How is the Australian government looking to protect its citizens at a time when cyber threats are on the rise?
The current cyber threat environment has become increasingly complex, with new types and scales of threats surfacing every day. Research company Cybersecurity Ventures has forecast cybercrime damage costs to reach $8.45 trillion by 2021 – due to the increasing number of malicious actors that are consistently employing more powerful and disruptive technologies against both private and public sector networks.
In a move to better protect people against cyberattacks, the Australian Government announced in July 2017 its plans to introduce new legislation that companies would have to comply with in order to safeguard people’s information. Following this announcement, further information surrounding the proposed laws came to light last week as the Australian government presented two bills before the Parliamentary Joint Committee on Intelligence and Security for its review:
- The Identity-matching Services Bill 2018 which will “allow the Department of Home Affairs to collect, use and disclose identification information in order to operate the systems that will support a set of new biometric face-matching services”; and
- The Australian Passports Amendment (Identity-matching Services) Bill 2018 which will “authorise the Minister for Foreign Affairs to disclose personal information for the purpose of participating in a service to share or match information relating to the identity of a person”.
What will the Identity-matching Services bills entail?
The Identity-matching Services bills have been designed to enable two systems, the Face Verification Service (FVS) and the Face Identification Service (FIS), to match a photo against identities of citizens stored in various federal and state agencies. To make this possible, the bills would require the participation of both domestic and foreign tech companies that operate in Australia. Whilst FVS is a verification service that will match a person's photo against an existing image on government records, FIS provides a service that will match a photo of an unknown person against multiple government records to help establish their identity.
It will then be up to users with appropriate facial-recognition training to shortlist a number of possible matches for further investigation. Law enforcement agencies will only receive biographic information about candidates that have been shortlisted and will also have to make the final identity resolution decision. The Identity-matching Services bills will not be available for mass surveillance; they will allow state and territory law enforcement to use face-matching services to access passport, visa, citizenship, and driver licence images from other jurisdictions.
Is the government looking to pass other laws to reduce cybersecurity threats?
The government is planning to impose greater obligations on companies that provide encrypted communications services through its Telecommunications and Other Legislation Amendment (Assistance and Access) Bill (Assistance and Access Bill 2018). The bill offers amendments relating to cybersecurity and law enforcement. It has been designed to adequately address the impact of encrypted communications and devices on a national scale.
Whilst encryption enables people to communicate privately and securely, the Australian Department of Home Affairs has voiced that such security measures are often abused by criminals. This is mainly because law enforcers are unable to intercept criminal activity due to end-to-end encryption technology that blocks third parties from accessing the content of communications. As such, encryption technology is a challenge that Australia’s law enforcement agencies have to continuously work with.
What is the aim of the Assistance and Access bill?
The passing of this bill will allow police and intelligence agencies to request voluntary assistance from tech companies such as messaging service providers, telecommunications carriers, operators of physical communication facilities or even contracted software developers, either in lifting any form of encryption to facilitate access to devices, or in concealing the fact that agencies had undertaken a covert operation. This can also be escalated to an official notice depending on the degree of the crime. In such scenarios, the tech companies that are involved are obliged to assist in retrieving the user’s data or to create a decryption solution within 28 days. Whilst access to any data will require a warrant, law enforcement agencies will have the authority to request companies’ technical assistance. At this stage, it is unclear whether tech companies have the capacity to fully comply with the proposed laws. The bill also mentions a ban on the use of backdoors – access to encrypted data by bypassing the system's security mechanism.
How can companies help police or ASIO?
According to Attorney-General Christian Porter, a technical capability notice might be issued to make it mandatory that companies build a new capability to better assist police or the Australian Security Intelligence Organisation (ASIO) with their inquiries. However, the notice cannot compel companies to remove encryption in the event that this compromises secure communication and weakens companies’ encryption systems. The attorney-general also has the capacity to issue orders such as locating criminals through GPS tracking or creating an online identity that communicates with a network of criminals.
Law enforcement agencies are currently finding it difficult to manage applications that offer end-to-end encryption, such as Signal and Wickr, which seal messages with a unique key that only the recipient can decode. However, the government is hoping this would change with the enforcement of new laws that will enable access either through the application, the device or the networks. Senator Jordan Steele-John advised erring on the side of caution, as such measures could undermine the purpose of end-to-end encryption if agencies force companies to install malware on devices in order to read the encrypted data. The new laws will also enable police and ASIO to seize and examine computers for 30 days – rather than the usual 14 days – and grant them access to account-based data such as Facebook accounts and email. Companies will also be able to conceal their tracks within 28 days of the search.
What are the penalties if companies are non-compliant?
Companies may face up to $10 million in fines if they refuse to assist police in the investigation of a serious crime. According to Australia’s domestic spy agency ASIO, 90% of priority cases involve some form of encryption and more than 90% of data intercepted by the federal police is encrypted. Part of the legislation will therefore allow police access to individuals’ mobile phones, should there be reasonable suspicion that there is evidence of a crime on them. Refusing to act on police requests may result in two to five years in prison. The Australian government is currently planning to introduce this law before Christmas this year.
We can help
With the rise in cyber threats and the Australian Government looking to establish new legislation, there has been a significant increase in the demand for cybersecurity specialists. It is anticipated that there will be a worldwide shortage of cybersecurity professionals totaling 1.8 million by 2022. As a leading recruitment firm within the cybersecurity space, we can help you connect with the best cybersecurity experts in the market. Feel free to give us a call on 02 8251 2120 for a confidential discussion about current cybersecurity opportunities.