Australian Signals Directorate will keep security bugs if it’s in national interest

Credit: ID 128782397 © Alexander Yakimov | Dreamstime.com

The Australian Signals Directorate (ASD) has released a new document that sketches out what it does with vulnerabilities and why it would keep it for its own intelligence work. 

The document “Responsible Release Principles for Cyber Security Vulnerabilities” appeared on the ASD’s website on Friday and follows the UK’s November release of spy agency GCHQ's decision-making process for disclosing or withholding vulnerabilities its cyber security researchers find. 

Mirroring NSA’s and GCHQ’s stance, the ASD says its "default position" is to release information about vulnerabilities when it becomes aware of them, but states that it will keep them when national security reasons “strongly outweigh” the benefit of disclosing the bug.

“We only retain a vulnerability if the national interest in keeping it strongly outweighs the national interest in disclosing it. This might happen if the weakness allows us to gather foreign intelligence that will prevent a terrorist attack, for example,” it explain. 

In weighing up the decision to disclose a bug, the ASD’s says its review committee "carefully considers the likelihood of a malicious actor being able to take advantage of the weakness.” 

If it is likely to be exploited by attackers, ASD will report the issue to the affected maker so the bug can be fixed. It also considers what damage could be done if a malicious actor was to exploit it. 

If a vulnerability is retained the ASD’s decision is subject to a 12 month review and in that time the intelligence agency “might release security advice that mitigates the weakness” to help businesses affected by its decision.  

The decision to keep a bug under wraps or disclose is handled by the ASD’s Equity Steering group, which consists of “working level technical experts”. If that group recommends a bug be retained, an Equity Board made up of seniors executive service officers makes a call on whether to retain or disclose it. 

The ASD says all decisions to keep vulnerabilities are reviewed quarterly by the ASD’s Director-General, Mike Burgess. 

Other oversight and accountability measures include an annual report to the Inspector-General of Intelligence and Security (IGIS) and a copy is also sent to the Minister for Defence. 

The move to explain how the ASD decides what bugs to keep follows the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act), which empowers the ASD and law enforcement agencies to request tech companies assist decrypt encrypted messages.

In the UK oversight of the GCHQ vulnerability equities process is handled by the UK Investigatory Powers Commissioner, who oversees the nation's 2016 UK Investigatory Powers Act, aka the Snoopers' Charter, and law enforcement use of surveillance capabilities enabled by the Regulation of Investigatory Powers Act (RIPA). 

 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags department of defenceasdzero day exploit

More about GCHQNSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts