By Vanessa Teague
Everyone agrees that the threat of cyberattack is serious, the results could be devastating, and Australia is woefully underprepared. The question is whether forced "assistance" from the Australian Signals Directorate (ASD), under orders from Home Affairs, will make us more or less secure.
Critical infrastructure is not just dams and power plants — the new Critical Infrastructure Bill also includes financial services, health care, higher education, communications and "data storage or processing" (i.e. almost anything). There are two risks for government intervention: incompetence and abuse. Neither is adequately managed in this bill.
In recent years the Australian government's IT specialists have brought us COVIDSafe, myGovID, Robodebt and CensusFail. They were unable to put a digital signature on domestic vaccine certificates, and remain unwilling to include encryption among their essential eight mitigation strategies. Even well-intentioned "assistance" may introduce or exacerbate vulnerabilities and problems instead of correcting them. Nothing in the bill requires that they consult anyone with relevant technical knowledge.
Then there is the risk of deliberate abuse of power, which is increased by the decision to include systems that contain ordinary people’s personal data.
Sometimes law enforcement agencies have to break into places for the good of everyone. When it is a home or office, the police need a warrant — this restrains their power and deters abuse, ensuring that invasive powers are used for good. Most democracies impose some similar restraints on access to electronic personal data. Recent Australian legislation (notably the TOLA and ‘Identify and Disrupt’ 2021 Act) already moves Australia away from this principle.
The Critical Infrastructure Bill removes the restraint of judicial oversight entirely, allowing forced entry without a warrant by ASD, under instructions from the Ministry of Home Affairs, into anything listed in the bill as ‘Critical Infrastructure’.
The following powers are included:
- An "intervention request" (Section 35AX) comes from the Minister and can force an entity to modify its system or install ASD software on it. Refusal attracts a very large fine.
- An "information gathering direction" (Section 35AK) can include being forced to give information about the system to the Secretary of Home Affairs. Refusal attracts a large fine.
- An "action direction" (Section 35AQ) is like an "intervention request," but refusal is punished with 2 years' jail.
The bill has almost no protection against arbitrary use of these powers. The Minister and Secretary of Home Affairs need only satisfy themselves of some things in order to justify the order to ASD to force their way into a system.
Consider how many times in recent years a minister or public servant has been quite satisfied of some claim about technology that was not generally believed by other Australians. A cyberattack need not be occurring; it need only be believed to be imminent. The Minister must believe that its consequences will be severe, but need not rely on any evidence for this belief. Cyberattacks happen all the time. The bill doesn’t even say they have to believe in an imminent attack on the system they are targeting (Division 2, 35AB(2)(b)).
The oversight consists only of reports or requests to other ministers, or happens long after the order is given. The Secretary must report to the Parliamentary Committee on Intelligence and Security (PJCIS) with a description of any directions or requests they have made, but there are no specifics and no deadline. They could intervene in a system before an election, then report at their leisure after the return of the writs.
If all this assistance is so helpful, why does it need to be forced upon us through the threat of jail time?
The only answer comes from ASD's submission to the PJCIS inquiry into the legislation, in which they describe a health care provider which refused to engage with ASD intervention despite being the subject of a ransomware attack. I do not know whether this refusal was a good or a bad decision, but it is an entirely understandable decision for an entity that might have held a great deal of very sensitive personal information.
There are no protections against exfiltration, manipulation or misuse of personal data
Nothing prevents an information gathering direction from seeking personal information. The software installed as part of an intervention request can report information back to ASD and Home Affairs without restriction. An action direction is forbidden from requiring an entity to give information to the Secretary (Section 35AQ(5)), but nothing stops the Secretary demanding information be given to someone else. In short, there is no prohibition against exfiltrating personal data, nor any restriction on its use once acquired.
The bill also omits an important paragraph that both the TOLA and the ‘Identify and Disrupt’ Act contain: “To avoid doubt, this Division does not affect the law relating to the powers, privileges and immunities of [Houses, members and committees of Parliament]”. I am a cryptographer, not a constitutional scholar, so it is possible that this clause was never necessary, but why include it in earlier acts and omit it here?
Regulations, genuine assistance, and judicial oversight would keep us more secure
Governments should make regulations and then enforce them; law enforcement and intelligence agencies should need a warrant for forced access. Regulations for data protection (like the GDPR) would be a good start. Australia could impose strong data protection obligations on corporations or public entities that hold personal data. If a corporation (or health service or financial system or cloud provider) was found to be in breach of their data protection obligations, the authorities could investigate with appropriate judicial oversight.
The US Cybersecurity and Infrastructure Security Agency (a similar name for a completely different concept) offers federal assistance without coercive power — also a good example to follow.
If I had 10 seconds with a red pen, I would:
- require a warrant (from a judge) for forced access to systems holding personal data;
- prohibit exfiltration of data that relates to an identifiable person;
- add the paragraph about not violating Parliamentary privilege.
So what can we do about it?
Nothing that I can think of. The bill has already passed the House, and both major parties have signalled their intention to pass it in the Senate.
If you are a journalist, whistleblower, or opposition candidate in the upcoming election, you need to understand that this is happening. Use end-to-end encrypted communications (such as Signal or FaceTime), turn off or encrypt cloud storage, and install 2-factor authentication on all your accounts. You cannot take for granted that the upcoming election will be contested according to normal rules. Ironically, this threat might motivate us all to make ourselves a little bit more secure.
Vanessa Teague is a cryptographer with a longstanding interest in the security of systems of interest to public processes, such as elections and open data. She is the CEO of Thinking Cybersecurity Pty Ltd and Associate Prof (Adj.) in the College of Engineering and Computer Science at the Australian National University.
See how far our language has changed, even since TOLA: a "request" cannot be refused.