How the ASD balances cyber security and offensive operations
- 18 March, 2019 10:01
Once a closely guarded secret, the role of the Australian Signals Directorate (ASD) in what the organisation’s director-general, Mike Burgess, describes as “offensive cyber operations” has been acknowledged by Canberra since 2016.
The “cyber” side of the organisation can be a balancing act, however: The ASD is tasked with helping protect Australia against online threats, but at the same time gather foreign intelligence and wage offensive operations against Australia’s adversaries.
Under Burgess’ leadership, the organisation has been undertaking the most significant transformation in its history, with a new level of independence since its July 2018 transformation into a statutory authority. As part of this new era, Burgess has had a more public role than former ASD leaders and the organisation has been more transparent about its operations.
Now, the ASD, which leads the Australian Cyber Security Centre (ACSC), has revealed details of how it balances the needs of its offensive operations with its efforts to keep networks safe. The organisation last week published an outline of the principles that apply to its decision-making about vulnerability disclosure.
The document says that for the ASD the “starting position is simple: when we find a weakness, we disclose it”.
“As part of our work, we sometimes discover security weaknesses or vulnerabilities in technology that are unknown to the vendor and may pose a threat to Australians and Australian systems,” the ASD said in an outline of its policy posted on its website last week.
“For many years, we have made these vulnerabilities known to vendors so they can patch or otherwise mitigate the threat to their systems and customers.”
However, the document adds, there “are occasions when a security weakness will present a novel opportunity to obtain foreign intelligence that will help protect Australians”.
“In these circumstances, the national interest might be better served by not disclosing the vulnerability,” it adds.
The ASD said its decisions around disclosure are guided by “eight essential principles”:
Security first. ASD’s default position is to release information on vulnerabilities when we become aware of them. Protecting Australians is our top priority.
The national interest. We only retain a vulnerability if the national interest in keeping it strongly outweighs the national interest in disclosing it. This might happen if the weakness allows us to gather foreign intelligence that will prevent a terrorist attack, for example.
Assess the risk. ASD carefully considers the likelihood of a malicious actor being able to take advantage of the weakness. If we assess it is likely a malicious actor will discover and exploit the vulnerability, we will disclose the vulnerability so it can be fixed.
Consider the consequences. ASD carefully considers the potential impact if the weakness is exploited by a malicious actor. Considerations would include who and what could be affected, and how much damage could be done.
Mitigate the threat. If a vulnerability is retained, ASD will do all we can to protect Australian systems from being exploited. For instance, we might release security advice that mitigates the weakness.
Responsible release. ASD works closely with vendors to ensure that patches and other mitigation measures are available before information on a vulnerability is made public.
Regular review. ASD reviews all vulnerability retention decisions on an on-going basis. We do not ‘set and forget’. If the national security imperatives are no longer pressing, we will release the vulnerability.
Rigorous oversight. All of ASD’s vulnerability decisions are subject to independent review by the Inspector-General of Intelligence and Security. ASD submits an annual report covering all vulnerability decisions to the Inspector-General. A copy of this report is also provided to the Minister for Defence.
“ASD acts lawfully and ethically,” the document adds. “We operate within the letter and the spirit of the law. Australians can be assured that each and every decision about a cyber security vulnerability is made meticulously and in the national interest.”