Blog Post created by Alex Heidenreich, Executive Director
During a recent risk committee meeting at a critical infrastructure operator, a concerned director asked our opinion on the recent legislation the Australian Government is introducing relating to a reduction in cryptographic controls (encryption) and the increased likelihood agencies can gain access to secure private communications. The answer is not simple, because the question relates to a wicked problem.
Our historical experience in combating terrorism and having lived with the burden of protecting Australian’s from domestic and offshore terrorist activity, we fully understand the drivers behind the legislation. Predicting terrorist events, and pro-actively responding relies on timely and accurate intelligence. Encryption and secure communications delay or defeat this endeavour. The bad guys know this. The Government has an obligation to protect Australian’s from this threat, and that endeavour is what this legislation is seeking to support. Increasingly, the media and public are quick to point out when agencies fail to prevent a terrorist event.
Conversely, as people who strongly value privacy and are now charged with securing our clients against a range of threat actors, including legitimate governments, this legislation has significant risk. Given that Government departments consist of people, and people are prone to mistakes, mismanagement, blackmail, corruption and fraud; the risk of this legislation creating a range of second-order negative security and privacy impacts is high. Further, given most backdoors, over time, work equally in favour of both the good guys and the bad, in the long term you could argue you simply rob Peter to pay Paul. This is especially true if you consider the likelihood that the threat will ultimately adapt, but much of the public will not.
Either approach has significant risk.
What keeps you awake at night? If it is the spectre of terrorism, you will perceive that this legislation will be good for you. If it’s your own personal security and privacy, or that of your company, you will perceive that this legislation will be bad for you.
Our opinion, for what it is worth- the legislation is not a good outcome. The risks outweigh the benefits. But make your own mind up- it’s a wicked problem.