The federal government’s cybersecurity growth centre has turned its attention to helping the local sector face the reality of the nation’s new encryption laws.
AustCyber has met with Home Affairs representatives to discuss the implications of the bill, and plans to release practical guidelines and information on the new scheme for cybersecurity companies before Christmas.
It is also set to release its survey conducted with the Australian Strategic Policy Institute (ASPI) on the economic impact of the legislation, which had previously been expected to be unveiled prior to the vote on the legislation last week.
AustCyber chief executive Michelle Price said the cybersecurity sector now had to deal with the practical reality of the legislation.
“There is deep concern about what the implications of this legislation are, and it’s moving into a phase of people trying to make sense of it. It is a reality now,” Ms Price told InnovationAus.com.
“We’re going to make sure that companies aren’t going off on leave feeling like they don’t have anything to be able to further their thinking, to deepen their thinking on what this means from a strategic growth perspective,” she said.
“The information we’ll be putting out will go much further than just drawing people’s attention to sections of the legislation. There will be high-level case studies of what this particular piece of legislation might mean.”
The AustCyber information aims to address many of the concerns about the bill from a cybersecurity perspective, and sort fact from fiction, Ms Price said.
“We’re seeking to cut through a lot of the hysteria – and I use that word very carefully. Hysteria is what happens when people are fearful, and people are fearful when they don’t understand or can’t see the trees for the forest,” she said.
“We need to change that very quickly as a country, and on my assessment of the conversations with quite senior people in government, there is a desire to change that. But we’re not waiting.”
“Irrespective of whether or not they are going to publish information or not, we’re not waiting. We’ll make sure we have information published for companies by Christmas. It won’t answer all the questions but we’ll try our level best to answer as many as possible.”
Ms Price said she has had “really constructive” and useful discussions with the department since the passing of the legislation last week.
“People can throw bricks at me for saying that, but that’s the honest truth. This is the first time that we’ve seen legislation at that horizontal level in the modern age,” she said.
“There is a whole set of circumstances multiplied by the fact that conversations are emerging and sensitive technologies have been running rampant globally.”
“We’ve never seen these circumstances before, and I think perhaps the government had underestimated what kind of interest there might be from the broader community in a piece of legislation like this. They’ve been very, very receptive to the views we’ve put forward.”
AustCyber is also preparing a report with ASPI on its recent survey of cybersecurity companies and the impact of the encryption bill.
The organisations had earlier been trying to rush the report out before the legislation passed, but are now focusing on further analysing the result and providing commentary before releasing it by the end of the year.
The report would be an opportunity to influence the Parliamentary Joint Committee on Intelligence and Security’s further scrutiny of the legislation, ASPI’s International Cyber Policy Centre head Fergus Hanson said.
“It’s an opportunity to feed into the process and make sure those voices and issues are heard. It’s an opportunity for the Australian industry to have a collective perspective put on the table – getting out in a collective form is useful to understand what the issues are,” Mr Hanson told InnovationAus.com.
A big issue that has emerged on social media and commentary about the new powers is that a tech employee could be forced to work with authorities to provide access to encrypted data without the knowledge of their employer. The AustCyber information will aim to address potential issues like this.
“If we can’t assure people working in the sector that this isn’t going to be a barrier for people entering the sector or staying then we can’t grow a sector,” Ms Price said.
“We’ve been talking to government departments about how these sections around what an employee can and can’t say about being served a notice and what that means for the company’s legal and HR policies.
“We’ll be seeking to develop anonymised situations that provide people with information so they can say, ‘oh, I get it now. I might not like it but I get it now’.”
The bill’s passage through Parliament was rushed and further issues will likely emerge, Mr Hanson said.
“With a bill this complex, lots of things come out of the woodwork as it gets more scrutiny. Whatever you think about the bill, 17 sitting days is not enough time to iron out the wrinkles in a bill this complex,” he said.
“People from both sides see merit of having more scrutiny in the bill like this and making sure we address the issues that crop up.”
The true impact of the new powers will depend on how they are implemented, he said.
“A capability notice can be executed in a relatively benign way that has a very low risk of impact. But a less responsible agency could ask for a capability to be built that inadvertently creates another vulnerability that no-one’s aware of, and that can be exploited by cyber criminals. That cost is hard to calculate,” Mr Hanson said.
“And you’ve got reputational costs. If you look at what happened in the UK – it didn’t collapse. There were dire warnings about what the impact would be there, but that didn’t eventuate.”
It’s also likely to serve as a test case for other countries around the world looking to introduce similar powers, he said.
“Lots of countries will use this as a model to roll out in their jurisdictions. Anyone operating internationally will be looking at what gets through here, it has international significance,” Mr Hanson said.