How the B-Team watches over Australia's encryption laws and cybersecurity

Most telco interception warrants are issued by non-judges. Important cybersecurity work isn't being done. The Information Commissioner lacks funding. Does the government actually care about privacy and security?

The cybersecurity of the Attorney-General's Department (AGD) has not been independently assessed by the Australian Signals Directorate (ASD) despite it being made an action item nearly four years ago.


The nation's Cyber Security Strategy of April 2016 said that government agencies "at higher risk of malicious cyber activity" would receive "independent cybersecurity assessments".

The discussion paper [PDF] for the 2020 strategy, released in September 2019, reported that "ASD has conducted active vulnerability assessments of a number of key government agencies".

But in written evidence given to the Senate Standing Committee on Legal and Constitutional Affairs this week, AGD revealed it wasn't one of them.

"ASD has not conducted an independent security assessment against Attorney-General's Department networks," it wrote.

"No additional funding has been provided to AGD for cybersecurity remediation activity."

AGD has vastly increased its spend on cybersecurity across the last four years, however.

From a base of AU$47,197 in 2015-2016, when AGD began tracking the annual operational spending of its IT Security Section, it rose to AU$225,826 in 2016-2017, then to AU$641,985 in 2017-2018. In 2018-2019, it declined slightly to AU$562,222.

"Other sections, projects, and activities make a substantial contribution to improving the overall cybersecurity posture, but are associated to other cost centres," AGD wrote.

But the department declined to answer specific questions about its compliance with the ASD Essential Eight cybersecurity controls, citing security concerns.

"Publicly identifying details of any briefings provided to the Attorney-General on cybersecurity vulnerabilities on departmental networks would provide an individualised snapshot in time and may provide a heat map of vulnerabilities for departmental networks, which malicious actors may exploit and thus increase the agency's risk of cyber incidents," it wrote.

Telco intercept warrants issued after mere minutes of consideration

It's bad enough that most telecommunications interception warrants are not approved by judges but by members of the Administrative Appeals Tribunal (AAT).

What's worse is that these less-qualified officials can spend mere minutes making their decision with no legal support from AAT staff.

After so little thought, and without further independent oversight, law enforcement agencies are free to use their controversial new powers under the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.

They can issue a "voluntary" Technical Assistance Request (TAR) to get a communications provider to help access the contents of an encrypted communication. Or they can issue a compulsory Technical Assistance Notice (TAN) to the same end.

Some seven TARs or TANs were issued by law enforcement in the first seven months of the Act's operations. The number issued by the spooky agencies, meanwhile, is unknown.

The concern, first raised by The Saturday Paper a year ago, is that AAT members might more readily approve warrants than judges, although there's no data on this one way or the other.

There have been concerns that many AAT members are political appointees with no legal qualifications. More than 60% of members appointed since 1 July 2015 are not legally trained, according to further AGD evidence to the Legal and Constitutional Affairs Committee.

And while section 6DA of the Telecommunications (Interception and Access) Act 1979 states that only AAT members who have been "enrolled as a legal practitioner of the High Court, of another federal court, or of the Supreme Court of a State or of the Australian Capital Territory" for at least five years are approved to issue warrants, a lawyer with five years' experience is not a judge.

"Some legal experts argue that judges are more experienced and therefore more qualified to assess warrant applications than a lawyer with five years' practising experience," The Saturday Paper wrote.

"Key to this is the fact that during these warrant proceedings, there is no party making an opposing argument."

Judges are experienced in weighing up the pros and cons of a case to ensure fairness. Lawyers are experienced at arguing for their client's position. They're not the same.

Also concerning is the amount of support given to AAT members in this role: None.

The Senate was told that "members undertake these functions in a personal capacity (as a persona designata) and not as part of their duties as a member of the AAT".

"AAT staff do not provide any legal support in respect of applications considered by an AAT member under the Act," AGD wrote.

"The AAT and AAT staff provide limited assistance to facilitate the performance of these functions, particularly scheduling appointments."

Those appointments can be very brief indeed.

"Since 1 July 2015 the average (mean) length of all appointments with AAT members for warrant-related purposes is just 18 minutes," AGD wrote.

"The shortest amount of time recorded for an appointment that proceeded is 1 minute. The data is not subject to auditing."

Maybe the members spend hours of their own time wrestling over whether to approve each warrant. On that matter, your writer has a simple response: Prove it.

Either way, it might well be argued that one minute doesn't allow for a serious challenge to a warrant application's claimed merits.

Information Commissioner to focus on healthcare industry

Australia's health sector continues to be the most affected by data breaches, according to the Office of the Australian Information Commissioner (OAIC).

Some 58 notifiable data breaches (NDBs) were received by the OAIC between 1 January 2019 and 31 March 2019.

"The OAIC's 2019-20 corporate plan includes a continued focus on the health sector, particularly centred on uplifting the health sector's security posture," it told the Senate this week.

In September 2019, the OAIC released a Guide to Health Privacy.

"[The OAIC] is currently undertaking an associated outreach and social media campaign. This campaign includes the development of a toolkit to assist health service providers improve their information handling practices," it said.

Also during Estimates in November, the OAIC was asked if it was conducting an investigation into an alleged AU$10 million international identity theft scam that had affected several of Australia's largest super funds, including REST Super, AustralianSuper, and HESTA.

"The Information Commissioner has not opened an investigation into the named organisations in relation to the media report of an alleged identity theft scam," the OAIC said.

It did add, however, that the maximum current penalty that the Federal Court can impose for a serious or repeated interference with privacy is AU$2.1 million for a body corporate.

In recent years, the OAIC has found it difficult to process Freedom of Information (FOI) requests promptly. A substantial increase in all types of requests has since widened the gap, resulting in increased delays and backlogs.

This week the OAIC revealed that meeting the demand for FOI regulatory work would require nine more staff at a cost of AU$1.65 million a year, plus AU$300,000 in the first year for accommodation.

Your writer is of the view that this is back-of-the-couch money, given that it would deliver a significant increase in government transparency.
