The Australian Signals Directorate (ASD) has released a new document that sketches out what it does with vulnerabilities and why it would keep it for its own intelligence work.
The document “Responsible Release Principles for Cyber Security Vulnerabilities” appeared on the ASD’s website on Friday and follows the UK’s November release of spy agency GCHQ's decision-making process for disclosing or withholding vulnerabilities its cyber security researchers find.
Mirroring NSA’s and GCHQ’s stance, the ASD says its "default position" is to release information about vulnerabilities when it becomes aware of them, but states that it will keep them when national security reasons “strongly outweigh” the benefit of disclosing the bug.
“We only retain a vulnerability if the national interest in keeping it strongly outweighs the national interest in disclosing it. This might happen if the weakness allows us to gather foreign intelligence that will prevent a terrorist attack, for example,” it explain.
In weighing up the decision to disclose a bug, the ASD’s says its review committee "carefully considers the likelihood of a malicious actor being able to take advantage of the weakness.”
If it is likely to be exploited by attackers, ASD will report the issue to the affected maker so the bug can be fixed. It also considers what damage could be done if a malicious actor was to exploit it.
If a vulnerability is retained the ASD’s decision is subject to a 12 month review and in that time the intelligence agency “might release security advice that mitigates the weakness” to help businesses affected by its decision.
The decision to keep a bug under wraps or disclose is handled by the ASD’s Equity Steering group, which consists of “working level technical experts”. If that group recommends a bug be retained, an Equity Board made up of seniors executive service officers makes a call on whether to retain or disclose it.
The ASD says all decisions to keep vulnerabilities are reviewed quarterly by the ASD’s Director-General, Mike Burgess.
Other oversight and accountability measures include an annual report to the Inspector-General of Intelligence and Security (IGIS) and a copy is also sent to the Minister for Defence.
The move to explain how the ASD decides what bugs to keep follows the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act), which empowers the ASD and law enforcement agencies to request tech companies assist decrypt encrypted messages.
In the UK oversight of the GCHQ vulnerability equities process is handled by the UK Investigatory Powers Commissioner, who oversees the nation's 2016 UK Investigatory Powers Act, aka the Snoopers' Charter, and law enforcement use of surveillance capabilities enabled by the Regulation of Investigatory Powers Act (RIPA).