A new proposal would give the Australian Signals Directorate access to the IT systems of Australian companies, but the agency didn’t ask for these powers. By Karen Middleton.
Home Affairs pushes for cyber spy powers
The Department of Home Affairs is pushing ahead with moves to expand the powers of Australia’s cyber spy agency, the Australian Signals Directorate, to potentially embed ASD within the corporate computer systems that run the nation’s banks, telecommunications and other critical infrastructure.
The move is designed to protect essential services – including electricity, water, hospitals and transport – from sabotage, terrorism or organised crime by enabling ASD to attack or disable incoming threats when necessary.
There is universal concern in the security community about the seriousness of the cyberthreat. But at senior levels, there are differing views about how best to address it and precisely what extra powers are necessary.
The proposed changes would not only increase the protective and disruptive powers ASD currently has to detect serious criminal activity and cyber attacks from foreign organisations or governments offshore. They would also enable the agency to disrupt activity onshore – a significant extension of the disruption powers it was given in March last year.
Prior to that, ASD was a surveillance-only organisation that worked in conjunction with law-enforcement and other security agencies.
These latest proposed changes give rise to potential privacy and civil liberties concerns. But security sources insist there would be firewall-style protections to keep ASD from accessing Australian consumers’ personal information, unless warrants have been issued relating to particular individuals.
These sources also emphasise that these are not powers ASD has demanded. They are powers that Home Affairs department secretary Mike Pezzullo, as head of the policy-advisory agency, believes ASD needs.
The new powers covering both protection and disruption were the subject of correspondence between Pezzullo and ASD chief Mike Burgess last year that was described in a top-secret-classified note that was leaked to Sydney’s Sunday Telegraph.
The leak was the subject of an Australian Federal Police raid last month on the Canberra home of the news report’s author, journalist Annika Smethurst.
The proposal to proceed with the expansion of ASD’s powers is being generated in Home Affairs. However, it is expected to be presented as a joint submission from several departments whose portfolios would be affected by the changes. It will likely go before the cabinet’s national security committee in coming months.
ASD is already working with the private-sector operators of critical infrastructure on how to more closely collaborate to prevent and respond to attacks on their systems that could cause serious disruption and possibly physical harm. It is starting with the nation’s telecommunications and electricity providers.
Currently, this co-operation takes the form of ASD offering advice and assistance where it detects a company might be struggling to manage a threat or potential threat to its systems. But the companies are not obliged to accept the offer of help.
The proposal to ultimately more deeply enmesh the agency within private-sector corporations would enable ASD to react more quickly to threats. ASD did not initiate the proposal but The Saturday Paper understands that when Pezzullo, as head of the department overseeing domestic security, asked if it had the capacity and legal backing to conduct such work, it indicated it did not and would need extra powers if required to do so.
Mike Pezzullo’s minister, Peter Dutton, has expressed concern about both the risk of cyber attacks facing Australia’s critical infrastructure, most of which is now privately run, and the increasing incidence of child exploitation originating offshore but with images being routed through servers and to viewers in Australia.
Pezzullo told a senate estimates committee hearing in May last year – three weeks after The Sunday Telegraph published the leak – that agencies were “constantly looking at policy and legislative gaps”. He described the questions the security agencies were now being asked.
“Can you, for instance, interfere with, disrupt or degrade a server that is streaming the live torture and abuse of a child? That is not surveillance,” Pezzullo told the committee.
He laid out a circumstance in which intelligence and law-enforcement agencies could not identify who was controlling a set of exploitative images but had information about where the server and administrator were – and knew they were in Australia.
“In those circumstances, there is no lawful authority for any agency to disrupt that network,” Pezzullo said. He said the protection of onshore critical infrastructure “over and above the capabilities and capacities available to the private operators” was another example.
“I’ve asked the Defence Department and the Australian Signals Directorate to look, from a policy and legislative gap point of view, at whether there are gaps whereby no agency at the moment, ASD included, could act on Australian networks to either protect children … or in the case of protection of critical infrastructure,” he said.
There is some frustration within ASD that it has been portrayed publicly as a voracious agency seeking ever-more intrusive powers, when it did not initiate the proposal.
The agency’s remit has traditionally been Defence-related. Increasingly though, it has worked with other agencies and is now the home of the Australian Cyber Security Centre (ACSC), which acts as the hub for Australian cyber combat.
Defence and intelligence specialist Professor John Blaxland, who heads the Strategic and Defence Studies Centre at the Australian National University, says the activities of some foreign states, in particular, require Australia to change its approach. “The bottom line is there are echoes of the kind of Cold War enlistment of industrial support because the scale of the challenge is bigger than government can handle,” Blaxland told The Saturday Paper this week.
“And the approach being taken, particularly by China and Russia, is whole-of-nation because they’re enlisting everything and they’re outpacing the West and that is generating a concern that the post-Cold War ‘she’ll be right, mate’ of the last three decades is hurting us because that’s not the approach they’re taking. As a result, a much more joined-up approach is required.”
Blaxland said he detects an assessment within government that the risk of Australia being subjected to a large-scale, crippling cyber assault outweighs the risks to privacy and civil liberties of “big government” and “big industry” linking their systems. But the specialist, who was recently appointed to write the official history of ASD, warned protections remain important. “There are protections there,” he said. “The question is whether they’re robust enough. There are bounds beyond which industry should not legally operate.”
Blaxland also pointed to the extreme example of what can happen when public and private systems become one. “We’re now in an age of quantum computing,” he said. “What we’re seeing happening in China, its level of surveillance – it’s scary … how much you can do if the state and the private sector join up and work against [their citizens].”
The Saturday Paper has been told the proposed Australian changes would involve strict protections for personal data. Pezzullo has also strenuously denied that what is planned involves mass surveillance of Australians.
As the proposed changes have been explained to The Saturday Paper, a company’s secure core computer system – and its client data – would be like a locked room. Government monitoring and disruption technology would not sit permanently inside the room. Instead, it would be placed alongside the company’s capabilities in a kind of anteroom. This would give the ASD fast access to the metaphorical main room through a doorway that would otherwise be locked.
Former Australian Border Force commissioner Roman Quaedvlieg is among those who believe greater powers are required – along with greater vigilance about their use. “Capabilities are good and you should never dismiss the introduction of a capability for law enforcement [without seeing] if there is a demonstrable benefit,” he says. “But – and this is an inextricable but – the more powerful the capability being considered, the more powerful the checks and balances need to be to ensure accountability.”
Quaedvlieg says without strenuous accountability processes before, during and after action is taken, there is either the potential for complacency “or opportunity for malfeasance”. He says such new powers could create “a vulnerability that can be exploited”.
“The fundamental point is the lack of precision regarding what is proposed about what ASD will actually be able to do on Australian soil,” Quaedvlieg says, adding there need to be clear and proscriptive rules about data access, to avoid “rubbery lines”.
Changes such as those being proposed would allow agencies to act swiftly to protect infrastructure without first having to meet the burden of proof required by a court. “All of which I think is a good thing, provided you’ve got all those checks and balances, because an unchecked, rampant security architecture has the potential to be the thin edge of the wedge,” he says.
Pezzullo has strongly rejected suggestions of overreach. In an address to the ANU’s Crawford School last month, he insisted he was not proposing some kind of “mass trawling of information” and meshing of all government data together, reminiscent of George Orwell’s 1984. In a speech in November to Edith Cowan University in Western Australia, he flagged “broad cross-sectoral collaboration” in cybersecurity, foreshadowing what he called “a rolling reform agenda … to build up our national cyber defences, using all the levers of national power”.
Pezzullo said the threats to which he was most alert were a terrorist-borne nuclear, chemical, biological or radiological attack and a society-wide cyber attack. He said Australians did not appreciate the potential exposure to danger that came through the worldwide connectedness of their devices, systems and networks.
“The first indication of the virtual equivalent of a Luftwaffe bombing raid might well come from the information security ‘war room’ of a major financial institution or a major energy supplier, which might, with appropriate authorities and immunities, cue the cyber Spitfires and Hurricanes of the Australian Signals Directorate – should the relevant legal and constitutional issues be first resolved through diligent and creative policy-making and strategic planning,” he told the audience at Edith Cowan.
Not all senior figures in the security community employ Pezzullo’s forceful rhetoric. ASD director Mike Burgess told the ACSC conference in April last year that his agency would be making a national assessment of cybersecurity. Burgess said it would involve collaboration with major internet service providers and the operators of critical infrastructure to “drive out known problems and identify first-seen more serious threats”. He said a counter-cybercrime campaign would follow, plus moves to reach out and influence behaviour and improvements in cybersecurity across the community, business and government.
The heads of Australia’s most senior intelligence agencies agree that more openness is required to better explain their activities and the reason for their powers. ASD now operates a Twitter account, and this week the head of the Australian Secret Intelligence Agency, Paul Symon, gave his first public interview, recorded for the Australia in the World podcast, by the ANU and the Australian Institute of International Affairs.
Symon insisted there was a strong focus on accountability in both government and the security agencies. “Accountability in the governments that we have in Australia is quite profound,” he said. “I would say that most accountability actually comes from inside the organisation – the scrutiny that we put our people under, the way that proposals come forward, the way that senior officers test all of the underlying assumptions behind plans or proposals that come forward, the way that we have a framework of risk and risk management.”
But for all of their new openness, when The Saturday Paper asked about proposed expanded powers, neither Home Affairs nor ASD wanted to comment.
This article was first published in the print edition of The Saturday Paper on July 27, 2019 as "Home Affairs pushes for cyber spy powers".
A free press is one you pay for. Now is the time to subscribe.