Australia's Business Security Conundrum, Not Just For Technology Companies

As far as laws go, the Assistance and Access Act (in full, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018) passed in Australia before Christmas 2018 has a lot going for it if you want to complain about ill-considered, out-of-touch and over-reaching legislation, but it also gives us a unique opportunity. It is a rare situation indeed where a law has the potential to cause fundamental changes in the day-to-day behaviour of individuals and businesses alike. This law seeks to give law enforcement the ability to access messages or data secured by end-to-end encryption without the target being notified or warned, with the added ability to pass information to foreign governments, and this creates significant risk for other individuals and businesses caught in the crossfire. It has been said "if you are doing nothing wrong, then you have nothing to fear", but this is like saying "if you own nothing of value, then leave your door open": it assumes that only those with authorised legal rights will ever use the power granted through this law and that nothing will go wrong. So where is the opportunity or positive in this law that I mentioned? Well, while this law may be considered unfair and skewed, in the end it is the law, so we must adapt and change as a result, and that gives us the opportunity to change...perhaps for the better even if it doesn't seem that way at first.

I am very proud to be Australian, working in an Australian small business with a focus on community and business alike. Even so, I see this law for what it is. Even though this was not its intent, it is a threat, it is a risk, and it creates a legal attack vector which will never be closed unless there is proof it has been abused, an unlikely scenario given that these attack vectors will often be undocumented, unmonitored and exploited without notice. But change takes time and it is unlikely that this law will be reversed or altered quickly, which is why we should get used to it in the meantime and start protecting ourselves and our businesses accordingly. It is important that we assess this law in terms of what we can do to minimise its impact going forward, and to do this we should treat it very much like any other risk. Let's look at the intent of the law: it attempts to address the problem of accessing data secured by end-to-end encryption, with a focus on messaging and communication services. Encryption forms the backbone of the security measures implemented in any business operating today, and when it is implemented properly its strength rests on the algorithm and the key length rather than on any secret about how it works, which is why the law does not try to break the mathematics at all. Instead, it seeks to compel technology companies, or their individual employees, to comply with instructions to alter their products or services so that law enforcement can conduct targeted surveillance at the endpoint, capturing messages before they are encrypted or after they are decrypted as people type away, without notifying the individuals affected and in most cases keeping the alterations and capabilities hidden. The law further complicates matters for technology companies that must also comply with laws overseas, and it will test them wherever this law conflicts with other key laws, including those protecting privacy.

Knowing the intent of the law, we can now assess how it will impact our lives or our businesses. Essentially, if you have employees who use end-to-end encrypted messaging applications for work or personal use, then you are opening your business up to potential surveillance, although a warrant is still required to access the actual content (no peeking now), which is like having a door closed without a lock. This includes applications that are capable of end-to-end encrypted communication even if that capability is not used extensively. In the case of doctors, medical practitioners and lawyers it is unclear whether the confidentiality between a professional and a client would be respected under this law. Essentially, the law does not appear to discriminate with regard to who the communications are with, only who is under surveillance, meaning that use of these applications for sensitive information or communications is no longer explicitly protected. It is concerning that if an individual were investigated by a foreign government, that government could also request access to data from the Australian Government, which could potentially lead to tainted business dealings, corporate espionage and other side effects, however unintended. As we can see the threats are various and are not restricted to any given device or platform, which may include phones, tablets, smart watches or even smart anything. It has been suggested that smart assistants such as Google Home or Alexa could be used to monitor home environments and take voice recordings, much like a self-funded bug. All of this also presumes that law enforcement is the avenue through which the security breach originates; any capability built for them will in time likely be open to illegal sources as well...

I think we have sufficiently defined our threat and risk, but what now? We look to implement countermeasures or containment to mitigate the risk and, where possible, remove the risk altogether...easier said than done, right? Firstly, I would much prefer to be served a search warrant at my place of business than have someone looking at digital information without telling my business, so that is the goal I drive my business behaviour towards. To achieve this it is essential that my business assess and implement the following solutions:

  • Remove externally hosted communication and messaging services that are not operated in house, such as moving away from cloud-based services that can be altered without my knowledge.
  • Consider implementing internal communication and messaging services on a segregated internal network with no access from the internet.
  • Remove applications, services and devices that might use end-to-end encryption from employees who handle sensitive information.
  • Seek to alter or replace business processes and procedures that previously incorporated end-to-end encrypted applications or services.
  • Seek to engage with outsourced business components and service companies to remove end-to-end encrypted communications from interactions.
  • Devise and employ new communication paradigms to reduce risk to the business, using alternative strategies such as verbal, video and paper-based approaches when sensitive communication is required.
  • Consider whether to ban devices from selected meeting rooms or during sensitive communications.
  • Consider the "working from home" scenario and whether employees need to sanitise their workspace of devices such as smart speakers.
  • Consider "no data" plans for phones used by key employees to minimise the likelihood of security breaches.

By no means is the list above a solution for all, and it is entirely likely that you will identify other risk sources and/or solutions, so I suggest that you test each solution by working your way through the Hierarchy of Controls:

  • Elimination
  • Substitution
  • Engineering controls
  • Administrative controls
  • PPE (not really relevant in this case)

I realise that this sounds like a lot of work and excessive, but this is the opportunity I spoke of: as a business, by seeking to address this threat you will become more robustly secure and protected from legal and illegal threats that use the same attack vectors. You have been given the opportunity to look at the way you conduct business and to implement controls that will make you more aware of technology risks and how they can impact your business as technology becomes more prevalent in our lives. It wasn't long ago that businesses were getting comfortable using cloud technologies and encrypted communications to change the way they do business...it was a nice holiday, but now we have a choice to make. Hopefully this article has given you insights into what you can do to protect your business. It is a more closed-off approach, but when a threat is real I'd rather be cautious than test the alternative...good luck, Generation Y.

If you are interested in finding out more about what we can do for you, then please feel free to visit our main website or contact us. Thank you for your time and for reading our blog post; it would be great if you shared or liked our articles via one of our social media platforms with the @ActsIntuitively tag where applicable.

Brent Webster
Technical Services Manager

ActsIntuitively
Bunbury, WA
info@actsintuitively.com.au
