It says quite a bit about the shallowness of debate around national security and surveillance in Australia that one of the most alarming extensions of intelligence-gathering powers in recent history has been dropped into public discussion with barely a ripple in the media.
As Crikey noted yesterday, one of the alarming aspects of the proposals to extend the powers of the Australian Signals Directorate to domestic activities is the idea that companies could invite ASD to maintain an active presence within their IT systems in order to protect them against cybersecurity intrusions of the kind plaguing Australian governments, businesses and institutions.
This would be an extraordinary win for the ASD and its Five Eyes partners, offering them access to data that at the moment has to be hard-won through theft and spying. Think of it this way: a major Australian bank, concerned about being targeted by China, invites the ASD to establish a presence within its systems, with unfettered access to every area. Not merely would that provide ASD with access to the financial data of every customer, it would also provide it with extensive commercial data — a window into the operations of every business that used that bank.
Energy companies. Health providers. IT services providers. Infrastructure providers. All of them with colossal amounts of immensely interesting data, all available if they invited ASD in. And customers would never know.
That would increase the risk premium for anyone who uses Australian companies and would prefer the Australian government — and, thus, its Five Eyes partners — not to have access to their information. Australian-manufactured software is now permanently tainted with a Huawei-like stench, given the passage of the government’s anti-encryption bill last year. No one can use a piece of Australian-made software without the suspicion that it has somehow been tampered with by Australian security agencies and the manufacturer gagged from warning them.
Under the new proposal, it will be impossible to use Australian banks or other major companies without the suspicion that ASD has been invited in and has a ringside seat to every piece of data.
As we saw with the encryption debate, the economic damage this will inflict on Australian companies is irrelevant to security officials. The basic method of agencies like ASD is economically damaging: they search for security flaws in widely used software and, when they find them, in at least one in ten cases (according to NSA officials), they don’t alert the manufacturers to the flaws, but instead develop or buy software that will exploit the flaws so that they can penetrate the systems of their targets. The damage done to large companies is irrelevant to them — as Microsoft found out after the NSA lost a trove of exploits, including one that targeted Microsoft products.
In short, the ASD and its Five Eyes counterparts don’t give a damn what damage they do to companies if they can get what they want.
The proposal now being touted, to the apparent non-interest of the media, would introduce a new golden era of corporate and commercial espionage in Australia — and who cares about the damage it would do to Australian businesses.