How the B-Team watches over Australia’s encryption laws and cybersecurity – ZDNet

The cybersecurity of the Attorney-General's Department (AGD) has not been independently assessed by the Australian Signals Directorate (ASD) despite it being made an action item nearly four years ago.

The nation's Cyber Security Strategy of April 2016 said that government agencies "at higher risk of malicious cyber activity" would receive "independent cybersecurity assessments".

Adiscussion paper[PDF] for the 2020 strategy,releasedin September 2019, reported that "ASD has conducted active vulnerability assessments of a number of key government agencies".

But in written evidence given to the Senate Standing Committee on Legal and Constitutional Affairs this week, AGD revealed it wasn't one of them.

"ASD has not conducted an independent security assessment against Attorney-General's Department networks," it wrote.

"No additional funding has been provided to AGD for cybersecurity remediation activity."

AGD has vastly increased its spend on cybersecurity across the last four years, however.

From a base of AU$47,197 in 2015-2016, when they began tracking the annual operational spending of the IT Security Section, it rose to AU$225,826 in 2016-2017, then to AU$641,985 in 2017-2018. In 2018-2019, it declined slightly to AU$562,222.

"Other sections, projects, and activities make a substantial contribution to improving the overall cybersecurity posture, but are associated to other cost centres," AGD wrote.

But the department declined to answer specific questions about its compliance with theASD Essential Eightcybersecurity controls, citing security concerns.

"Publicly identifying details of any briefings provided to the Attorney-General on cybersecurity vulnerabilities on departmental networks would provide an individualised snapshot in time and may provide a heat map of vulnerabilities for departmental networks, which malicious actors may exploit and thus increase the agency's risk of cyber incidents," it wrote.

It's bad enough that most telecommunications interception warrants arenot approved by judgesbut by members of the Administrative Appeals Tribunal (AAT).

What's worse is that these less-qualified officials can spend mere minutes making their decision with no legal support from AAT staff.

After so little thought, and without further independent oversight, law enforcement agencies are free to use theircontroversial new powersunder the controversialTelecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.

They can issue a "voluntary" Technical Assistance Request (TAR) to get a communications provider to help access the contents of an encrypted communication. Or they can issue a compulsory Technical Assistance Notice (TAN) to the same end.

Someseven TARs or TANs were issuedby law enforcement in the first seven months of the Act's operations. The number issued by the spooky agencies, meanwhile, is unknown.

The concern, first raised byThe Saturday Papera year ago, is that AAT members mightmore readily approve warrantsthan judges, although there's no data on this one way or the other.

There have been concerns that many AAT members are political appointees with no legal qualifications. More than 60% of members appointed since 1 July 2015 are not legally trained, according to further AGD evidence to the Legal and Constitutional Affairs Committee.

And whilesection 5DAof theTelecommunications (Interception and Access) Act 1979states that only AAT members who are "enrolled as a legal practitioner of the High Court, of another federal court, or of the Supreme Court of a State or of the Australian Capital Territory" for at least five years are approved to issue warrants -- a lawyer with five years experience is not a judge.

"Some legal experts argue that judges are more experienced and therefore more qualified to assess warrant applications than a lawyer with five years' practising experience,"The Saturday Paperwrote.

"Key to this is the fact that during these warrant proceedings, there is no party making an opposing argument."

Judges are experienced in weighing up the pros and cons of a case to ensure fairness. Lawyers are experienced at arguing for their client's position. They're not the same.

Also concerning is the amount of support given to AAT members in this role: None.

The Senate was told that "members undertake these functions in a personal capacity (as apersona designata) and not as part of their duties as a member of the AAT".

"AAT staff do not provide any legal support in respect of applications considered by an AAT member under the Act," AGD wrote.

"The AAT and AAT staff provide limited assistance to facilitate the performance of these functions, particularly scheduling appointments."

Those appointments can be very brief indeed.

"Since 1 July 2015 the average (mean) length of all appointments with AAT members for warrant-related purposes is just 18 minutes," AGD wrote.

"The shortest amount of time recorded for an appointment that proceeded is 1 minute. The data is not subject to auditing."

Maybe the members spend hours of their own time wrestling over whether to approve each warrant. On that matter, your writer has a simple response: Prove it.

Either way, it might well be argued that one minute doesn't allow for a serious challenge to a warrant application's claimed merits.

Australia's health sector continues to be the most affected by data breaches, according to the Office of the Australian Information Commissioner (OAIC).

Some58 notifiable data breaches(NDBs) were received by the OAIC between 1 January 2019 and 31 March 2019.

"The OAIC's 2019-20 corporate plan includes a continued focus on the health sector, particularly centred on uplifting the health sector's security posture," it told the Senate this week.

In September 2019, the OAIC released aGuide to Health Privacy.

"[The OAIC] is currently undertaking an associated outreach and social media campaign. This campaign includes the development of a toolkit to assist health service providers improve their information handling practices," it said.

Also during Estimates in November, the OAIC was asked if it was conducting an investigation into an alleged AU$10 million international identity theft scam that had affected several of Australia's largest super funds, including REST Super, AustralianSuper, and HESTA.

"The Information Commissioner has not opened an investigation into the named organisations in relation to the media report of an alleged identity theft scam," the OAIC said.

It did add, however, that the maximum current penalty that the Federal Court can impose for a serious or repeated interference with privacy is AU$2.1 million for a body corporate.

In recent years, the OAIC has found it difficult to process Freedom of Information (FOI) requests promptly. A substantial increase in all types of requests has since widened the gap, resulting inincreased delays and backlogs.

This week the OAIC revealed that meeting the demand for FOI regulatory work would require nine more staff at a cost A$1.65 million a year, plus A$300,000 in the first year for accommodation.

Your writer is of the view that this is back-of-the-couch money, given that it would deliver a significant increase in government transparency.

Visit link:
How the B-Team watches over Australia's encryption laws and cybersecurity - ZDNet