Defence export review knocks back call for looser crypto research rules

Recommends government consider reintroducing less-restrictive research permits, however

A review of Australia’s defence export regime says the government should consider reintroducing a less-restrictive cryptography research permit scheme. However, it falls short of recommending the kinds of changes to defence export controls sought by researchers.

The government today released the Independent Review of the Defence Trade Controls Act 2012 conducted by Dr Vivienne Thom as well as its preliminary responses to the report’s recommendations.

Cryptography is treated as a ‘dual use’ technology under the DTCA regime, and as such there are limitations on the export of crypto technology. In some circumstances, international collaboration between researchers can be considered a regulated activity under the DTCA.

Currently, the Defence and Strategic Goods List, which implements the export controls, contains an exemption for “basic scientific research”. However, some of Australia’s best known information security researchers used the review process to call for the exemption to be broadened to “fundamental” scientific research.

The current exemption doesn’t apply to research that is undertaken with a specific aim in mind. Submissions from the research and university sectors suggested that the current exemption “is overly restrictive because the vast majority of research, even at the basic and theoretical levels, is performed with the broad objective of a specific application,” Thom’s review noted.

However, the review argued that a “fundamental research” exemption in similar US export regulations is “caveated and not universally applicable” and a direct comparison between the US and Australian regimes was “not possible or useful”.

“While the Review accepts that the exemptions in Australia may not align exactly with those in the United States, it was not persuaded that a case to amend the ‘basic scientific research’ exemption has been made out at this stage,” Thom’s report states.

However, Thom did recommend that the Department of Defence should formally evaluate a two-step cryptography permit trail launched in 2017.

“The evaluation should consider whether an alternative approach would be preferable and explore whether the clarification of existing thresholds would be sufficient or whether legislative amendment is required,” the review stated.

The two-step permit allowed a general research permit to be obtained allowing a broad range of collaboration with researchers in countries not subject to sanctions. A second permit was only required to be obtained in limited circumstances (enabling “more sensitive projects and collaborations to proceed under a tailored permit that will be crafted to address the identified level of risk,” according to the Defence Export Controls office).

The trial ended in December last year, leaving researchers concerned about the impact on their research.

The Department of Defence has indicated it will consider reintroducing two-step permits. It its initial response to the Thom review, the government said Defence would “undertake an internal review of the two-step cryptography permit in 2019 to determine its continuing viability for both Defence and affected stakeholders.” “Defence will consult any proposed actions regarding the permit,” the document added.

“Comments at the roundtables supported the proposition that collaboration in cryptographic research of the type that did require permits in Australia did not require permits in other countries, including the United States,” Thom's report states.

“It was not possible for the Review to verify this anecdotal evidence by examining the US legislation because of the complexity of, and interaction between, the various regulations and arrangements (including exemptions) that are in place between the US Government and various US research institutions,” it adds.

However, the report says that the review “accepts the proposition that Australian cryptographic researchers should be subject to similar, but not more severe, regulatory constraints as their counterparts in the United States” but “cannot make any specific recommendation to amend the DTC Act to achieve this because of the dependence on the DSGL (a multilateral instrument).”

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cryptographycyber securitydepartment of defence

More about AustraliaDepartment of Defence

Show Comments