HyperMegaNet

joined 1 year ago
[โ€“] HyperMegaNet@lemm.ee 3 points 8 months ago

I'm not the person you responded to, but the Assistance and Access Act 2018 is probably a good place to start. Here is a page from the Aus Government about it, but the very short version is that the government can ask tech providers to assist them with building capabilities into their systems to allow the government to access data to help with the investigation of certain crimes. In some cases these will be voluntary requests, in other cases they will be requests that must be fulfilled, including asking providers to add capabilities that the government has developed.

There's a lot more detail about it, and the government insists that they won't ask providers to create systematic weaknesses or to decrypt communications entirely, but it's not clear to me exactly how those ideas are actually implemented. Unfortunately, much of the process (likely the entire process) is not made public, so as far as I'm aware there aren't any good examples of requests that the government has made and what sorts of things have or haven't been implemented.

[โ€“] HyperMegaNet@lemm.ee 2 points 11 months ago

Although I might be telling you something you already know (and at risk of sounding really boring); it sounds like what they're really doing here is standing up a system that is certified to handle data up to "top secret" classification. The fact that such a system exists, in and of itself, is clearly not a secret.

There are a huge number of requirements for systems handling data like that, everything from specific requirements for how physical cables are labelled, to which cryptographic algorithms are used for encryption, all the way through to corporate governance and management plans within the organisations that are involved. It is essentially a giant exercise in bureaucratic box ticking (although I can understand why governments want to be thorough about this stuff).

After completing that entire process, what you're left with is usually a fairly standard computer system, plus a whole bunch of assurances that this specific system is okay to use for "top secret" information. The actual capabilities of the system (and certainly the data within it) may well be top secret, but the existence of the system isn't.

It's broadly similar to the GovTeams PROTECTED system. The existence of the system itself is public information, complete with a relatively slick website, but the actual access to the system is controlled. A quick glance at that website makes it clear that GovTeams is essentially just MS Teams / MS365 but certified for "PROTECTED" information. In the same way, I would bet money on it that this "top secret " cloud system ends up just being a fairly standard commercial offering from a major cloud provider (Azure, AWS, etc.) which is approved for storing top secret information after the parties involved complete the required box ticking.