We live in interesting times. The recent introduction of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (AA Bill) makes life less interesting and more complicated, especially if you are in the telecommunications, ICT, software or data business. If you want your eyes to glaze over you can read the Act for yourself here, or you may prefer the overview version.
I understand the need and the intent of the legislation. I get that the Australian security agencies need to investigate criminal activity, protect the public and enforce the law. However, I don’t believe the average business that will be impacted by the AA Bill legislation is prepared for what needs to happen if a request for assistance is received and how the process needs to be managed. A number of government agencies can now take advantage of the powers that this new legislation enables. Specific agencies can compel any telecommunications provider, device or application vendor to break software and data encryption.
What processes does an organisation follow when it receives one of the three new tools that agencies can use to request assistance?
The Technical Assistance Request (TAR)
The Technical Assistance Notice (TAN)
The Technical Capability Notice (TCN)
What does an organisation need to have in place to ensure that its own internal controls, governance framework and decision-making parameters are not negatively impacted? I suggest that every business that falls into the nominated category needs to assess the impact on its enterprise architecture and governance framework. Why? Because the Act has the potential to change how the enterprise architecture operates. It also has the potential to impact the trust relationship between a service provider and its customer. The breaking of encryption may have some serious unintended consequences, depending on the type and timing of the encryption. For example, data can be encrypted at rest, at the time of transfer or at specific integration points, to name a few. So at which point is the encryption to be broken? What is the fallout from breaking it at a specific point? These are good questions to ask yourself and your teams.
There are some positive aspects to the legislation, in that a TAR and a TCN must be reasonable and technically feasible. It also has its downsides – a request recipient cannot reveal the existence or non-existence of a request for assistance. Disclosure can result in a fine or jail. A classic carrot and stick approach. All ICT-based organisations need to understand the requirements and implications of what can only be considered a poorly thought through piece of legislation.
If you would like information on how you can determine the impact on your organisation, email us at info@realisingpotential.com.au
Read more on the new legislation. Here are a few informative links:
What (we think) you should know about Australia’s new encryption bill
More information on the bill.