Cisco fears encryption bill will lead to creation of backdoors

Global networking giant Cisco has expressed grave reservations about several aspects of the Federal Government's proposed encryption bill, with the creation of backdoors one of its major concerns.

In a submission to the Parliamentary Joint Committee on Intelligence and Security, which will be holding hearings on the bill — the first is on 19 October — Eric Wenger, director, Cyber Security and Privacy Policy, Global Government Affairs, and Tim Fawcett, head of Government Affairs, Cisco Systems Australia, said the company did not want to have any capabilities in its equipment that were not publicly documented.

They pointed out that since the Bill would, via a technical capability notice, require the creation of a capability, while at the same time preventing the entity being asked to do so from documenting it, the end result would be the creation of a backdoor.

"Building an undisclosed surveillance function — even if mandated by law and intended for use only in specific instances pursuant to a lawfully issued judicial warrant — would violate our public pronouncements to the contrary," Wenger and Fawcett wrote.

Cisco has good reason to be wary of backdoors – in 2014, it was revealed by NSA whistle-blower Edward Snowden that the agency's Tailored Access Operations Unit had backdoored the firmware of Cisco equipment without the company's knowledge, while it was en route to organisations that had been targeted for surveillance.

Under the Bill, companies will be initially requested to co-operate with law enforcement; if they do not, the pressure will be stepped up to force them to help.

First, there will be a “technical assistance request” that allows voluntary help by a company. The staff of the company will be given civil immunity from prosecution.

Next, an interception agency can issue a “technical assistance notice” to make a communications provider offer assistance.

Finally, a “technical capability notice” can be issued by the Attorney-General at the request of an interception agency. This will force a company to help law enforcement, by building functionality.

However, it cannot include the decryption of information or the removal of electronic protection in any system.

Cisco recommended changes to the authorities who could issue TCNs and TANs, pointing out that both suffered from a lack of checks and balances to ensure that the steps demanded were "reasonable and proportionate".

"In neither case is a court involved in either authorising the issuance of the notice or in hearing a challenge raised by the DCP [designated communications provider]," the two Cisco officials said.

They said the DCP should be able to seek relief from courts if it was believed that the steps required under a TAN were not within its existing capabilities and would require new capabilities. Additionally, if a DCP believed that less intrusive methods, which were less likely to cause a systemic weakness, could meet the government's aims, then they should be able to appeal this.

Cisco also raised concerns around the transparency of the TAN and TCN authorities, saying that the DCPs should be able to report annually on the TANs they received.

Wenger and Fawcett said it was even more disconcerting that any new surveillance capability added to equipment could not be publicised. They said that while the Bill noted that DCPs could not be forced to make misleading statements or engage in dishonest behaviour, if they kept quiet, then previous statements made by them about any surveillance capability would automatically become misleading.

They also said the language used in the Bill could lead to the implementation of cross-border laws in a way that created "untenable conflicts of laws for multinational companies".

"Merely providing immunity from civil suit in Australian courts is in no way the solution to this problem," Wenger and Fawcett said. "Instead, the Parliament should pursue avenues that limit the application of Australia's laws in a manner that avoids adversely impacting their design, development and use globally."

They warned against the adoption of country-specific mandates as it could well end up harming the global competitiveness of Australian businesses and prevent them from gaining access to new technological innovations.

While Cisco welcomed the notion of working across borders to fight crime and terror, the company said it was imperative that such arrangements should not end up becoming "a pathway for the circumvention of national laws that protect civil liberties".

"Therefore, we recommend that the Australian Government clearly articulate as a matter of policy: 1) the Australian Government will not meet requests that it knows to violate restrictions on surveillance in the requesting country; and 2) Australian authorities will not request assistance from other national governments that would violate laws restricting surveillance authorities in Australia," Wenger and Fawcett said.

They also expressed apprehension about the new powers in the Bill allowing authorities to carry out remote access searches and seize digital information, cautioning that this could well lead to the leaking of undisclosed, unpatched vulnerabilities and then to the creation of zero-day exploits.

"The minister should ensure that there is a robust and transparent policy for handling and disclosing these vulnerabilities to vendors capable of responsibly patching them," Wenger and Fawcett said.

"For as certainly as [the leaked NSA Windows exploit] EternalBlue led to WannaCry ransom attacks, government agencies routinely handling vulnerability information without such policies will lead to additional global security crises."

Under the Bill, telecommunications and Internet companies and makers of digital devices will face fines of up to $10 million if they do not help law enforcement agencies gain access to data that the government says is needed for investigating terrorism offences, while individuals will face fines of up to $50,000.

The PJCIS has released a number of submissions that have been made to it ahead of the hearings. The draft of the proposed legislation, officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, was released for public comment on 14 August. The period for comment ended on 10 September.

Home Affairs Minister Peter Dutton introduced the bill into Parliament on 20 September. The Labor Party has advised caution on proceeding with the bill, while the Greens have said that Australian cyber security "will be significantly diminished by undermining the fundamental principles of end-to-end encryption".


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
