Preventing Cybercrime: Australia’s Assistance and Access Act

As organizations and businesses undergo digital transformations, so do criminals and other nefarious actors. In today’s modern era, criminal activity frequently occurs online through digital communication channels, providing avenues for phishing, data loss, and security breaches.

Australia passed the Assistance and Access Act in 2018 to combat cybercrime through digital channels.‍

The Australian Signals Directorate (ASD) stated, “Cybercrime is one of the most pervasive and endemic threats facing Australia and the most significant threat in terms of overall volume and impact to individuals and businesses.” This 2018 regulatory measure enables Australian agencies to conduct specific, appropriate, and monitored surveillance operations to prevent cybercrime.

This blog explores details of the Assistance and Access Act, including key components, directions for compliance, and recommendations for preventing cybercrime in Australia and beyond.

Protect your organization from cybercrime with UpGuard BreachSight >

What is the Assistance and Access Act?

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 is an encryption law that assists the Australian government in addressing challenges posed by digital communications to law enforcement and national security.

The Act grants the Department of Home Affairs the power to request or compel assistance from telecommunications providers and technology companies in accessing encrypted communications. According to the Australian Security Intelligence Organisation (ASIO), over 95% of the most dangerous counter-terrorism targets use encrypted communications, and encryption impacts intelligence coverage in 9 out of 10 of ASIO’s priority cases.

The Act aids law enforcement and security agencies, like the Australian Federal Police (AFP), in intercepting and reading messages exchanged by individuals suspected of criminal activities without compromising the system's overall security.

After Australia passed the Act, there was a significant debate on the balance between national security, individual privacy, and judicial oversight. However, the Australian government has stressed its interest in encrypted communication that conceals illicit activities to avoid criminal laws.

Opponents of the law also cite potential conflicts within the Five Eyes Alliance, reinforcing Australia’s status as a major outlier. All Five Eyes nations—the United States, UK, Canada, Australia, and New Zealand—require judicial authorization for their intrusive intelligence collection powers.

Regular use of encryption as electronic protection, such as online banking or shopping, is not of primary concern in the Act. To reinforce this, the Act includes safeguards between government and industry, such as restricting backdoors and decryption capabilities, preventing the creation of systemic weaknesses, and accessing communication without proper jurisdiction, warrants, or authorisations.

Key components of the Assistance and Access Act

The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include:

• Technical Assistance Requests (TARs): TARs are voluntary requests for assistance accessing encrypted data from law enforcement to teleco and technology companies. Companies are not legally obligated to comply with a TAR but law enforcement sends requests to solicit cooperation.‍
• Technical Assistance Notices (TANs): TANS are compulsory notices (such as computer access warrants) that require companies to assist within their means with decrypting data or providing technical information that a law enforcement agency cannot access independently. Examples include certain source code, encryption, cryptography, and electronic hardware.‍
• Technical Capability Notices (TCNs): TCNs are orders that require a company to build new capabilities that assist law enforcement agencies in accessing encrypted data. The Attorney-General must approve a TCN by confirming it is reasonable, proportionate, practical, and technically feasible.

Several oversight methods, limitations, and safeguards that ensure the government uses the Act responsibly and for its intended purpose are included alongside TARs, TANs, and TCNs. According to evidence from the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in 2020, ASIO has issued “fewer than 20” TARs, the AFP eight, and the New South Wales Police Force thirteen. 

To confirm industry assistance is constructive and does not jeopardize cybersecurity, the Commonwealth Ombudsman and Inspector General of Intelligence and Security exercise extensive independent scrutiny, overseeing the complaints mechanism. The Independent National Security Legislation Monitor also reviews the Act. 

Who must comply with the Assistance and Access Act?

Many organizations must comply with requests and notices issued under the Assistance and Access Act. These organizations mainly include designated communication providers, carriage service providers, and device manufacturers. Some entities may already be required to comply with similar regulations, such as the Telecommunications Act 1997 or the Telecommunications (Interception and Access) Act 1979.

The Act also applies to other companies and organizations in the digital and communications sectors. The Act covers the following areas specifically:

• Teleco service providers:  The Act covers traditional telecos and internet service providers that offer communication services in Australia, ranging from small local service providers to large multinational corporations.
• Technology companies: Any company that develops or supplies software may be required to assist law enforcement agencies, including messaging apps (such as Apple Messenger and WhatsApp), social media platforms, and operating systems. This provision covers many businesses, from startups to global tech companies.‍
• Device manufacturers: Entities manufacturing devices that connect to the internet (including smartphones, tablets, and computers) may be asked to provide technical information or unlock devices.‍
• Related service providers: The act also applies to other entities that provide digital communication services. Examples of related service providers include email services, cloud storage providers, and companies developing, supplying, or maintaining technology used for communications.

The organizations listed above may come across as rather broad. Still, the Act is designed with a broad scope to ensure law enforcement and intelligence agencies have access to a wide range of industry entities. This access provides the necessary tools to tackle cybercrime and national security threats in an increasingly digital world.

Penalties for non-compliance

Complying with the Assistance and Access Act is crucial to ensure that law enforcement agencies can access the necessary information to safeguard national security. The act imposes severe penalties for non-compliance, demonstrating the Australian government's commitment to securing cooperation from telecos, technology companies, and other relevant entities in national security and law enforcement matters.

Penalties for non-compliance with the Act include:

• Financial penalties: Corporations that do not comply with a TAN or TCN may be issued substantial fines of up to 10 million AUD or more, depending on the entity’s revenue and specific violation details.‍
• Daily fines for ongoing non-compliance: Alongside the one-time fines, corporations that remain non-compliant with a notice may be subject to additional daily fines until compliance is achieved. These daily fines apply continuous pressure on non-compliant corporations.‍
• Individual penalties: Within an organization, individuals responsible for non-compliance may also face legal consequences depending on their role in the refusal or failure to comply. These can include fines or potential imprisonment.

The listed penalties ensure compliance with the Act and ongoing collaboration between industry and government to protect national security.

The Assistance and Access Act’s role in preventing cybercrime

The Assistance and Access Act plays a significant role in preventing cybercrime by ensuring law enforcement agencies have all the necessary tools to investigate and counteract various cybercriminals’ activities, including:

• Access to encrypted data: Cybercrime is challenging to combat due to the common use of encryption for secure communication. Encryption is necessary for security but enables criminals to hide their activities. The Act helps law enforcement access encrypted communications with tech providers, aiding in investigating and preventing cybercrime.
• Technical assistance: The Act allows agencies to request or compel assistance from tech companies via TARs, TANs, and TCNs. This assistance can include modifying software or decrypting data, which is vital in tracing cybercriminal activities and gathering evidence.
• Disrupting cybercriminal networks: The Act enables law enforcement to access encrypted communications to identify and disrupt cybercriminal networks. This practice helps to prevent further crimes by understanding the networks' structure, membership, and operations.
• Prevention of cyberterrorism: The Act helps prevent cyberterrorism by allowing the government to access communications related to planning and executing attacks, especially when terrorists use encrypted messaging apps to evade detection.
• Legal framework for digital investigations: The Act provides a legal framework that clarifies the responsibilities of technology providers in assisting with digital investigations, which can speed up the process of obtaining crucial data.

The above tools help dismantle communication channels often used by cybercriminals and reinforce why compliance with the Assistance and Access Act is vital.

Eight steps to comply with the Assistance and Access Act

To prevent non-compliance issues, organizations should take the following steps to ensure compliance with the Assistance and Access Act:

1. Understand the legislation: Before implementing the Act, organizations should seek legal advice to understand how the new law applies to their operations and services. This step may involve consulting legal experts specializing in technology and security laws to interpret how the Act applies to their industry.
2. Assess current capabilities: Review the organization's current technical abilities and processes to determine its capacity to respond to TARs, TANs, and TCNs. This analysis should evaluate encryption practices, data access procedures, and the organization's ability to modify products or services.
3. Designate a compliance officer or team: Consider appointing a dedicated officer or team responsible for facilitating requests under the Act. Provide this team with the authority to make decisions regarding compliance so they can act as liaisons with government agencies.
4. Implement security and privacy safeguards: Ensure your organization has measures to protect user privacy and information security while maintaining compliance with the Act. This compliance step includes minimizing the amount of data collected and stored and implementing security measures like end-to-end encryption and authentication controls to prevent unauthorized data access.
5. Prepare for transparency reporting: Identify how to report any government requests to the public within the legal constraints of the Act. Transparency reporting can help maintain user trust by openly discussing the nature and volume of government requests.
6. Develop internal policies and procedures: Develop or update internal policies and procedures for responding to government requests. Establish clear protocols for identifying the legality and rationale of requests, compliance mechanisms, and timelines for response.
7. Update compliance measures: Regularly review and update compliance measures to reflect technological changes, business practices, and legal requirements. Businesses should also stay informed about any amendments to the Act or related legal interpretations.
8. Engage with legal and technical advisors: Maintain regular communication with legal and technical advisors to navigate complex requests, especially those that impact user privacy or require the development of new features.

Protect your organization from cybercrime with UpGuard BreachSight

Protecting your organization from cybercriminals can feel daunting, but the key is staying prepared—and UpGuard BreachSight is here to help.

UpGuard BreachSight helps you confidently manage your attack surface—allowing you to discover and remediate risks 10x faster with continuous attack surface monitoring. View your organization’s cybersecurity at a glance with our user-friendly platform, which you can also use to communicate internally about risks, vulnerabilities, or current security incidents. Features include:

• Continuous monitoring: Get real-time information and manage exposures across domains, IPs, and employee credentials.‍
• Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting‍.
• Workflows and waivers: Simplify and accelerate how you remediate issues, evaluate risks, and respond to security queries.‍
• ‍Reporting and insights: Access reports tailored for stakeholders and view information about your external attack surface.‍
• Data leak detection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches.‍