
It’s clear that the federal Government has thrown in the towel on advancing cybersecurity. Its opaque approach to encryption is unsettling and will undermine its cyber security strategy.

Launched in April 2016, Australia’s national cyber security strategy reported “a growing trend for groups and individuals to use encryption to hide illegal activity and motivate others to join their cause”.

At the same time, it added that it supports the use of encryption to protect sensitive personal, commercial and government information. Then came the inevitable ‘however’:

“However, encryption presents challenges for Australian law enforcement and security agencies in continuing to access data essential for investigations to keep all Australians safe and secure. Government agencies are working to address these challenges.”

Two years on, the federal government is reportedly close to finalising legislation to bolster its ability to enforce access to communications using encrypted services.

In July 2017, Prime Minister Malcolm Turnbull and Attorney-General Senator George Brandis first argued for a new cybersecurity law to force global technology companies such as Facebook and Google to help police unscramble encrypted messages sent by suspected extremists and other criminals.

Modelled on Britain’s controversial Investigatory Powers Act, passed by the British Parliament in November, the legislation armed intelligence agencies with the most extensive surveillance powers in the Western world, Turnbull said.

“We’ve got a real problem in that the law enforcement agencies are increasingly unable to find out what terrorists and drug traffickers and paedophile rings are up to because of the very high levels of encryption,” he added.

AFP Commissioner Mike Phelan claimed the encrypted communication traffic monitored by the police had grown from three per cent to 55 per cent over the last few years.

The proposed bill that would allow Australian courts to order tech companies to “quickly unlock” communications was scheduled for Parliament consideration by November 2017. This slipped to the first quarter of 2018. Now close to mid-year, there is still little detail on what the precise nature of the new commitments for tech and communication companies will be.

No technical background present
In February 2018, inaugural minister for Home Affairs Peter Dutton offered no clues at his National Press Club Address, acknowledging only that “ubiquitous encryption” was vital for secure personal banking and other communications including messaging, but that it had become a “significant obstacle” to terrorism investigations.

At the Australian Cyber Security Centre (ACSC) conference last month, senior leaders in politics and government were likewise short on detail about what the legislative landscape will look like.

Law enforcement access to encrypted communications should be “on the same basis” as telephone and other intercepts, where companies provide “vital and willing” assistance in response to court orders, he argued.

The legislation would ensure companies providing communications services and devices in Australia would be required to “assist” agencies with decryption.

Not surprisingly there has been little applause from either the tech or communications sector, even for the principle of legalising third party decryption in the interests of securing against terrorists and other rogue elements that deploy encryption in their messaging.

Apple and Facebook, as well as many tech commentators familiar with the risks, are on record as opposing such laws.

The Australian Privacy Foundation, Electronic Frontiers Australia, Digital Rights Watch and Future Wise, in a joint submission to the Parliament’s Joint Committee on Law Enforcement (PJCLE), noted that it is so far unclear whether the government’s proposed legislation will require backdoor access to applications incorporating encryption such as Facebook Messenger and WhatsApp, and whether it “would require these companies to modify their products and services in Australia or consider removing them from the domestic market altogether”.

In the US and UK similar attempts to usher such decryption laws have been made. In the US it was reframed as “responsible encryption” by the deputy US Attorney-General Rod Rosenstein. While Rosenstein said that the government doesn’t want to undermine encryption, he was opposed to “warrant-proof” encryption. By using encryption, many tech companies were trying to “exempt themselves from complying with court orders,” Rosenstein reportedly said.

Instead, Rosenstein urged tech companies to embrace “responsible encryption.” This would grant access to law enforcement but, he maintained, would not be considered a back door. In fact, it is a back door adorned with a better sounding name.

That said, where the encryption keys are held by a company providing the technology or hosting the messaging, access is possible without a back door.

End-to-end encryption means only the sender and recipient of a message have the keys to read it. This implies that though tech and communications firms may have developed or hosted the message, they can’t give government (or any other unauthorised person for that matter) access to specific messages, even if they wanted to.

Decrypting an encrypted message with “brute force” computing tools is often spoken about but rarely demonstrated.

As one commentator suggests, breaking a symmetric 256-bit key by “brute force” requires 2^128 times more computational power than a 128-bit key. Fifty supercomputers that could check a billion billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space. Unless your passphrase is very guessable, that makes 256-bit or stronger encryption effectively unbreakable.

Lack of understanding
The rift between tech analysts and Turnbull reached its nadir when he suggested “the laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia.”

Despite Turnbull’s confidence to the contrary, tech analysts see no way to provide a secure system that lets police in while keeping malicious hackers out. The only difference is that the police have to seek a warrant first to authorise the decryption.

In the UK, whose laws seem to have prompted Australia’s endorsement, it’s clear they have so far proven less effective than promised. The Investigatory Powers Act, made law in late 2016, lets the UK government compel communications providers to remove “electronic protection applied … to any communications or data”.

Wary of taking its encryption concerns to the courts, Home Office Minister Rudd has criticised tech companies for not doing more to “work with” the government to allow intelligence services to get into encrypted services such as Facebook’s WhatsApp messaging app which the Westminster terrorist attack relied on.

There is no way to turn off WhatsApp’s end-to-end encryption. Each chat has a security code, a 60-digit number, that can optionally be verified. If the two users stand next to each other and scan each other’s code, and the codes match, they can be sure that no one is intercepting the messages or calls. By February 2016 the app reportedly had more than one billion users. If a back door exists then anyone can exploit it, including criminals, making it impossible to allow access to encrypted messages without compromising the entire system.
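The two claims above, that only the endpoints hold the keys and that the scanned 60-digit code reveals interception, can be shown in a few dozen lines. The following is an added illustration, not WhatsApp's, Signal's or the article's own code: a Diffie-Hellman exchange between two users through a relay that only ever sees public values, plus a simplified Signal-style 60-digit code (30 digits per party, derived by iterated hashing of each public key; the real algorithm differs in detail). When the relay forwards keys honestly, both sides derive the same secret and the same code; when it substitutes its own key, the secrets diverge and the codes no longer match, which is exactly what the in-person scan is meant to catch. The group parameters are the 2048-bit MODP group of RFC 3526, transcribed here; the user names and the `simulate` helper are constructed for the example.

```python
"""Added illustration of end-to-end key agreement and a 60-digit verification code.

Not WhatsApp's or Signal's real implementation: the code-derivation scheme is
a simplified Signal-style construction, and "alice"/"bob"/"relay" are
constructed names for the example.
"""
import hashlib
import secrets

# 2048-bit MODP group, RFC 3526 (transcribed; generator 2).
P_HEX = """
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2
KEY_BYTES = 256  # public values are < P < 2^2048


def keypair():
    """Diffie-Hellman key pair: (private exponent, public value)."""
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Symmetric key derived at one endpoint; the relay only ever sees public values."""
    raw = pow(peer_pub, priv, P).to_bytes(KEY_BYTES, "big")
    return hashlib.sha256(raw).digest()


def fingerprint(pub, identifier):
    """30 decimal digits bound to one party's public key and identifier.

    Simplified Signal-style construction (iterated hash, then 6 x 5-digit
    chunks); the real apps use different parameters.
    """
    pub_bytes = pub.to_bytes(KEY_BYTES, "big")
    digest = b"\x00\x00" + pub_bytes + identifier.encode()
    for _ in range(5200):
        digest = hashlib.sha256(digest + pub_bytes).digest()
    chunks = (int.from_bytes(digest[i * 5:(i + 1) * 5], "big") for i in range(6))
    return "".join(f"{c % 100000:05d}" for c in chunks)


def security_code(my_pub, my_id, peer_pub, peer_id):
    """60-digit code: both fingerprints in sorted order so either side gets the same string."""
    return "".join(sorted([fingerprint(my_pub, my_id), fingerprint(peer_pub, peer_id)]))


def simulate(relay_substitutes_keys):
    """Run one key exchange through a relay and report what each user would observe.

    With an honest relay the users' secrets and codes agree; with a relay that
    replaces each user's public key with its own, neither agrees.
    """
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    if relay_substitutes_keys:
        _, relay_pub = keypair()
        pub_alice_sees, pub_bob_sees = relay_pub, relay_pub
    else:
        pub_alice_sees, pub_bob_sees = bob_pub, alice_pub

    alice_key = shared_secret(alice_priv, pub_alice_sees)
    bob_key = shared_secret(bob_priv, pub_bob_sees)
    alice_code = security_code(alice_pub, "alice", pub_alice_sees, "bob")
    bob_code = security_code(bob_pub, "bob", pub_bob_sees, "alice")
    return {
        "keys_match": alice_key == bob_key,
        "codes_match": alice_code == bob_code,
        "code_length": len(alice_code),
    }


if __name__ == "__main__":
    print("honest relay:   ", simulate(False))
    print("substituted key:", simulate(True))
```

Because the code is derived from the public keys alone, it can be compared out of band (on screen, or by scanning the QR code the app shows) without revealing anything secret; a mismatch after a key substitution is visible to both users, which is why a server-side interception point cannot be added to such a system silently.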

As one tech commentator mused, it would be more effective—and easier to police—to just ban cars from driving on roads, or at least make people pass a full background check before renting a car. Or perhaps Rudd could legislate a telecommunications “kill switch” and disable the country’s phones and Internet access.

The lack of perspective by regulatory agencies and their obsession with encryption being misused has led to some two or three years of wasted effort. The rift between tech companies and Government has widened. People have less trust in the Government, and the bad guys will continue to use whatever means are available.

Role of encryption
Recent reports of terrorist attacks tend to discount the role of encryption.

For example, the 2015 terrorist attacks on Paris were planned and executed with plain old SMS messages sent via plain old prepaid burner phones. Though a number of the attackers were already known to the French and Belgian authorities, those authorities didn’t have enough resources to track their movements and behaviour. At the time, the French authorities reportedly had around 500-600 staff available to physically follow people, versus a national security watch list of about 11,000.

Similarly, the Lindt Café siege at Martin Place, Sydney, in December 2014 resulted in the deaths of two hostages and of gunman Man Haron Monis, who had an unencrypted track record of violence and some 40 counts of predatory sexual assault. He was on bail when he attacked. Furthermore, ASIO investigated Monis over Islamic State Facebook posts less than a week before the siege.

Six days before the siege, the National Security Hotline received 18 tip-offs when Monis used Facebook to pledge allegiance to the “Caliph of the Muslims” which is believed to be a reference to Islamic State.

There should be a broader conversation on more thoughtful ways of dealing with terrorism than one confined to targeting users and providers of end-to-end encryption. Reviewing public resources and applying intelligence may be a more rewarding direction than the Government’s knee-jerk decision to undermine the use of encryption, an essential element of cyber security.

This article first appeared in the May 2018 edition of ADM. 
