The Weekly Cybers #47
Home Affairs launches a consultation on cybersecurity resilience, a trial shows you can verify a user’s age without recording their ID, and much more.
Welcome, especially all you new subscribers
After all the action last week and a few recommendations by trusted individuals — thank you! — we have a bunch of new readers. So, welcome, but also a small warning.
The Weekly Cybers is...
... a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me.
I use the word cyber in its old sense, which means it’s not about cybersecurity as such, although of course that’s included.
For Australian cybersecurity news may I recommend Risky Business News and Cyber Daily, among others.
Our primary focus here is what’s coming out of Canberra, and because we’re entering the long summer slowdown of government action, we may be a bit thin for the next few weeks — at least in terms of me wanting to spend 600 words on a single topic.
That said, there is indeed a cybersecurity policy story this week, namely the Home Affairs consultation.
There’s also more aftershocks from the social media age restrictions, which are now law but not much is happening yet, and much more.
I’m keen to know what interests you and what doesn’t, so if you ever have any feedback, just reply to this email.
Home Affairs seeks your cybersecurity views
The government has opened a consultation on new policies for cybersecurity resilience.
The first package, part of the Commonwealth Cyber Security Uplift Program, is about the Guiding Principles to embed Zero Trust Culture (PDF).
That’s jargon not for us having no trust in the government, but for a cybersecurity architecture where every component requires every other component to prove its bona fides. It can be summarised as “never trust, always verify”.
Submissions close 28 February 2025.
Next year the government will also be consulting on new versions of the Protective Security Policy Framework, the Whole of Government Gateway Policy, and the Hosting Certification Framework — documents which are of course much-loved by cybersecurity professionals.
All this is part of the 2023-2030 Australian Cyber Security Strategy, which has six shields.
How to prove your age without identification
One of the biggest challenges with the social media age restrictions — apart from whether they should even be a thing at all — is people being able to prove they’re above a certain age without having their identity recorded.
Well, there are ways of doing this, and an international proof-of-concept trial has just confirmed that it works.
According to The Mandarin, tests of Australia’s Digital Trust Service (DTS), run by driver registry peak body Austroads, have shown that the credentials already in digital wallets can be used to verify proof-of-age at point-of-sale transactions without needing additional personal data.
“The issue at hand is not what protocol key identity custodians and registries like those that are members of Austroads use: rather it’s that they can settle on a standard to interoperate, as has already happened for global agreements around transport and logistics that digitise otherwise onerous paperwork.”
Doing this online with a social media platform is another step, of course, but the architectures are being established.
On that point, The Conversation has a backgrounder on the government’s age assurance trials, which are scheduled to provide some answers in about six months.
Meanwhile, the Guardian has a piece on how the social media bans might kill the big dreams of young Australians.
PODCAST DELAYED: I mentioned last week that there’d be an episode of my podcast The 9pm Edict with digital rights enthusiast Justin Warren on the social media age bans and much more. Unfortunately I had to postpone it after suffering some injuries earlier this week. This episode will now appear in your podcast app this coming Thursday 12 December.
Also in the news
- The attorney-general has announced the re-formation of an Administrative Review Council (ARC) to tackle systemic problems with government administration. As InnovationAus notes, this body had been “abolished by the Abbott government in its ‘smaller government’ reform agenda in the 2015-16 Budget — the same Budget that brought Robodebt into being”.
- Services Australia has been caught in yet another debt miscalculation debacle, although this one is only $4.3 billion. Maths is impossible.
- The Australian Competition and Consumer Commission (ACCC) notes that Google’s dominance in general search is yet to be disrupted, despite the rise of generative AI for answering queries.
- Against this background, Assistant Treasurer Stephen Jones announced a proposal to impose fines of up to $50 million on global tech companies who suppress competition. (Full speech.)
- The ACCC has also started measuring satellite broadband speeds for Starlink and NBN Sky Muster in its latest broadband performance report.
- The independent national security legislation monitor, Jake Blight, is wondering whether the Australian Criminal Intelligence Commission (ACIC) really needs hacking powers.
- Former defence secretary Dennis Richardson will review the Australian Submarine Agency (ASA), the organisation overseeing the underwater boats part of the AUKUS project, following growing concerns about its performance.
- The government is emailing people to say that myGovID is now called myID, and you’ll notice “the next time you use the Australian Government’s Digital ID app”. Which is amusing, because this actually happened back on 13 November. Your challenge today, as a normal human being, is to understand the new terms of use.
- The government is supposed to be reviewing the obligations it places on organisations to retain data, whether that’s telco metadata for investigating crime, or financial data for taxation and auditing purposes, whatever. Apparently it’s harder than it sounds, what with vague scope and ambiguous wording of the laws.
- In one of the best document titles of recent times, Australia and the UK have joined forces to combat scams. The title? “Framework for Practical Cooperation between the Australian Communications and Media Authority and the United Kingdom Office of Communications on Cooperation in the Enforcement of Laws on Certain Unlawful Communications and Related Enforcement Priorities”.
- Meanwhile the SMS Sender ID Register announced a few months back, a system whereby telcos check whether messages sent under a brand name match the legitimate sender, is now mandatory.
IF YOU FIND THIS NEWSLETTER HELPFUL, PLEASE SUPPORT IT: The Weekly Cybers is currently unfunded. It’d be lovely if you threw a few dollars into the tip jar at stilgherrian.com/tip.
Elsewhere
By “elsewhere” I mean not in government, or not really about the cybers. The boundaries are blurry, however.
- Papua New Guinea is to have a go at the social media ban for kids thing.
- Telstra bought Boost Mobile for $100 million.
- Criminals are still targeting Australians with celebrity scam ads, despite the additional defences deployed by Google and Meta.
- From The Conversation, “97% of adult Australians have limited skills to verify information online... Our study reveals a large gap between what people say they can do and their actual ability.”
- The FBI has advised Americans to switch to encrypted messaging apps following a massive breach of US telcos by Chinese hackers. The same apps they once hated. Indeed, back in 2012, the FBI and NSA were split over encryption policies.
- Australian National University (ANU) has cut off funding ($) for the Tech Policy Design Centre, although the centre hopes to keep going as an independent not-for-profit.
Inquiries of note
Apart from the Home Affairs consultation mentioned above...
- Treasury launched a consultation on a proposed new digital competition regime for digital platforms. This is based on ACCC proposals. Submissions close 14 February 2025.
What’s next?
Parliament is currently on its long summer break until Tuesday 4 February 2025 — although that doesn’t mean the policy work stops.
Here’s the parliamentary sittings calendar (PDF) for 2025, bearing in mind that it can be changed at any time, and there’s bound to be an election called for 17 May at the latest.
DOES SOMETHING IN THE EMAIL LOOK WRONG? If there’s ever a factual error, editing mistake, or confusing typo, it’ll be corrected in the web archives.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.