Tech giants helping government circumvent secure-messaging encryption: minister

Private sector “tremendously important” to helping government protect health records while simultaneously accessing encrypted data, services

Australians can trust the government’s beleaguered My Health Record (MHR) service to secure their private data because it uses encryption, Australia’s minister for cyber security has argued while simultaneously admitting that technology service providers are providing “a high level of cooperation” to help the government circumvent their own privacy protections.

The government was not seeking to decrypt data in motion, minister for law enforcement and cyber security Angus Taylor told attendees at the recent Australian Security Industry Association Limited (ASIAL) security exhibition and conference in Melbourne.

But it was, he added, working with private companies to ensure that it could access those communications once they were decrypted at the receiving end.

“The real challenge is not to decrypt,” he said. “I don’t think we should even think about it that way.”

“The real challenge is to get access to it at a point where it is decrypted – and that is nowhere near offensive to technology service providers as much as us saying that they have to hand over decrypted communications from a device, where their value proposition to the customer is strong encryption.”

That encryption was, for example, helping child sex offenders hide in plain sight – exchanging messages and trading illicit content on “quite obscure” gaming platforms.

“Working with a small gaming application [developer] to get access to decrypted communications at the right point in that communication, is a real challenge,” Taylor said.

“But these [criminal] networks are using technology in ways they have never used it before. And that is as much a capability building exercise for small technology service providers as anything else. To the extent that we can get access to communications in ways that don’t compromise their product, they’re quite happy to work with us.”

Speaking to the government’s ongoing efforts to formalise and centralise its cybersecurity enforcement efforts, Taylor pointed to the successful integration of cybersecurity capabilities into the newly created Department of Home Affairs; the creation of top-level advisory roles; and the seamless integration of responses amongst cybersecurity, intelligence, law enforcement and other organisations.

“Whilst our connected world opens up enormous potential in every aspect of what we do,” he said, alluding to a growing tide of state-sponsored interference facilitated by hacking, “our potential to harness the digital age depends on the trust between us. And there are many out there who want to see the erosion of that.”

“Foreign interference is hardly something new, but the threat we’re facing now is unprecedented.”

That the government is seeking to open access to confidential communications, and to simultaneously convince an increasingly sceptical public that its own MHR system is safe from interference.

Doctors have expressed concern about access to the information and one of the government’s own ministers publicly opted out of the scheme, which could potentially allow for broad reuse of healthcare data and creates a honeypot of information that was certain to be targeted by hackers.

A recent policy document inadvertently revealed efforts to downplay the cybersecurity risk that MHR would create, with committee member Dr Edwin Kruys blogging that “it has been decided that the risks associated with the MyHR will not be explicitly discussed on the website”.

The mixed messages from the government highlight the complex duality of the roles that it must fill, as it seeks to both secure Australians’ healthcare data from cyberattack and ensure that it can access secure data intended for other purposes.

Meeting this challenge would require increasing collaboration between “ham-fisted” government organisations that “tend to be a slow-moving beast”, Taylor said, and the private-sector security industry that has a “tremendously important role to play in supporting this.”

“We will not solve the cybersecurity problem without active involvement from the private sector,” he continued, noting that “most of what the government does is a public-private partnership in one form or another. We just need to be more adept at using technology than our adversaries, than ever before.”

Tags My Health Record

Show Comments