A Response to Tim Watts’ Ransomware Bill

Proving that government meddling in the private sector’s cyber security practices isn’t a partisan issue, Labor’s Tim Watts, the Shadow Assistant Minister for Cyber Security, has introduced a Bill to force private companies to interact with the ACSC — the Australian Cyber Security Centre — which is part of the ASD, the Australian Signals Directorate.

The obvious problem? The ASD is primarily a spy agency, and the ASD is busily attempting to become more involved in the private sector’s cyber security practices. One doesn’t need to look too far into the future to see the issues with a spy agency becoming more involved with the private sector. In my opinion, the most surprising aspect of the Snowden revelations was the co-operation between government and the private sector, unbeknownst to the public.

In order to minimise mass surveillance, there needs to be a Chinese wall between the government and the private sector when it comes to cyber security; that is, the government should not regulate cyber security.

According to a federal government website, ransomware is already illegal under the Criminal Code Act 1995, which raises the question: Why are the spooks being involved when the police can already act?

The Bill would force private companies — and federal and state government entities — to disclose ransomware payments to the ACSC. The Bill would also allow the ACSC to disclose this information to the public; e.g., through the ACSC’s partner programme’s threat intelligence feed.

Worryingly, Watts said that the Bill is the first step, leaving the door wide open for forcing private companies to further co-operate with the spy agency. Watts’ Bill comes at a time when the ASD is demanding full access to critical infrastructure run by the private sector, under certain circumstances, to respond to cyber attacks.

The Bill highlights a number of repeating themes in my writing:

  1. When the door is opened by the government, there is no going back. Laws are very rarely abolished, and the scope creep, unintended consequences, and bureaucrats’ incentives only push in one direction.
  2. There is a worrying confluence of mass surveillance laws in Australia that intertwine government and the private sector. The proposed regulation of the cyber security industry in Australia will put the government in charge of the very networks and systems to which the ASD would love access, and they’re already demanding access under certain circumstances.

The demands of the ASD to have access to private sector networks, systems, and information are unacceptable, and the Bill needs to die a quick death.