Home Affairs on costly 'grey hats'
Michael Pezzullo: The encryption bill helps avoid grey hat hacker costs
The federal government’s new encryption-busting legislation is needed to avoid the use of expensive third-party vendor products to get the job done, the Department of Home Affairs has claimed.
In a new submission to the Parliamentary Joint Committee on Intelligence and Security inquiry into the government’s encryption bill, the department argued that without “legislative solutions and reliable industry assistance”, law enforcement and agencies would be forced to turn to third party vendors known as “grey hats” to find ways to access encrypted data.
“In the absence of active cooperation from primary vendors, the services of ‘grey hat’ vendors can become the only viable technical solution,” the department said.
“This is a less than ideal situation as it assists in perpetuating a cottage industry that includes vendors willing to provide capabilities to any nation state or other actor regardless of intended use.”
“Engaging these third party vendors attracts premium costs, particularly as agencies are competing for their services with malicious actors and manufacturers providing rewards.”
The Assistance and Access Bill provides new powers to law enforcement and agencies in compelling tech companies around the world to circumvent encryption.
The bill has been widely criticised for how it may impact the strength of all encryption, and the rushed process the government has employed in bringing it to Parliament.
But the government said these powers are necessary to avoid employing the services of these grey hat hackers.
“The Bill intends to strengthen cooperative working relationships between agencies and primary manufacturers and industry to reduce the reliance on a grey hat community. This will in turn increase transparency and accountability between industry and government,” the government said.
“[The bill] is not seeking for primary manufacturers and industry to provide the functionality of the grey hat community, but rather that industry proactively identifies opportunities to address current content loss through encryption.”
The department’s submission also outlines a list of things that it said the bill does not allow law enforcement to request of tech companies, including providing a “backdoor key”, building a way to break encryption when necessary or limiting the length of encryption keys.
“Critics of the above argue that it is impossible to adopt any of the above measures without introducing weaknesses that malicious actors can exploit. The logic follows that the creation of additional keys and other means of access for law enforcement creates new points in a system’s security that may be compromised,” it said.
“Home Affairs received many submissions during public consultation that expressed similar concerns. The Assistance and Access Bill does not adopt any of these approaches.”
Instead, the bill establishes a “technologically neutral framework for industry and government to work together towards access solutions with entrenched security protections”.
“Any arrangement that would introduce weaknesses and make innocent, third-party communications vulnerable would be in contravention of the bill’s legal safeguards,” the submission said.
The submission also aims to justify why there is no judicial oversight over the issuing of notices requiring companies to comply, with the department pointing to the “severity and urgency” of the decisions.
“If decisions relating to investigations were subject to merits review, the investigation of breaches, as well as the proper enforcement of the law, could be jeopardised. It is imperative that a technical assistance notice (TAN) can be issued and used quickly,” the department said.
“It would not be appropriate for a decision to issue a TAN to be subject to judicial review under the ADJR Act or merits review as review could adversely impact the effectiveness and outcomes of an investigation.
“Decisions made by the Attorney-General to issue a technical capability notice (TCN) are particularly unsuitable for review as they are ministerial decisions to develop law enforcement and national security capabilities.”
The perceived rushing of the bill through Parliament has been widely criticised by the Opposition and general public, but the department claims that it “undertook extensive consultation”.
“This process was productive and led to significant amendments that addressed key concerns, and reinforced the policy intent of the bill,” the department said.
“Importantly, the consultation process also allowed the government to clarify the strong safeguards and limitations in the bill that ensure that the privacy of Australians is not compromised, the security of digital systems is maintained and agency powers are utilised appropriately,” it said.