“Underappreciated” consequences of Encryption Bill could damage Australian security industry for years

Two-thirds of Australian technology companies believe the federal government’s new encryption laws will compromise trust in their products and damage their export prospects in the long term, according to new figures from the Australian Strategic Policy Institute (ASPI).

Conducted before the passage of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 in December after token resistance from the Opposition, the new Perceptions Survey was distributed to 512 startups, scaleups, SMEs, large enterprises and peak bodies by industry body the Australian Cyber Security Growth Network (AustCyber).

Of the 63 responding companies, Fully 76 percent of respondents expressed concerns about the bill, with the most common concern – expressed by 81 percent of those respondents – being the lack of clarity around definitions.

Some 73 percent were concerned about conflicts between the new bill and other countries’ laws, while 71 percent were concerned that their products would be perceived by potential customers as being less secure than those from overseas rivals.

Some 65 percent of those believe the laws will negatively impact their business outside of Australia, while 69 percent believe that impact will last more than two years – confirming often-repeated industry concerns that the legislation could be disastrous for ongoing efforts to grow Australia’s $3.2 billion IT/communications export industry.

Local encryption success Senetas, for one, has already raised the possibility that the new laws could drive it offshore.

Security researchers and technology companies have resoundingly slammed the law, with secure-messaging provider Signal – whose technology is used in tools such as WhatsApp – saying that it couldn’t comply with the law even if it wanted to due to the design of its encryption platform.

Some 19 percent of respondents said they were offering encryption products and services, with 27 percent saying they are manufacturing in Australia.

The new ASPI research reflected widespread belief that the impact of the new legislation has been “underappreciated”, AustCyber CEO Michelle Price wrote while noting the “compelling” results of the survey as a clarion call for better communication “across the ecosystem and between government and industry.”

“The public debate,” she wrote, “has resulted in perceptions (and misconceptions) that, if unaddressed, have the potential to harm the economic viability – and growth – of Australia’s cybersecurity sector.”

Fully 51 percent said they are exporting products outside Australia, with an additional 22 percent expecting they would be exporting over the next 12 months.

While many companies are concerned about the impact of the new law, just 22 percent anticipated being asked to assist authorities through the issuance of a Technical Capability Notice (TCN) – an Assistance and Access Bill provision that requires technology companies to help provide access to encrypted messages.

Respondents also slammed the government’s lack of consultation in developing the policy, with only 3 companies saying they had been consulted before the release of the draft bill. And fully 57 percent of respondents said the timeframe they had to respond to public consultations about the draft bill had been inadequate.