They pointed out that since the Bill would, via a technical capability notice, require the creation of a capability, while at the same time preventing the entity being asked to do so from documenting it, the end result would be the creation of a backdoor.
"Building an undisclosed surveillance function — even if mandated by law and intended for use only in specific instances pursuant to a lawfully issued judicial warrant — would violate our public pronouncements to the contrary," Wenger and Fawcett wrote.
Under the Bill, companies will be initially requested to co-operate with law enforcement; if they do not, the pressure will be stepped up to force them to help.
First, there will be a “technical assistance request” that allows voluntary help by a company. The staff of the company will be given civil immunity from prosecution.
Next, an interception agency can issue a “technical assistance notice” to make a communications provider offer assistance.
Finally, a “technical capability notice” can be issued by the Attorney-General at the request of an interception agency. This will force a company to help law enforcement by building functionality.
However, it cannot include the decryption of information or the removal of electronic protection in any system.
Cisco recommended changes to the authorities who could issue TCNs and TANs, pointing out that both suffered from a lack of checks and balances to ensure that the steps demanded were "reasonable and proportionate".
"In neither case is a court involved in either authorising the issuance of the notice or in hearing a challenge raised by the DCP [designated communications provider]," the two Cisco officials said.
They said the DCP should be able to seek relief from courts if it was believed that the steps required under a TAN were not within its existing capabilities and would require new capabilities. Additionally, if a DCP believed that less intrusive methods, which were less likely to cause a systemic weakness, could meet the government's aims, then they should be able to appeal this.
Cisco also raised concerns around the transparency of the TAN and TCN authorities, saying that the DCPs should be able to report annually on the TANs they received.
Wenger and Fawcett said it was even more disconcerting that any new surveillance capability added to equipment could not be publicised. They said that while the Bill noted that DCPs could not be forced to make misleading statements or engage in dishonest behaviour, if they kept quiet, then previous statements made by them about any surveillance capability would automatically become misleading.
They also said the language used in the Bill could lead to the implementation of cross-border laws in a way that created "untenable conflicts of laws for multinational companies".
"Merely providing immunity from civil suit in Australian courts is in no way the solution to this problem," Wenger and Fawcett said. "Instead, the Parliament should pursue avenues that limit the application of Australia's laws in a manner that avoids adversely impacting their design, development and use globally."
They warned against the adoption of country-specific mandates as it could well end up harming the global competitiveness of Australian businesses and prevent them from gaining access to new technological innovations.
While Cisco welcomed the notion of working across borders to fight crime and terror, the company said it was imperative that such arrangements should not end up becoming "a pathway for the circumvention of national laws that protect civil liberties".
"Therefore, we recommend that the Australian Government clearly articulate as a matter of policy: 1) the Australian Government will not meet requests that it knows to violate restrictions on surveillance in the requesting country; and 2) Australian authorities will not request assistance from other national governments that would violate laws restricting surveillance authorities in Australia," Wenger and Fawcett said.
They also expressed apprehension about the new powers in the Bill allowing authorities to carry out remote access searches and seize digital information, cautioning that this could well lead to the leaking of undisclosed, unpatched vulnerabilities and then to the creation of zero-day exploits.
"The minister should ensure that there is a robust and transparent policy for handling and disclosing these vulnerabilities to vendors capable of responsibly patching them," Wenger and Fawcett said.
"For as certainly as [the leaked NSA Windows exploit] EternalBlue led to WannaCry ransom attacks, government agencies routinely handling vulnerability information without such policies will lead to additional global security crises."
Under the Bill, telecommunications and Internet companies and makers of digital devices will face fines of up to $10 million if they do not help law enforcement agencies gain access to data that the government says is needed for investigating terrorism offences, while individuals will face fines of up to $50,000.
The PJCIS has released a number of submissions that have been made to it ahead of the hearings. The draft of the proposed legislation, officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, was released for public comment on 14 August. The period for comment ended on 10 September.
Home Affairs Minister Peter Dutton introduced the bill into Parliament on 20 September. The Labor Party has advised caution on proceeding with the bill, while the Greens have said that Australian cyber security "will be significantly diminished by undermining the fundamental principles of end-to-end encryption".