MIT to Oz: Crypto-busting laws risk banning security tests
I see the red team and I want it painted black
The Australian government's crypto-busting legislation risks blocking security research, a leading Internet policy boffin has warned.
Speaking to a parliamentary hearing into the “Assistance and Access” legislation this morning, a director of the Massachusetts Internet Policy Research Initiative, Daniel Weitzner, said the problem arose out of secrecy provisions of the proposed legislation.
The problem, Weitzner told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) today, is that if a Technical Capability Notice (TCN) requires access to be added to hardware or software, disclosing its existence is a crime.
However, organisations like service providers typically subject their systems to security assessments before deployment. Red Teams, he said, “will do everything they possibly can to find weaknesses.”
What happens, Weitzner postulated, if researchers find a vulnerability covered by a TCN, when they can't know that the TCN exists and that the vulnerability therefore has to be kept secret?
“If the specific features that are mandated by the TCNs are kept secret, it will be hard for security engineers to know where to look”, Weitzner said, and it will be “perilous” for service providers to engage people to run security tests.
Weitzner said any TCN regime needs transparency so as to allow security testing: “It would simply be irresponsible to keep the behavior of parts of those systems secret”.
That is, of course, assuming such capabilities exist in the real world – that, for example, “golden keys” to systems can be created and protected against misuse.
“Our view is that if those keys to unlock the system are kept for one purpose, which may be entirely legitimate and lawful, they can be exploited for another purpose,” Weitzner said. “We haven't seen a design of a system that reduces that risk.”
The only way to know whether any proposed system is functional and secure is to test it, and that is once again at odds with the secrecy the government hopes to apply to what he called “exceptional access systems”.
“I would not claim that it's 'impossible' to design such a system because we haven't seen every possible design,” but if anyone claimed to offer such a system, “you have to subject that system to very careful study.”
Shadow attorney-general Mark Dreyfus pointed out that the government's position is that the bill does not require “specific exceptional access systems, or to require that providers redesign their entire systems to facilitate government access”.
However, Weitzner replied, as the legislation now stands, the government has very broad discretion in what may be contained in Technical Capability Notices, and “there's no restriction that they only be targeted to a limited set of users.” ®