Australia’s signals intelligence agency has outlined publicly for the first time how it decides when to make a security vulnerability public, and when to keep it secret and later use it as an offensive capability.
As part of a new push for more transparency, the Australian Signals Directorate (ASD) posted a document outlining the steps the agency takes to determine whether a security weakness or vulnerability it has found should be kept secret for the purposes of “obtaining foreign intelligence”.
“For many years, we have made these vulnerabilities known to vendors so they can patch or otherwise mitigate the threat to their systems and customers. Our starting position is simple: when we find a weakness, we disclose it,” the ASD said in the document.
“Occasionally, however, a security weakness will present a novel opportunity to obtain foreign intelligence that will help protect Australians. In these circumstances, the national interest might be better served by not disclosing the vulnerability,” it said.
“The decision to retain a vulnerability is never taken lightly. It is only made after careful multi-stage expert analysis, and is subject to rigorous review and oversight.”
The revelation is hardly a surprise to anyone actively working in cyber. Or who watches spy movies. But the public nature of the disclosure is new.
The ASD has an eight-step process in deciding whether to make a vulnerability public, centred on a single objective: “ensuring the safety and security of Australia and Australians.”
Even if the weakness or vulnerability could assist the agency in gathering intelligence, the ASD will only keep it secret if the benefit is greater than the risks.
“We only retain a vulnerability if the national interest in keeping it strongly outweighs the national interest in disclosing it. This might happen if the weakness allows us to gather foreign intelligence that will prevent a terrorist attack, for example,” it said.
“ASD carefully considers the likelihood of a malicious actor being able to take advantage of the weakness. If we assess it is likely a malicious actor will discover and exploit the vulnerability, we will disclose the vulnerability so it can be fixed.”
These decisions are also subject to independent review by the Inspector-General of Intelligence and Security, and regular reports are handed to government.
“ASD reviews all vulnerability retention decisions on an ongoing basis. We do not ‘set and forget’. If the national security imperatives are no longer pressing, we will release the vulnerability,” the agency said.
“ASD acts lawfully and ethically. We operate within the letter and the spirit of the law. Australians can be assured that each and every decision about a cyber security vulnerability is made meticulously and in the national interest.”
Late last year the ASD marked a change in direction, with a new focus on having a public presence.
ASD director-general Mike Burgess signalled a new intent for the agency to be involved in public debates and be more transparent about its operations.