Australia’s legislation, if approved, would likely serve as a test case for the United States and other governments looking to pass similar encryption-breaking mandates. And the pushback from the companies signals the tech industry is digging in for a protracted fight with policymakers who argue the spread of encryption is thwarting investigators in high-stakes criminal cases.
“We believe this is a troubling example and would have negative security impacts,” Eric Wenger, Cisco’s director of cybersecurity public policy, told me. “You’d potentially have a situation where in a liberal democracy, technology is not being built in a way that maximizes security.”
The Australian bill would require companies to provide technical assistance to authorities seeking to retrieve encrypted data they believe is linked to criminal activity. Supporters say strong encryption has hindered law enforcement probes of terrorism, organized crime rings and other criminal enterprises, and argue the bill is essential for protecting public safety and national security.
But tech companies contend the legislation gives authorities overly broad powers that would undercut user privacy and jeopardize security in a range of technologies. “Rather than serving the interests of Australian law enforcement, it will just weaken the security and privacy of regular customers while pushing criminals further off the grid,” Apple said in a recent letter to Australian lawmakers.
Although Australian officials say the bill isn’t designed to get companies to build “back doors” in their products, Cisco, Apple and others say it could do just that. Per Apple’s letter:
“For instance, the bill could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well.”
The companies criticizing the bill represent a cross-section of the tech industry, spanning software and device makers to hardware manufacturers to social networks. They've joined advocacy groups opposing the legislation such as Access Now, projecting a broad united.
The increasingly vocal opposition deepens the divide between the tech industry and a coalition of governments, including the United States, pressuring companies to cooperate with law enforcement on requests for encrypted data.
Just weeks ago, the Five Eyes group of intelligence agencies — which includes Britain, Canada, New Zealand, Australia and the United States — issued a strongly worded joint statement threatening to crack down on companies if they don’t start assisting investigators. “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries,” the coalition said, “we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
U.S. officials will be watching closely how the debate unfolds in Canberra. The Justice Department has expressed a strong interest in passing legislation forcing companies to create encryption workarounds if they continue to resist calls to cooperate with law enforcement.
So far, efforts to move such a bill have stalled in Congress. But fallout from the FBI’s epic legal battle with Apple over access to a terrorist’s encrypted cellphone has kept the issue on the radar, as has a recent court fight in which a judge ruled the government can't force Facebook to break the encryption on its popular Messenger voice app.
— SIGNING OFF: Regretfully, today’s newsletter is my final dispatch for the Cybersecurity 202. It’s been an honor covering this fascinating space for The Post and I wish I could continue, but family obligations are taking me to New York for a new adventure.
When we launched this newsletter back in the spring, my goal was to write cybersecurity stories that were smart but accessible — to break down some of the complex debates about cybersecurity policy in a way that might be equally valuable to insiders and curious newcomers alike. I hope I accomplished that, at least to some degree, and that all our readers opened the Cybersecurity 202 in the morning feeling like they'd learn something new. I’m grateful for all the tips, comments and criticisms I’ve received from the community here over the past six months. They’ve made me a better reporter, and I couldn’t have gotten this newsletter up and running without them.
I’m leaving the newsletter in excellent hands. Bastien Inzaurralde, the Cybersecurity 202’s star researcher, will continue to dig into the day’s most important cybersecurity issues. And my colleague Cat Zakrzewski, The Post’s new tech reporter, will take my place for the time being. I have no doubt they’ll do outstanding work on this high-stakes beat. I’ll certainly be reading — and I hope you will too.
PINGED: State and federal officials exchange election security information more frequently than they did during the past presidential campaign, the Associated Press's Colleen Long reported Thursday. “Election officials and federal cybersecurity agents alike tout improved collaboration aimed at confronting and deterring election tampering,” Long wrote. “Granted, the only way to go was up: In 2016, amid Russian meddling, federal officials were accused first of being too tight-lipped on intelligence about possible hacking into state systems and later for trying to seize control from the states.”
The Department of Homeland Security has reached out to states and offered to help them prevent cyberthreats. “To assist states, Homeland Security offered them vulnerability assessments and help responding to incidents — so far, 37 states have signed up,” Long wrote. “Secretary Kirstjen Nielsen has urged states to make their systems auditable. Her department has funded ‘Albert sensors,’ systems that can detect attempts to hack into networks. So far, 31 states and 61 counties have installed sensors.”
But even though communication has improved, the AP reported that some local officials say they are still in the dark about what actually took place in the past presidential election. “I never received any information and still — to this day — I have no inside access to anything more than what’s reported in the media and the general public on what those threats are,” Kammi Foote, the head of elections in Inyo County, Calif., told Long.
PATCHED: “A former Minnesota FBI agent who shared classified information with the media was sentenced to four years in prison Thursday,” The Washington Post's Rachel Weiner and Ellen Nakashima reported. “Terry J. Albury, who had served in the agency since 2001, admitted earlier this year that he shared secret FBI documents on recruiting informants and threats from an unspecified Middle Eastern country with a reporter. He provided at least 25 documents, 16 of which were classified, according to court documents.”
Here is how Albury seized the documents, according to my colleagues: “Albury would get to work early to photograph documents without being seen, then turn them into new file formats to avoid detection before sending them to the reporter through an encrypted email program and wiping his laptop’s data. Prosecutors say they found 70 documents, 50 of which were classified, on a storage device in a shirt pocket in his home.”
Rachel and Ellen reported that President Trump has scolded Attorney General Jeff Sessions for not being aggressive enough in investigating leaks. “In the past 16 months, the Trump administration has charged five people — two were contractors and one worked for the U.S. Senate — in leak-related cases, though some were charged with lying rather than with disclosure,” my colleagues wrote. “The rate nearly matches that of the Obama administration, which brought five such cases between December 2009 and December 2010 alone.”
PWNED: “Twitter suspended a network of suspected Twitter bots on Thursday that pushed pro-Saudi Arabia talking points about the disappearance of journalist Jamal Khashoggi in the past week,” NBC News's Ben Collins and Shoshana Wodinsky reported. “Twitter became aware of some of the bots on Thursday when NBC News presented the company with a spreadsheet of hundreds of accounts that tweeted and retweeted the same pro-Saudi government tweets at the same time.”
NBC News reported that Josh Russell, an IT professional in Indiana, put together the list of bots. “Russell found the accounts by analyzing a trove of Twitter data and finding accounts that were created on the same date and had similar numbers of followers, tweets and likes,” Collins and Wodinsky wrote. “From there, he compiled a list of hundreds of accounts that tweeted identical tweets at the same time. He called the influence operation a ‘standard’ bot network, but was surprised at how old some of these accounts are.” Some of the accounts dated back to 2011, Russell told NBC News.
“A Twitter employee, who asked not to be identified because the employee was not authorized to speak publicly, said the company was aware of the influence operation and had already suspended even more pro-Saudi government accounts before they were caught by researchers,” Collins and Wodinsky reported.
— “Director of National Intelligence Dan Coats told CyberScoop on Thursday that he’s seen no evidence of Chinese actors tampering with motherboards made by Super Micro Computer, becoming the latest national security official to question a Bloomberg report that stated the company was the victim of a supply chain hack,” CyberScoop’s Greg Otto reported. “‘We’ve seen no evidence of that, but we’re not taking anything for granted,’ Coats told CyberScoop. ‘We’ve haven’t seen anything, but we’re always watching.’ The comments came before a speech Coats delivered at CyberTalks, where the director touched on supply chain threats as one facet the administration is focused on when it comes to cybersecurity threats.”
— Bloomberg News’s Steven T. Dennis reported that Super Micro Computer itself also pushed back on the Bloomberg Businessweek report in a letter responding to questions from Sens. Marco Rubio (R-Fla.) and Richard Blumenthal (D-Conn.). “With respect to the recent media reports, Supermicro has seen no evidence of any unauthorized components in our products, no government agency has informed us that they have found unauthorized components on our boards, and no customer has reported finding any such unauthorized components,” Perry Hayes, president of Supermicro Netherlands, said in the Wednesday letter, as quoted by Dennis.
— “European Union leaders agreed on Thursday to impose sanctions to stiffen their response to cyber attacks and to rush through new curbs on online campaigning by political parties to protect next year’s European polls from interference,” Reuters reported. “German Chancellor Angela Merkel became the latest leader this week to warn against the risk of disinformation and voter manipulation to undermine the May elections to the European legislature. The threat of a special EU economic sanctions regime against computer hackers, including hostile governments and individuals, as well as fines for political parties, will act as a deterrent, European Council President Donald Tusk said after a summit of EU leaders.”
- Palo Alto Networks Federal Ignite 2018 conference in Washington on Tuesday.