
Australia’s Intelligence Agency Publishes its Vulnerability Disclosure Process

The Australian Signals Directorate (ASD), Australia’s intelligence agency responsible for foreign signals intelligence, has joined America’s NSA and the UK’s GCHQ in publishing an account of its vulnerabilities disclosure process. All three agencies are part of the Five Eyes western intelligence alliance — the remaining being Canada and New Zealand.

Australia’s process starts with the assertion that its default position is to disclose all vulnerabilities it discovers, so that vendors can develop and issue patches. “Occasionally, however,” it adds, “a security weakness will present a novel opportunity to obtain foreign intelligence that will help protect Australians. In these circumstances, the national interest might be better served by not disclosing the vulnerability.” This is the same position as that taken by the NSA and the UK’s GCHQ — if the agency believes it can make use of the vulnerability in the service of national security, it will retain it undisclosed for its own use.

The Australian government process (PDF) for deciding to release or retain is described in a brief document (one page of text and two diagrams) titled ‘Responsible Release Principles for Cyber Security Vulnerabilities’. Very little detail is provided, and its content can be simply summarized. The default position is to disclose discovered vulnerabilities, unless there is a national security argument for retaining them.

That decision is made by assessing the risk (if it is considered that a malicious actor might discover and use the vulnerability, it will be disclosed). If it is retained, the ASD will try to protect Australian businesses. It might, for instance, “release security advice that mitigates the weakness.”

The process, says the document, is subject to rigorous oversight — but the process of oversight and review is an entirely internal process. “All of ASD’s vulnerability decisions are subject to independent review by the Inspector-General of Intelligence and Security,” it says. “ASD submits an annual report covering all vulnerability decisions to the Inspector-General. A copy of this report is also provided to the Minister for Defence.”

This makes the Australian process more like the GCHQ process than the NSA process. The NSA’s ‘Vulnerabilities Equities Policy and Process’ involves multiple agencies and has the provision for an annual report that will be “written at the lowest classification level permissible and will include, at a minimum, an executive summary written at an unclassified level. As part of a commitment to transparency, annual reporting may be provided to the Congress.” The ASD reporting is seen only by the Inspector-General of Intelligence and Security and the Minister for Defence.

The GCHQ process, similar to the Australian process, is largely internal to the intelligence agencies and requires no public reporting. However, it has one major difference from the NSA and ASD processes. In the U.S. and Australia, it is the foreign SigInt agencies that hold the key decision-making positions. In the UK it is the domestic cyber agency that holds the key role (the CEO of the NCSC, currently Ciaran Martin, is the final arbiter on the decision to disclose or retain). Since the NCSC’s primary role is to keep the UK cyber-safe, it is likely that national cyber-safety will have the edge over the potential for foreign cyber incursion.

It should be noted, however, that despite the different roles, the NCSC is actually part of GCHQ; and while this has obvious advantages in information sharing, there is potential for a conflict of interests.

There is one further difference between the NSA and GCHQ approach compared to that of the ASD. Both the NSA and GCHQ say they will not even consider disclosing a vulnerability that has been shared with them by a foreign partner — that is, shared between each other. This is likely a reflection of the long-standing information sharing agreements between the U.S. and the UK.

There is no such ‘sharing’ exclusion in the ASD process. This doesn’t mean it doesn’t exist in practice. With few details, no transparency and only internal reporting described in the process, there is little opportunity to know what actually happens.

Related: Microsoft Proposes Independent Body to Attribute Cyber Attacks

Related: Microsoft Calls for Cyber Geneva Convention

Related: Shadow Brokers Release More NSA Exploits

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
