We live in interesting times. The recent introduction of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (AA Bill) makes life less interesting and more complicated, especially if you are in the telecommunications, ICT, software or data business. If you want your eyes to glaze over you can read the Act for yourself here, or you may prefer the overview version.
I understand the need and the intent of the legislation. I get that the Australian security agencies need to investigate criminal activity, protect the public and enforce the law. However, I don’t believe the average business that will be impacted by the AA Bill legislation is prepared for what needs to happen if a request for assistance is received and how the process needs to be managed. A number of government agencies can now take advantage of the powers that this new legislation enables. Specific agencies can compel any telecommunications provider, device or application vendor to break software and data encryption.
What processes does an organisation follow when it receives one of the three new tools that agencies can use to request assistance?
The Technical Assistance Request (TAR)
The Technical Assistance Notice (TAN)
The Technical Capability Notice (TCN)
What does an organisation need to have in place to ensure that its own internal controls, governance framework and decision-making parameters are not negatively impacted? I suggest that every business that falls into the nominated category needs to assess the impact on its enterprise architecture and governance framework. Why? Because the Act has the potential to change how the enterprise architecture operates. It also has the potential to impact the trust relationship between a service provider and its customer. The breaking of encryption may have some serious unintended consequences, depending on the type and timing of the encryption. For example, encryption can be done when data is at rest, at the time of transfer or at specific integration points, to name a few. So at which point is the encryption to be broken? What is the fallout from breaking at a specific point? Good questions to ask yourself and your teams.
There are some positive aspects to the legislation, in that a TAR and TCN must be reasonable and technically feasible. It also has its downsides – a request recipient cannot reveal the existence or non-existence of a request for assistance. Disclosure can result in a fine or jail. A classic carrot and stick approach. All ICT-based organisations need to understand the requirements and implications of what can only be considered a poorly thought-through piece of legislation.
If you would like information on how you can determine the impact on your organisation, email us at info@realisingpotential.com.au
To read more on the new legislation, here are a few informative links:
What (we think) you should know about Australia’s new encryption bill
More information on the bill.