The Australian Parliament recently passed the Assistance and Access Bill, which is widely recognized as an “anti-encryption” law by many U.S. tech giants. The law not only gives the country’s intelligence and law enforcement agencies access to end-to-end encrypted communications but also requires firms to create the technical capability to provide help where that capability doesn’t yet exist.
Whether this access is characterized as a “backdoor” or by some other name, the move will fundamentally weaken Australia’s cyber security, and possibly other users of these technologies.
The bill passed despite vocal opposition from cyber security and technology groups around the world who warned that even backdoors designed exclusively for law enforcement will undoubtedly be exploited by bad actors, opening the door to potential cyber attacks. Most recently, the Cybersecurity Tech Accord — an industry group comprised of more than 70 global companies whose goal is to improve the security and resilience of cyber space — recently denounced the new bill, saying it would put the privacy and data security of consumers at risk.
In today’s digital economy, lawmakers should be working to close the cyber exposure gap, not widen it.
When an individual device gets hacked, it opens the door to the internet infrastructure behind it. Not only does this approach weaken security for everyone who uses online services, but now imagine that device is connected to a bank, or to the nation’s critical infrastructure. The consequences of an attack on the financial system or electric grid would be catastrophic. There is also widespread concern that this law will result in the loss of jobs from Australian technology firms as the international community will no longer trust these products. So not only are lawmakers weakening Australia’s overall cyber security posture, but there will be economic consequences as well.
Unfortunately, this trend toward weakening encryption in the name of security is not unique to Australia. Governments around the world want easier access to data for their law enforcement professionals. Just last year, F.B.I. Director Christopher Wray described law enforcement’s inability to access data from electronic devices as an “urgent public safety issue.” Deputy Attorney General Rod Rosenstein has called for “Responsible Encryption” from tech companies, suggesting that he doesn’t believe companies will cooperate if left unregulated. In Europe, the French government has expressed interest in a similar bill to the Australian one.
Law enforcement agencies around the world face understandable challenges. However, laws that weaken encryption are the wrong solution. Every day, technology companies work with law enforcement when there are lawful court orders or compelling evidence to support a request. Quite simply, it’s in everyone’s best interest for the nation’s laws to be enforced. Encryption is not designed to undermine those efforts; in fact, it is designed to increase them.
Rather than following Australia’s dangerous precedent, the United States and others must work to ensure public safety while also closing the cyber exposure gap and strengthening cyber security standards for all devices. The risks associated with Australia’s action should not be understated –cyber security is national security.