Sunday, 14 October 2018 17:28

Cisco fears encryption bill will lead to creation of backdoors

Global networking giant Cisco has expressed grave reservations about several aspects of the Federal Government's proposed encryption bill, with the creation of backdoors one of its major concerns.

In a submission to the Parliamentary Joint Committee on Intelligence and Security, which will be holding hearings on the bill — the first is on 19 October — Eric Wenger, director, Cyber Security and Privacy Policy, Global Government Affairs, and Tim Fawcett, head of Government Affairs, Cisco Systems Australia, said the company did not want to have any capabilities in its equipment that were not publicly documented.

They pointed out that since the Bill would, via a technical capability notice, require the creation of a capability, while at the same time preventing the entity being asked to do so from documenting it, the end result would be the creation of a backdoor.

"Building an undisclosed surveillance function — even if mandated by law and intended for use only in specific instances pursuant to a lawfully issued judicial warrant — would violate our public pronouncements to the contrary," Wenger and Fawcett wrote.

Cisco has good reason to be wary of backdoors – in 2014, it was revealed by NSA whistle-blower Edward Snowden that the agency's Tailored Access Operations Unit had backdoored the firmware of Cisco equipment without the company's knowledge, while it was en route to organisations that had been targeted for surveillance.

Under the Bill, companies will be initially requested to co-operate with law enforcement; if they do not, the pressure will be stepped up to force them to help.

First, there will be a “technical assistance request” that allows voluntary help by a company. The staff of the company will be given civil immunity from prosecution.

Next, an interception agency can issue a “technical assistance notice” to make a communications provider offer assistance.

Finally, a “technical capability notice” can be issued by the Attorney-General at the request of an interception agency. This will force a company to help law enforcement, by building functionality.

However, it cannot include the decryption of information or removal of electronic protection in any system.

Cisco recommended changes to the authorities who could issue TCNs and TANs, pointing out that both suffered from a lack of checks and balances to ensure that the steps demanded were "reasonable and proportionate".

"In neither case is a court involved in either authorising the issuance of the notice or in hearing a challenge raised by the DCP [designated communications provider]," the two Cisco officials said.

They said the DCP should be able to seek relief from courts if it believed that the steps required under a TAN were not within its existing capabilities and would require new capabilities. Additionally, if a DCP believed that less intrusive methods, which were less likely to cause a systemic weakness, could meet the government's aims, then it should be able to appeal on that basis.

Cisco also raised concerns around the transparency of the TAN and TCN authorities, saying that the DCPs should be able to report annually on the TANs they received.

Wenger and Fawcett said it was even more disconcerting that any new surveillance capability added to equipment could not be publicised. They said that while the Bill noted that DCPs could not be forced to make misleading statements or engage in dishonest behaviour, if they kept quiet, then previous statements made by them about any surveillance capability would automatically be misleading.

They also said the language used in the Bill could lead to the implementation of cross-border laws in a way that created "untenable conflicts of laws for multinational companies".

"Merely providing immunity from civil suit in Australian courts is in no way the solution to this problem," Wenger and Fawcett said. "Instead, the Parliament should pursue avenues that limit the application of Australia's laws in a manner that avoid adversely impacting their design, development and use globally."

They warned against the adoption of country-specific mandates as it could well end up harming the global competitiveness of Australian businesses and prevent them from gaining access to new technological innovations.

While Cisco welcomed the notion of working across borders to fight crime and terror, the company said it was imperative that such arrangements should not end up becoming "a pathway for the circumvention of national laws that protect civil liberties".

"Therefore, we recommend that the Australian Government clearly articulate as a matter of policy: 1) the Australian Government will not meet requests that it knows to violate restrictions on surveillance in the requesting country; and 2) Australian authorities will not request assistance from other national governments that would violate laws restricting surveillance authorities in Australia," Wenger and Fawcett said.

They also expressed apprehension about the new powers in the Bill allowing authorities to carry out remote access searches and seize digital information, cautioning that this could well lead to the leaking of undisclosed, unpatched vulnerabilities and then to the creation of zero-day exploits.

"The minister should ensure that there is a robust and transparent policy for handling and disclosing these vulnerabilities to vendors capable of responsibly patching them," Wenger and Fawcett said.

"For as certainly as [the leaked NSA Windows exploit] EternalBlue led to WannaCry ransom attacks, government agencies routinely handling vulnerability information without such policies will lead to additional global security crises."

Under the Bill, telecommunications and Internet companies and makers of digital devices will face fines of up to $10 million if they do not help law enforcement agencies gain access to data that the government says is needed for investigating terrorism offences, while individuals will face fines of up to $50,000.

The PJCIS has released a number of submissions that have been made to it ahead of the hearings. The draft of the proposed legislation, officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, was released for public comment on 14 August. The period for comment ended on 10 September.

Home Affairs Minister Peter Dutton introduced the bill into Parliament on 20 September. The Labor Party has advised caution on proceeding with the bill, while the Greens have said that Australian cyber security "will be significantly diminished by undermining the fundamental principles of end-to-end encryption".


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


