respondents – of which there were 63, ranging from startups to large enterprises – think the bill will result in loss of existing customers, and 40 per cent said it will cause brand damage.
The results echo the concerns put forward by technology firms during the Parliamentary Joint Committee on Intelligence and Security’s scrutiny of the bill. The founder and non-executive chairperson of Senetas warned MPs the bill would “profoundly undermine” the reputation of Australian software and hardware manufacturers in international markets.
“Foreign governments and competitors will use the mere existence of this legislation to claim that Australian cyber security products are required to use or collaborate in creating encryption back doors,” Francis Galbally said at the time.
A letter from Australian electronics manufacturer Extel submitted to the inquiry warned of the loss of up to $3 billion in export revenue. Other firms have said they will move operations off-shore as a result of the bill’s passing.
Perceptions and misconceptions
AustCyber CEO Michelle Price said the results of the survey are “compelling” and the government-funded organisation would now be working to address the industry’s fears.
“There’s a clear opportunity to improve communication across the ecosystem and between government and industry. The public debate in the lead-up to and immediately following the passing of the legislation has resulted in perceptions – and misconceptions – that, if unaddressed, have the potential to harm the economic viability – and growth – of Australia’s cybersecurity sector," Price said.
The organisation – established in 2017 as an independent, not-for-profit organisation although fully funded by federal government grants – conducted the survey at the end of November last year. Its strategy chief Belinda Newham told Computerworld in December that it had initially hoped the survey results would inform debate on the bill.
However, “the discussion was sped up a bit” Newham said.
“Obviously we still see an opportunity to help inform and guide discussions going forward using [the survey results] as an evidence base. But yeah, we would have liked to have provided that as part of it,” she explained at the time.
Price, in her foreword to the survey results, said the organisation’s advocacy on the issue had been active “for much of the year”  which included “raising issues directly with the government”.
AustCyber – which works with around 280 Australian cyber security companies – did not make a submission during the bill’s consultation period, leading some to accuse it of ‘going missing’ when most needed.
The survey’s release had been expected at the beginning of December – ahead of the bill’s debate in the House of Representatives on December 6. It was not published, however, until December 20.
AustCyber is releasing a series of communiques to “inform stakeholders on the facts,” the first of which covers the economic implications of the bill. It includes a number of questions put to government about the bill, its responses and AustCyber’s analysis of what the responses mean for the industry.
The organisation said that “there remains a number of areas of concern that have not yet been adequately addressed”.
AustCyber in December called for cool heads following the passage of the bill.
“At this stage, it is important to recognise that there are many unknowns regarding the content and implementation of the legislation,” AustCyber’s co-chair Doug Elix and Price said in a joint statement.
“It is unwise to jump to conclusions, or make assumptions that could unnecessarily perpetuate a sense of uncertainty from creators and consumers of cyber security products and services,” the statement said.