Andrea Danti - Fotolia

Australia’s decryption plan seen as untenable

Experts say efforts to get technology and social media firms to cooperate with the authorities in decrypting communications will be hard to achieve

The Australian government wants smartphone companies and social media platforms to ensure terrorists cannot hide behind anonymous posts or encrypted messages, but it has not said how or when.

In his recent national security statement to parliament, Australia’s prime minister Malcolm Turnbull said traffic on encrypted messaging platforms was difficult for security agencies to decrypt.

“Most of the major platforms of this kind are based in the US, where a strong libertarian tradition resists government access to private communications, as the FBI found when Apple would not help unlock the iPhone of the dead San Bernardino terrorist,” he said. “The privacy of a terrorist can never be more important than public safety.”

The Australian government has already legislated to force internet service providers in the country to store metadata for reasons of national security, but has yet to spell out how it expects largely overseas-based technology suppliers to comply with its wishes for easier access to encrypted content.

In any case, some secure communications technologies only provided users with encryption keys that were not held by platform operators or suppliers, said Matthew See, WatchGuard Technologies’ APAC manager of sales engineering.

Even if the rules could make access to encrypted content easier, terrorists would probably find a workaround, he said.

“One suggestion has been that the government holds private keys in escrow,” said See. “The bad guys would simply move to an app written in Russia. Everyone wants the good guys to triumph and I understand why the government wants to achieve this, but it will be extremely difficult.”

James Turner, cyber security analyst at advisory and consulting company IBRS, added: “You can’t build crumple zones into encryption systems because it puts up big neon signs saying there’s a vulnerability.”

Instead of trying to gain access to the encrypted communications, Turner said governments should “aggressively target the endpoints”, especially as services such as Apple’s iMessage were being re-engineered to make encrypted content inaccessible to even Apple itself.

Call for industry consultation

Laurie Patton, executive director of Internet Australia, which represents internet users, said that before taking action, the government should consult widely with the industry to avoid the mis-steps taken with its metadata retention policy.

“There is no doubt that we are now facing serious problems that were unforeseen when the internet was created 25 years ago,” said Patton. “Surely it makes sense to actively involve the people who built the internet, and those who run it from day to day, as we search for ways to avoid its misuse by terrorists and other law-breakers.”

The issue is likely to be on the agenda when Australia’s attorney-general, George Brandis, attends the Five Eyes security conference at the end of this month in Ottawa, Canada.

Responding to a question in the Senate, Brandis said uncovering encrypted communications was not just a job for governments. He said the private sector also had a role to play in an era of ubiquitous encryption, where terrorists are using increasingly encrypted telecommunications to plan attacks.

Read more about cyber security in Australia

  • Australia’s national cyber security blueprint has been a catalyst for improvements in cyber security across the country, but its long-term impact remains to be seen.
  • Australia and Singapore will conduct joint cyber security exercises, among a raft of measures to secure critical infrastructure and bolster cyber security knowhow.
  • Australian enterprises are increasingly investing in security software as the threats to data continue to multiply.
  • Demand for people with the right mix of skills to keep organisations in Australia safe from cyber attack is far in excess of supply.

But WatchGuard’s See warned that even if the Five Eyes were somehow able to access encrypted communications – and reports suggest the US Central Intelligence Agency has cracked iPhone, Android and Windows phones – fresh challenges could emerge.

“There is nothing to stop terrorists from writing their own encryption,” he said. “The source code is open, and the government will never get that.”

Ted Pretty, a former group managing director of technology and product at Telstra and now CEO of Sydney-based security company Covata, said his company supported government initiatives to gain access to encrypted messages in the interests of national security.

“Extending the reach of existing government regulation – which allows for the lawful interception of communications under certain prescribed circumstances – to social media and other means of communication is appropriate as technology changes,” said Pretty.

“That being said, it is always necessary to seek to balance the interests of national security and privacy, and successive Australian governments have a great track record in navigating these issues.”

Read more on Regulatory compliance and standard requirements

Data Center
Data Management