Australia's Intelligence Agency Publishes its Vulnerability Disclosure Process

The Australian Signals Directorate (ASD), Australia's intelligence agency responsible for foreign signals intelligence, has joined America's NSA and the UK's GCHQ in publishing an account of its vulnerability disclosure process. All three agencies are part of the Five Eyes western intelligence alliance -- the remaining two members being Canada and New Zealand.

Australia's process starts with the assertion that its default position is to disclose all vulnerabilities it discovers, so that vendors can develop and issue patches. "Occasionally, however," it adds, "a security weakness will present a novel opportunity to obtain foreign intelligence that will help protect Australians. In these circumstances, the national interest might be better served by not disclosing the vulnerability." This is the same position as that taken by the NSA and the UK's GCHQ -- if the agency believes it can make use of the vulnerability in the service of national security, it will retain it undisclosed for its own use.

The Australian government process (PDF) for deciding to release or retain is described in a brief document (one page of text and two diagrams) titled 'Responsible Release Principles for Cyber Security Vulnerabilities'. Very little detail is provided, and its content can be simply summarized. The default position is to disclose discovered vulnerabilities, unless there is a national security argument for retaining them.

That decision is made by assessing the risk: if it is considered likely that a malicious actor might discover and use the vulnerability, it will be disclosed. If it is retained, the ASD will try to protect Australian businesses. It might, for instance, "release security advice that mitigates the weakness."

The process, says the document, is subject to rigorous oversight -- but the process of oversight and review is an entirely internal process. "All of ASD's vulnerability decisions are subject to independent review by the Inspector-General of Intelligence and Security," it says. "ASD submits an annual report covering all vulnerability decisions to the Inspector-General. A copy of this report is also provided to the Minister for Defence."

This makes the Australian process more like the GCHQ process than the NSA process. The NSA's 'Vulnerabilities Equities Policy and Process' involves multiple agencies and has the provision for an annual report that will be "written at the lowest classification level permissible and will include, at a minimum, an executive summary written at an unclassified level. As part of a commitment to transparency, annual reporting may be provided to the Congress." The ASD reporting is seen only by the Inspector-General of Intelligence and Security and the Minister for Defence.

The GCHQ process, similar to the Australian process, is largely internal to the intelligence agencies and requires no public reporting. However, it has one major difference from the NSA and ASD processes. In the U.S. and Australia, it is the foreign SigInt agencies that hold the key decision-making positions. In the UK it is the domestic cyber agency that holds the key role (the CEO of the NCSC, currently Ciaran Martin, is the final arbiter on the decision to disclose or retain). Since the NCSC's primary role is to keep the UK cyber-safe, it is likely that national cyber-safety will have the edge over the potential for foreign cyber incursion.

It should be noted, however, that despite the different roles, the NCSC is actually part of GCHQ; while this has obvious advantages for information sharing, it also creates the potential for a conflict of interests.

There is one further difference between the NSA and GCHQ approach compared to that of the ASD. Both the NSA and GCHQ say they will not even consider disclosing a vulnerability that has been shared with them by a foreign partner -- that is, shared between each other. This is likely a reflection of the long-standing information sharing agreements between the U.S. and the UK.

There is no such 'sharing' exclusion in the ASD process. This doesn't mean it doesn't exist in practice. With few details, no transparency and only internal reporting described in the process, there is little opportunity to know what actually happens.

Related: Microsoft Proposes Independent Body to Attribute Cyber Attacks 

Related: Microsoft Calls for Cyber Geneva Convention 

Related: Shadow Brokers Release More NSA Exploits

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.