Oz intel committee: Crypto-busting is only bad if you're a commie, and we're not by the way
El Reg listened to the whole depressing folly so you don't have to
Comment Tech vendors: don't worry about Australian law enforcement demanding you decrypt user messages. It's OK, because we're not a communist regime.
That's the upshot of a real exchange in the powerful Parliamentary Joint Committee on Intelligence and Security, which is conducting hearings into the country's crypto-busting "Assistance and Access Bill 2018".
Never mind multiple warnings that the bill puts at risk both Australia's (relatively meagre) IT exports and international vendors' willingness to sell us their kit.
It's OK, because we're not a communist regime.
Friday, Australian time, the committee heard from four industry groups – the Communications Alliance (representing nearly all Australia's telcos), the Australian Industry Group (a broad-based industry lobby), the Australian Mobile Telecommunications Association, and the Australian Information Industries Association.
Towards the end of their joint evidence, Comms Alliance programme management director Christiane Gillespie-Jones pointed out that Australia had banned Huawei from its telco networks because the government believes the vendor is subject to Chinese government influence; and that legislation allowing the Australian government to make demands of vendors put us in exactly the same position.
"This act is doing the exact same thing," she said, and foreign vendors "may be subject to the exact same concerns".
This apparently irritated the committee chair, Liberal MP Andrew Hastie, who snappily explained that the difference is: "We're not a communist regime."
Merely appearing before the committee to try and bring sanity to the government's shambolic, ill-defined demands takes on an aspect at once heroic and Sisyphean.
Cisco: Vendors "choose" who they sell to
While the industry groups had jointly warned about a few billion of Australian tech exports taking a dive because customers wouldn't trust our products, it fell to Cisco to be more blunt: good luck buying our routers if your government's going to crack open our crypto.
Appearing alongside carrier reps from Telstra and Optus, Cisco's global cybersecurity director Eric Wenger said a vendor like Cisco will "choose where it does business", adding that "companies might choose to limit their investment in countries they don't see as adequately secure".
Even though we're not a communist regime...
Wenger and Cisco local security architect Matthew Carling also called on the government to abandon the secrecy provisions under which a request for assistance can't be revealed by a vendor.
Their reasoning drew on the government's own fondness for saying it wants the old world of wiretaps reproduced in the digital arena.
In a market like telephony, Cisco said, legal intercept is built into products as a published, documented feature. Anything else is a bug, or a backdoor, in Cisco's world – and secret access to any user's communications, hidden and undocumented, falls under Switchzilla's definition of "backdoor".
"The existence of a capability that allows for lawful intercept... needs to be disclosed in order to maintain trust with our customers," Wenger said.
The Australian Industry Group warned that the threat to Australian manufacturing interests went far beyond the tech sector.
Defence exports are an important example: it would be impossible for an Australian defence subcontractor to convince an American prime contractor that it can protect proprietary intellectual property, if the customer knows the government can demand its network be compromised.
AI Group's Tennant Reed said security "is absolutely central to the ability to be in the ring at all" in defence contracts.
But it's all right – we're not a communist regime.
About those passwords...
The Register also heard, earlier in the day, that those in favour of the bill consider its remit even wider than Cisco, Telstra, Optus or the industry groups suspected when they prepared for today's hearing.
Explaining why the legislation uses "electronic protection" rather than "encryption", First Assistant Secretary at the Department of Home Affairs Hamish Hansford said the broader term meant the legislation could be applied to "things like passwords".
The legislation, in other words, was written so that "electronic protection" means whatever damn thing the government's spooks think they want it to mean, at any given time.
As far as The Register could tell during the hearing, the department thinks it's got a natty workaround for accusations that the bill demands backdoors – it's not about backdoors if you can take a warrant over to Telstra, Optus, eBay, PayPal, Signal, Telegram, or anyone else and demand they hand over a user's password.
They don't, apparently, realise those organisations don't store plaintext passwords, or at least not if they want or need to maintain user security or PCI compliance. They store one-way hashes of the password – cryptography again! – and have no easy way to get back to the plaintext.
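To make the point concrete, here is an added illustration (not code from the article or from any provider named in it) of what a password store that does not hold plaintext looks like. The scheme, parameters and the sample password are assumptions chosen for the example: PBKDF2-HMAC-SHA256 with a random per-user salt. The operator can check whether a candidate password matches, but the stored record contains no plaintext to hand over.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for illustration only; they are not any real
# provider's configuration. Iteration count follows current PBKDF2 guidance.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the record an operator would actually store.

    Format: algorithm$iterations$salt_hex$digest_hex.  The plaintext is used
    once to derive the digest and is never written to the record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """The only operation the operator can perform with the record.

    Re-derive the digest from the stored salt and compare in constant time.
    This answers "is this guess right?", not "what is the password?".
    """
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def record_contains_plaintext(record: str, password: str) -> bool:
    """Check whether the stored record leaks the password in raw or hex form.

    This is what a demand served on the operator would obtain: the record.
    For a one-way hash the answer is no.
    """
    return password in record or password.encode("utf-8").hex() in record


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get different records (random salt),
    so the store cannot even reveal that two accounts share a password."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    sample = "correct horse battery staple"  # constructed sample password
    rec = hash_password(sample)
    print("stored record:", rec)
    print("verify correct:", verify_password(sample, rec))
    print("verify wrong:  ", verify_password("hunter2", rec))
    print("plaintext in record:", record_contains_plaintext(rec, sample))
```

Verification works by recomputing the derivation with the stored salt, which is why the operator can confirm a login but cannot answer a demand for the password itself.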
But wait, there's more – just a detail mentioned in passing, so to speak.
John Stanton of the Communications Alliance also mentioned that the effect of this bill could be to vastly expand Australia's metadata retention regime, potentially making anybody covered by the Assistance and Access bill subject to metadata collection obligations. Got a website? Congratulations, you're a communications provider, and can be asked for metadata.
Take your pick: it's either a misinterpretation of the legislation, a drafting error, or someone in spooksville said "My Lord, I 'ave a cunning plan."
It seems depressingly likely that such ignorance will not only drive the debate, but bring the legislation to parliament.
It's OK, though. At least we're not a communist regime. ®