Australia's new law forcing the creation of backdoors makes it a weak security link in the global supply chain.

Australian-made software should now be considered a supply chain security threat as a result of the recently passed Assistance and Access Bill (“AA Bill”), which lets the government force Australian software developers to insert backdoors in secret without telling their employer, experts say.

The controversial bill has made waves in Australia, where the local IT industry fears the new law will destroy the growing tech sector in that country. “Australian developers should now be treated with suspicion just like the Chinese,” Alfie John, a security engineer in Australia, tells CSO. “The Australian government want to recruit average IT workers as spies…but the target isn’t a terror organization or an international crime gang. It’s the company they work for. But if they refuse or tell someone about it, they can face jail time. We are essentially spies not by choice [but] with guns to our heads.”

Any software developer under Australian jurisdiction could be forced to comply with such an order, including remote employees, branch office employees, open source contributors, plus any Australian software developers in the US who might want to return home someday.

Mandatory compliance to create backdoors

The new law gives the Australian government the power to issue a technical capability notice (TCN) to compel a tech company, or an employee, to “build a new capability” to give both law enforcement and intelligence agencies access. As a member of the Five Eyes spying alliance, Australia shares the data it collects with the US, UK, Canada and New Zealand.

“I’m Melbourne-based working for a security company,” John says, “and all my colleagues are concerned we may be commandeered into backdooring our service.”

Some AA Bill supporters have argued that a TCN could never be served on an individual employee, but the law is so vague and broad that the possibility cannot be ruled out. “Given the broad definition of acts or things that can be required to be done by a notice,” Elizabeth O’Shea, a Digital Rights Watch board member and lawyer, told ZDNet, “it is not impossible to imagine something like this [a TCN commandeering an employee in secret] happening at some point, so if the drafters did not intend it, they should have drafted it differently.”

Tech companies concerned over security of their software

The uncertainty has North American companies like 1Password worried. “We do not, at this point, know whether it will be necessary or useful to place extra monitoring on people working for 1Password who may be subject to Australian laws,” Jeffrey Goldberg writes in a 1Password blog post. “Nor do we yet know to what extent we should consider Australian nationality in hiring decisions.”

Silicon Valley companies criticized the move. The AA Bill will “potentially jeopardize the security of the apps and systems that millions of Australians use every day,” Amazon, Facebook, Google, Oath and Twitter said in a statement issued by their joint lobbying group DIGI.

Apple said that it “would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat.”

The AA Bill’s TCN provisions appear to be part of a Five Eyes effort to legalize backdoor access to tech companies across all five jurisdictions, UK security researcher Mustafa Al-Bassam at University College London notes in his analysis of the new law.

“We may need to adjust the threat model of software that provides end-to-end encryption to provide greater assurances in scenarios where there is a global active adversary willing to manipulate packets server-side…and where there is a legal authority that can compel companies to modify their software,” Al-Bassam writes.

Companies can deploy technical countermeasures to make it difficult for a commandeered employee to insert a backdoor without the knowledge of management, including tools such as binary transparency, open-source code and reproducible builds, he suggests.

US companies with Australian developers on staff, or who deploy Australian-made software, are now exposed to greater risk of malicious software in their network, and many are left wondering what legal and technical precautions they should take to mitigate that risk. For his part, John wonders how the Australian IT industry can survive.
“Why would anyone buy an Australian service if it could be used to hack their computers/networks?”
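The countermeasures Al-Bassam points to, reproducible builds and binary transparency, can be enforced mechanically at release time. The script below is an added example written for this article; it is not code from CSO, from Al-Bassam, or from any vendor named above. It implements an RFC 6962-style Merkle log with client-side inclusion-proof verification (the structure binary-transparency logs use) and a release gate that accepts a binary only if independent builders reproduced it byte-for-byte and its digest is present in the log under the published root. The artifact bytes, builder names and log entries are constructed placeholders, and the in-memory `TransparencyLog` stands in for a third-party log service.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# RFC 6962 domain separation: leaves and interior nodes get different prefixes,
# so a leaf hash can never be passed off as an interior node (or vice versa).
def leaf_hash(data: bytes) -> bytes:
    return sha256(b"\x00" + data)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: list) -> bytes:
    """Root of an RFC 6962 Merkle tree over already-hashed leaves."""
    if not leaves:
        return sha256(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list, index: int) -> list:
    """Audit path (sibling hashes, leaf to root) showing leaves[index] is in the tree."""
    if len(leaves) <= 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, size: int, proof: list, root: bytes) -> bool:
    """Client-side inclusion check (RFC 9162 section 2.1.3.2); needs only the proof and root."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn % 2 == 1 or fn == sn:
            r = node_hash(p, r)
            while fn % 2 == 0 and fn != 0:  # climb past levels where this node has no sibling
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


class TransparencyLog:
    """Toy append-only log of release digests (constructed stand-in for a real log service)."""
    def __init__(self):
        self.leaves = []

    def append(self, digest: bytes) -> int:
        self.leaves.append(leaf_hash(digest))
        return len(self.leaves) - 1

    def find(self, digest: bytes):
        lh = leaf_hash(digest)
        return self.leaves.index(lh) if lh in self.leaves else None

    def root(self) -> bytes:
        return merkle_root(self.leaves)

    def prove(self, index: int) -> list:
        return inclusion_proof(self.leaves, index)


def verify_release(shipped: bytes, builder_outputs: dict, log: TransparencyLog, published_root: bytes) -> tuple:
    """Return (ok, reason). Refuses a binary unless both controls hold."""
    # Control 1: reproducible builds. Independent builders (different people, different
    # machines) must produce byte-identical output from the same source; one altered
    # build environment then shows up as a digest mismatch management can see.
    digests = {name: sha256(out) for name, out in builder_outputs.items()}
    if len(set(digests.values())) != 1:
        return False, "reproducible-build mismatch between " + ", ".join(sorted(digests))
    expected = next(iter(digests.values()))
    if sha256(shipped) != expected:
        return False, "shipped binary differs from the reproducible build"
    # Control 2: binary transparency. The digest must sit in a public append-only log,
    # proven against the root the log published, so a quiet substitution is not possible.
    index = log.find(expected)
    if index is None:
        return False, "digest not present in transparency log"
    if not verify_inclusion(leaf_hash(expected), index, len(log.leaves), log.prove(index), published_root):
        return False, "inclusion proof does not verify against published root"
    return True, "ok"


# Constructed sample artifacts; real releases would be the actual build outputs.
SOURCE_RELEASE = b"example-agent 1.2.3: deterministic build output (constructed)"
MODIFIED_RELEASE = SOURCE_RELEASE + b"\x00unexpected-extra-section (constructed)"


def demo_log() -> TransparencyLog:
    log = TransparencyLog()
    for older in (b"example-agent 1.2.1 (constructed)", b"example-agent 1.2.2 (constructed)"):
        log.append(sha256(older))
    log.append(sha256(SOURCE_RELEASE))
    return log


def scenarios() -> dict:
    log = demo_log()
    root = log.root()  # the root a client would obtain out-of-band / via gossip
    honest = {"build-farm-a": SOURCE_RELEASE, "build-farm-b": SOURCE_RELEASE}
    return {
        "clean": verify_release(SOURCE_RELEASE, honest, log, root),
        "swapped_binary": verify_release(MODIFIED_RELEASE, honest, log, root),
        "one_builder_modified": verify_release(MODIFIED_RELEASE, {"build-farm-a": SOURCE_RELEASE, "build-farm-b": MODIFIED_RELEASE}, log, root),
        "unlogged": verify_release(MODIFIED_RELEASE, {"build-farm-a": MODIFIED_RELEASE, "build-farm-b": MODIFIED_RELEASE}, log, root),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The `unlogged` case is the one reproducible builds alone do not catch: if the source itself were altered, every honest builder would reproduce the altered binary, so the second control requires the digest to appear in a log that anyone, including the company's own management, can audit. In production the log is run by a separate party, the client fetches the inclusion proof and a signed tree head over the network, and the root is cross-checked against what other clients have seen rather than taken from the same server that serves the binary.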