ASPI, AustCyber on encryption bill
Michelle Price: Concerns about the commercial impact of the encryption legislation
The recently-passed encryption bill had the potential to “harm the economic viability and growth of Australia’s cybersecurity sector” if a series of serious concerns were not addressed, a report by the Australian Strategic Policy Institute and AustCyber has found.
In late December last year, the two organisations released the results of a survey on the highly controversial encryption bill, just after the legislation was passed on the last parliamentary sitting day of 2018. The survey itself had been conducted before the legislation was passed, and was based on the draft legislation.
AustCyber also released its own information sheet for Australian cybersecurity companies, aiming to explain some aspects of the bill and to clear up concerns surrounding its economic impact.
The survey included responses from 63 startups, scale-ups, SMEs and industry organisations, with more than three-quarters saying they are concerned about the bill.
“While the survey involved a comparatively small sample size, the results are compelling. In particular, there’s a clear opportunity to improve communication across the ecosystem and between government and industry,” AustCyber CEO Michelle Price said.
“The public debate in the lead-up and immediately following the passing of the legislation has resulted in perceptions that, if unaddressed, have the potential to harm the economic viability - and growth - of Australia’s cybersecurity sector,” she said.
Of the 63 respondents to the survey, more than 75 per cent had concerns with the likely impact of the bill. The majority of concerns related to a lack of definitions in the legislation, the perception that Australian products would be seen as less secure, and the economic cost of complying with a notice or request.
More than half of the companies expected the new powers to have a negative impact, and 40 per cent expected the government to not pay for any of the costs associated with compliance.
To accompany the survey, AustCyber also released the first in a series of “communiques” to the Australian cybersecurity sector that aim to clarify the new encryption bill and clear up some misconceptions.
The organisation received a verbal briefing from the Home Affairs department and also a response to a series of in-depth questions, but AustCyber said a number of things related to the bill were still unclear.
“There remains a number of areas of concern that have not yet been adequately addressed. Where we have raised further questions, these have been provided to the government but responses were not available at the time of publishing. We are continuing to engage with industry and government on these matters and will publish responses in future iterations of our communication toolkit,” the communique said.
AustCyber has called on the federal government to properly define “systemic weakness or vulnerability”, and explain how companies are expected to seek compensation for complying with an agency request.
“It is not clear how providers will seek reimbursement of expenses related to compliance with notices, or who will determine what costs are considered ‘reasonable’,” it said.
“Uncertainty around what costs might be incurred and which of these will be recovered is concerning from an economic impact perspective.”
These uncertainties will be damaging for the local cyber sector, CyRise chief executive Scott Handsaker said.
“The fact that we are still arguing about who it applies to, questioning when warrants are required and analysing who really has oversight is a reflection of how poorly drafted the legislation is,” Mr Handsaker told InnovationAus.com.
“Any time a government asks for increased powers of surveillance it should be done with care, community consultation, transparent communications, rigorous safeguards and a tightly defined scope. This act has none of that.”