Balancing the protection of sensitive information against openness is a perennial challenge for governments and their national security agencies. Too little disclosure damages public trust in institutions. Too much undercuts important capabilities that keep Australians safe.
Subscribe now for unlimited access.
$0/
(min cost $0)
or signup to continue reading
The Australian defence organisation has struck this balance differently at different times over its history. Since the first principles review in 2016, Defence has come to view disclosure of information about its operations, policies and projects as just creating risk, and so is reluctant to release anything not required by law.
A high point of this is a recent quarterly performance report of Defence's acquisition organisation-which uses so much black ink to censor the text that a toner warning and reorder form should accompany the link to the document.
Much of the inked-out material on project implementation challenges and issues would be provided publicly in answers by Defence officials to senators' questions at any estimates committee hearing. But it seems none of this can be provided to the public through an FOI process - an odd and telling indicator of the risk-averse mindset now governing Defence's public engagement.
And a lot of very similar information to that behind the wall of black ink will almost certainly be in the next major projects report from the Australian National Audit Office. Defence has less discretion to say no to the ANAO than it does when dealing with a member of the public or a journalist.
Which makes what the Australian Signals Directorate did quietly back in March - without anyone outside the tech community seeming to notice - even more surprising than it would be on its own.
READ MORE:
ASD put a three-page description on its website of how it tangles with the enormously sensitive issue of whether to keep a software or system vulnerability it finds secret or to reveal it to vendors to get it fixed.
The document sets out what ASD calls its "Responsible release principles for cyber security vulnerabilities". It's a welcome example of an agency disclosing how an activity of high public interest is conducted while also protecting sensitive classified information.
As Australia's cyber security lead agency and collector of foreign electronic intelligence, ASD is the poacher and gamekeeper when it comes to the vulnerability of computers and other electronic devices and networks -and all the software that operates on them.
How it balances these twin responsibilities when it comes to discovering software vulnerabilities is now clear - because that's what the document on ASD's website describes.
It's a very readable, coherent set of principles, accompanied by two pages of decision flowcharts, written in plain English people outside the cyber world can understand.
Publishing these principles is a bit of a contrast to the tech community's experience with the introduction of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 - dubbed the anti-encryption law in commentary.
The fact powers in the act relate to serious criminal offences punishable by three or more years' jail time, and are focused on access to particular persons' communications, not systemic weaknesses, is still not well understood. That's partly because, in the absence of solid public disclosure up front, the public narrative about the powers was led by understandably anxious and energised critics.
In contrast, we know up front that when it comes to software bugs ASD discovers, its "default position is to release information on vulnerabilities when [it] become[s] aware of them", because one part of its mission is "making Australia the safest place to connect online".
ASD will "retain a vulnerability" - that means not make it known to the relevant vendor - "if the national interest in keeping it strongly outweighs the national interest in disclosing it". That could be the case, ASD explains, if, for example, the information "can be used to gather foreign intelligence to prevent a terrorist attack".
When it decides not to tell the vendor about a vulnerability, ASD takes steps to protect Australian systems from being exploited-including by "releasing security advice that mitigates the weakness".
These "vulnerability decisions" are subject to review by Australia's inspector-general of intelligence and security, an official with the powers of a standing royal commission.
This disclosure, made outside the heat and light of a crisis or other event that spotlights the issue, shows a culture of accountability and an understanding that - at a time of declining trust in public institutions - demonstrated compliance with laws and ethics is necessary to retain the public's support.
Mike Burgess, the head of ASD who the government has just announced will move to head up ASIO, has been a driving force for greater openness from this most secretive of government intelligence agencies. ASD's first tweet happened under his leadership - "Hi internet, ASD here. Long time listener, first time caller."
Mr Burgess will no doubt bring the same culture of openness and disclosure to ASIO, building on current head Duncan Lewis' work to be a voice of reason in a quite noisy public debate about secrecy and openness.
Hopefully his demonstration of this more open approach will be catching across other parts of Australia's national security community. A more informed and more supportive Australian public would be the result.
- Michael Shoebridge is the director of defence, strategy and national security at the Australian Strategic Policy Institute
