Brandis' cyber security redemption

Attorney-General George Brandis has once again managed to inflame the Australian tech community through another ill-conceived piece of legislation that will make it a crime to re-identify de-identified data.

Despite a quick attempt to soothe the irate by promising to exempt researchers from criminal prosecution, the government has only a laundry list of past clumsy technology laws to blame for the scepticism about Brandis' pledges that remains.

Take Australia’s new Defence Trade Controls Act, which is aimed at limiting proliferation of “dual use” technology, including software and research efforts. This may at first seem reasonable enough; that kind of stuff needs to be kept safe.

But what isn't reasonable is achieving those ends by forcing researchers to apply for permits from the Department of Defence before they share new ideas.

In fact, 'totally unreasonable' would be the way to describe the penalties of up to $400,000 and up to ten years in prison that researchers who do not apply for permission face under the DTCA before sharing ideas.

This kind of 'check with us first' approach also shone through last year when Brandis announced he wanted to force telcos to hand over details of network changes and procurement plans so the AGD can decide whether there are espionage and sabotage vulnerabilities.

Unsurprisingly, the telco industry wasn't too keen on what it labelled "unjustifiably, significant additional and intrusive powers", on top of the mandatory data retention, website blocking and a potential piracy blocking code the industry has been lumped with since 2013.

Across the Tasman, New Zealand was not so long ago at the forefront of internet-scale software defined networking. World-beating stuff, with big test networks that spanned the Pacific.

I say was, because the academic researchers that were sponsored by Google couldn’t comply with the country’s new cybersecurity law - which requires network operators to notify the NZ government of configuration changes for vetting and approval work with SDN - in time. This bureaucratic process can take weeks.

The point of SDN is that you can, and will, make network changes as frequently as every second. If government bureaucrats have to be notified of the changes and approve them, well, SDN on an internet scale isn’t going to work.

WIth no clarity provided on whether or not they risked breaking the law, the researchers moved the project to Five-Eyes partners Australia and the USA.

What the above examples tell us is that often when governments legislate to prevent infosec threats, they silence or export research capability that’s crucial to security, or hinder fast response.

It means those that continue to do the research are the bad guys, leaving the government with a bullet-shaped hole in its foot.

Brandis did, however, acknowledge that there is a need for research to test things like how effective de-identification of data really is for protecting privacy (spoiler: not terribly, the US government concluded in May 2014 [pdf]).

So how do we ensure the people performing that research are protected?

How about guarantees that it won’t be the Australian Federal Police that decides after publication if a piece of security research qualifies in the government's eyes as research?

Or immunity from revenge prosecution by red-faced government agency and private sector players whose systems have been found to be weak?

Brandis has the opportunity to somewhat redeem himself in the eyes of the Australian technology sector after a series of ill-received legislative changes.

The new amendments to the Privacy Act need to be drafted in a way that doesn't require researchers to take legal advice before they commence their studies.

The more time critical systems plod along with vulnerabilities that have only been noticed by the bad guys, the worse the impact for all of us.