By Mike Burgess
Changes in the global economy are bringing with it a wealth of opportunities for Australia, but we need to be open-eyed on the potential threats to our most important interests, says Mike Burgess, director-general of the ASD.
I’ve had two careers in the Australian Signals Directorate – the first starting in 1995, the other in 2018.
In 1995, the Defence Signals Directorate, as it was known then, was a highly secretive organisation. My own family didn’t really know what I did. In fact, at that point in time, few people had even heard of the directorate.
Early in 1995, I spotted a geeky-sounding telecommunications job advert in a newspaper. Some of you may just remember those days, when online wasn’t yet a thing and jobs were found in the newspaper.
Other than mentioning Defence, the advert did not mention the Defence Signals Directorate. And when I called the telephone number, the person at the other end answered with no more than “hello”. No mention of who they were – an awkward start to a very rewarding 18 years.
When I returned in January this year, ASD was a completely different place. It was emerging from the shadows and cyber was central to that.
ASD’s role in cyber security was well known and the government had chosen to be more transparent about sensitive aspects of ASD’s capabilities. Things like offensive cyber, which had never been discussed before.
And in July this year, ASD became a statutory agency in the Defence portfolio. In effect, ASD had come out of the shadows. And that’s the way I intend it to stay.
In keeping with this, ASD tweeted for the first time today, “Long time listener, first time caller”.
While DSD operated legally and ethically in 1995, there was no specific legislation governing the directorate until the Intelligence Services Act came into force in 2001. Today the Intelligence Services Act and the Parliament’s trust in us is our licence to operate.
ASD began its life in 1947 as the Defence Signals Bureau. Our organisation and our mission-focused culture was born out of the dark days of World War 2, when timely, high-quality signals intelligence often made the difference between victory or defeat.
During World War 2, the Central Bureau’s Fleet Radio Unit Melbourne was charged with intercepting, decoding and reporting on Japanese naval communications with great effect.
After war’s end, the signals intelligence units were quickly disbanded but the Australian Government realised the importance of foreign signals intelligence and communications security – and our heritage of code maker–code breaker began.
So, what hasn’t changed?
In all that time – our core missions have not changed.
We have always been both a foreign intelligence and a security agency. The combination of our ‘poacher’ and ‘gamekeeper’ roles has proven itself again and again.
Organisations that know how to exploit foreign communications, like ASD, are best positioned to protect our own national interests, particularly given the nature of today’s cyber threat.
Our partners in the US, UK, Canada and New Zealand take the same approach for the very same reason. Offence informs defence and defence informs offence – or to put it another way, to best catch a thief, you will need to think like one (or perhaps, be one).
The 2017 Independent Intelligence Review recognised the importance of this, noting it is essential to have a seamless connection between the Australian Cyber Security Centre and the Australian Signals Directorate. That is why today the centre is part of ASD.
ASD’s purpose is to defend Australia from global threats and help advance Australia’s national interests. We do this by mastering technology to inform, protect and disrupt.
Informing – by the covert acquisition of foreign information not publicly available (known in our business as SIGINT, signals intelligence)
Protecting – by comprehensively understanding the cyber threat, providing proactive advice and assistance to improve the management of cyber risk by government, business and the community
Disrupting – by applying our offensive cyber capabilities offshore, to support military operations, counter-terrorism, counter cyber espionage and serious cyber-enabled crime.
Coming out of the shadows doesn’t mean that we will be able to talk about the detail of our operations. Some things will need to remain classified out of necessity.
But it is important that the Australian public know that ASD operations make a real difference every day when it comes to defending Australia from global threats.
It is also important the Australian public trust us. Hence my talk here tonight. ASD operates within the law and for the best interest of Australians.
For example, our counter-terrorism analysts track the communications of extremists who pose threats to our national security. These are clever, curious people who master technology to develop cutting-edge techniques that identify previously-unknown terrorists.
“Our analysts also work hard to secure intelligence leads against offshore criminals who threaten Australian interests. Signals intelligence has helped disrupt major shipments of narcotics into Australia.”
While I can’t share the details here, I can tell you that our intelligence has been used by ASIO, the AFP and others to disrupt attacks that were in advanced stages of planning – here in Australia and against Australian interests abroad.
Our analysts also work hard to secure intelligence leads against offshore criminals who threaten Australian interests. Signals intelligence has helped disrupt major shipments of narcotics into Australia.
And our linguists and analysts have identified key pieces of information that help government agencies secure the safe release of Australian citizens who have been taken hostage overseas.
In a military context – signals intelligence is used to support military operations, enable the war fighter, and protect Defence personnel and assets deployed in harm’s way. And our offensive cyber operators are working closely with military planners to generate cyber effects that disrupt Daesh in the Middle East.
On the cyber security front – our staff in the Australian Cyber Security Centre work around the clock to protect business and the community from the malicious cyber activity targeting our networks. Their objective is to make Australia the safest place to connect online by fostering national cybersecurity resilience.
ASD helped the national census get back online and establish that no data relating to Australians had been compromised. We also provided technical advice to make sure the same-sex marriage survey could be conducted securely.
We bring our intelligence and cyber expertise together to hunt for cyber intrusions on Australian networks. Over the last 12 years, we have discovered some of the most sophisticated cyber threats affecting a range of Australian interests.
We have identified and dealt with hackers on government networks, across the private sector through to academia. Without our efforts, these threats would have certainly been left unchecked and caused major damage to Australian interests.
When you start putting all these examples together, you can understand why our workforce is proud to work at ASD. Why I am proud to lead this great organisation. It’s an organisation of professional, intelligent, curious-minded people who work hard to defend Australia from global threats.
While I am on people, let me briefly talk about the importance of diversity and inclusion and how important initiatives such as the 100 days for change catalyse us all into making practical changes to improve gender equality.
I am proud of the fact that currently 56% of ASD’s senior executive roles are held by women; that’s a 25% improvement since I started in January. This result should be the norm and while I can note this achievement I would also note overall ASD is not where it should be.
Only 34% of our overall positions are held by women. We must do better and we will. We must have full access to the brightest minds across our society. Limiting ourselves is ludicrous.
As part of the 100 days for change initiative:
I have appointed ASD’s inaugural diversity and inclusion adviser
ASD’s enterprise level committees have gender diversity
all ASD civilian roles are flexible, accommodating part-time or full-time working arrangements.
A small but important start – I’m confident we will address this gap.
So, what else hasn’t changed?
“We have no interest in the communications of everyday Australians.”
There is another, even more important, aspect of our mission that hasn’t changed.
Given that ASD’s foreign intelligence capabilities are inherently intrusive, there are special protections that apply to the communications of Australian persons.
These protections apply regardless of where Australians are in the world.
This principle, also enshrined in the Intelligence Services Act, underpins ASD’s operations. It is ingrained in all the decisions we make. As a foreign intelligence service, protecting the privacy of Australian citizens will remain a core tenet of how ASD operates.
The media allegation that ASD was proposing to “spy on Australians” earlier this year could not be further from the truth.
ASD is both a foreign intelligence and a cyber security agency. We care about the threats posed by people and organisations outside of Australia. And we help protect Australian interests from cyber threats. Foreign signals intelligence and cyber security are two separate activities informed by the capabilities of each. We have no interest in the communications of everyday Australians.
ASD’s values haven’t changed – these were put in place over 12 years ago while Steve Merchant was the Director. Values matter – rules guide us when people are watching, values guide us when they’re not.
ASD has five values:
we make a difference
we strive for excellence
we belong to a great team
we are audacious in concept
we are meticulous in execution.
While the articulation of each value is clear, our word picture for each value matters – it says a lot about the people who choose to work at ASD.
‘We make a difference’ is all about giving our customers, those we serve, a critical edge. Critical information and activities that affect operations and policy.
‘We strive for excellence’ is about seeking and fostering talent, being committed and enthusiastic, flexible and responsive – being world class in all we do.
‘We belong to a great team’ is recognition we succeed through teamwork and partnerships, recognising each other’s contribution, supporting and caring for each other and valuing contribution from everyone.
‘We are audacious in concept’, this is about the work that we do, which by its very nature requires ASD staff to operate in the slim area between the difficult and the impossible – and it’s bloody hard.
To be successful, we have to do what others think is impossible.
Last but not least, ‘we are meticulous in execution’. This is about precision and always acting legally and ethically. Being accountable to the public through government for everything we do and managing our risks effectively.
Let me be clear, and say again, we have no interest in the communications of everyday Australians. My workforce are Australians too, and we would not stand for it.
So, what has changed?
The 2017 Independent Intelligence Review has introduced significant change to the Australian intelligence community. While the review found agencies highly capable and staffed by skilled officers of great integrity, a central theme of their report provided a pathway to a higher level of collective performance.
A major recommendation was the Office of National Intelligence be established and that is well underway today with the Director-General of Intelligence, Nick Warner, in place. No single agency in the National Intelligence Community operates in isolation – partnerships and collaborating are critical to our collective success.
In addition to the establishment of ONI, the review also recommended a significant change to the positioning of ASD in the community.
Given ASD’s increased national responsibilities and expertise in cyber security and also mindful of the critical operational capabilities we provide to the Australian Defence Force, the review recommended ASD become a statutory agency within the Defence portfolio reporting directly to the Minister for Defence.
In addition to becoming a statutory agency, the review noted ASD’s priority role of supporting the ADF and recommended the appointment of a senior military officer as the principal Deputy Director-General, and in February this year LTGEN John Frewen was appointed in this role.
The review further recommended:
ASD take formal responsibility for the Australian Cyber Security Centre, and
ASD’s legislative mandate be amended to include the provision of cyber security advice to businesses and the community and provide the legal function to prevent and disrupt serious cyber-enabled crime offshore.
These changes are significant. The ambition and expectations of our ministers are high, and I am confident your expectation is the same.
What else is changing in our world? Firstly, technology
While our values have not changed, technology has. Throughout our history, ASD has reinvented ourselves every decade or so to stay ahead of changes in communications technology.
But over the past decade, technology – the so-called “fourth industrial revolution” – has changed every aspect of our lives. From how we work, shop, manage our money and digest our information, to how we meet our life partners, raise and educate our children, and fight our wars.
We live in a technology-enabled, connected world. With this comes great opportunity and benefits to society and our economy. The rate of change and adoption of technology is unprecedented.
Everything is being digitised, everything is being connected and everything is being controlled by software. And there is no doubt, the full potential of connectivity, technology and software are yet to be fully realised.
However, these same benefits represent a significant risk.
We’ve all witnessed the wholesale theft of data and disruption to business globally in recent years.
For the last 10 years, the intelligence and security world has been focused on dealing with the problem of data theft. Industrial espionage and criminal gangs making serious money.
As the full potential of technology, connectivity and software are further realised, I think it is time we also turn our mind equally to integrity and availability and I will touch on this later.
The successful identification and management of cybersecurity risks across the community, businesses and governments is critically important.
In recent years, we have also seen the increasing use of encryption – an indispensable tool for protecting everything from our bank transactions to national security information.
But this has also presented challenges when it comes to uncovering the secrets of those who pose a threat to Australia’s national security.
In particular, criminals who commit serious offences, who don’t want to be found, hiding in dark places.
Strong encryption is vital to the prosperity of the technology-enabled world we live in, however make no mistake, criminals also benefit from the encryption that protects our very lives.
The ‘internet of things’ is starting to shape all of our lives. From a foreign intelligence perspective, these technologies will provide new ways to detect and track threats. But they also present a much wider surface area to think about from a cyber security and safety perspective.
Cloud, mobility and applications have challenged assumptions about whether geography is meaningful on the internet. Certainly, our targets are finding it easy to obscure their location and identity by using anonymising technologies, like VPNs and the dark web.
From all these benefits and risks, there is also an increase in complexity for those who work in cyber security, foreign intelligence and effects – our world is far more challenging today than in was in 1995, let alone 1947.
Our people are key to mastering technology. We have some of the best and brightest who span several generations, from all walks of life, not just engineers like me – including a large chunk of frighteningly clever millennials. A diversity of talent and a talent of diversity.
Gaining the ability to flexibly recruit, train and retain our specialist staff is one of the major reasons why ASD became a statutory agency.
Strategic and economic power is shifting east. As are the centres of expertise for technology, research and development.
This brings with it a wealth of opportunities for Australia as we advance our digital economy and trade relationships.
However, it also changes the industrial base we rely on for critical infrastructure. We will need to be open-eyed on the potential threats that any significant change of this kind poses to Australia’s most important interests.
It would be naive to think we can manage these strategic and technology risks by holding back change. Like everything, it is a question of finding the right balance between leveraging all the advantages that these new shifts bring – and protecting Australians, our values and our way of life.
These twin themes of technological and strategic economic shifts can be seen in the government’s recent decision to prohibit telecommunications carriers from using high-risk vendors in 5G networks.
This decision, which was not taken lightly, was supported by technical advice from my agency, all elements of my agency. Our intelligence and offensive cyber experts that led the formation of our cyber security advice. Offence informs defence.
Our starting point was that, if 5G technology delivers on its promise, the next generation of telecommunications networks will be at the top of every country’s list of critical national infrastructure.
5G is not just fast data, it is also high-density connection of devices – human to human, human to machine and machine to machine – and finally it is much lower signal latency or speed of response.
5G technology will underpin the communications that Australians rely on every day, from our health systems and the potential applications of remote surgery, to self-driving cars and through to the operation of our power and water supply.
The stakes could not be higher. This is about more than just protecting the confidentiality of our information – it is also about integrity and availability of the data and systems on which we depend. Getting security right for our critical infrastructure is paramount.
Historically, we have protected the sensitive information and functions at the core of our telecommunications networks by confining our high-risk vendors to the edge of our networks.
But the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network.
In consultation with operators and vendors, we worked hard this year to see if there were ways to protect our 5G networks if high-risk vendor equipment was present anywhere in these networks.
At the end of this process, my advice was to exclude high-risk vendors from the entirety of evolving 5G networks.
This is a good example of ASD’s changing role. We are no longer an agency which solely provides best practice advice to network administrators.
We have an important role in advising government how to best navigate major technology and strategic shifts – based on our poacher-gamekeeper expertise. Our work is informed by us mastering technology.
Our trusted adviser role is new and not just for government – providing trusted, timely advice to government, business and the community on cyber security is one my staff and I take seriously and one the Australian Cyber Security Centre will lead on.
We need a different set of capabilities today to face these threats
The big strategic and technology shifts will also pose challenges to our intelligence capabilities and the way we apply them to address emerging threats.
The internet makes it very easy for our targets to use technology to deliberately obscure their location. They are also harder to find as a result of the volume and complexity of the internet.
Indeed, for most internet-based communications, someone’s geographic location is often difficult to discern, regardless of whether the user is trying to evade detection or not.
As a result, fundamental geographic distinctions which have provided the basis for determining where ASD could collect foreign intelligence have now become meaningless.
Determining who was a legitimate offshore foreign intelligence target used to be straightforward when the world’s communications were carried by analogue signalling from point A to point B along copper wires or satellites. That’s no longer true.
In those days a phone was fixed to the wall and its location was a certainty. So, we could reliably identify foreign communications according to the country code and city code of the phone number. And we could quickly narrow down potential threats requiring investigation based on phone numbers belonging to known targets.
In contrast, today’s internet communications don’t always display obvious markers indicating the country or city that the communication originated from. Nor can we assume that a communication is foreign just because it has come from a server overseas. For example, it is not unusual for social media messages between two Australians to transit an offshore server.
As I said earlier, ASD has no interest in communications involving everyday Australians. What ASD cares about is identifying foreign threats to Australia, whether they be:
terrorist threats
cyber threats
foreign espionage or interference.
And one of the most powerful ways to detect such threats is to look for communications that exhibit well-known attributes. It’s the equivalent of creating an electronic fingerprint to identify foreign intelligence.
For example, ASD might build an electronic signature associated with a piece of malware it has seen used overseas and then use this fingerprint to detect this malware being targeted against Australia.
Or ASD might determine communication attributes associated with a certain terrorist group that it can use to detect when these terrorists are communicating online.
These techniques can be used to unambiguously identify potential foreign threats requiring further investigation. They are in effect a marker for foreign intelligence – even in the absence of information that tells us exactly where in the world the communications came from.
In this respect, these techniques are just as powerful as pinpointing foreign intelligence as a phone number belonging to a foreign intelligence target was 30 years ago.
Today, our world is far more complex.
Finally, to the changing world of cyber security
“Technology, connectivity and software hold much promise, but we shouldn’t just look at the benefits – what are the vulnerabilities, what are the risks?”
My assessment is that progress is being made slowly across the world and at home in Australia.
I am concerned many are still distracted by complexity and hype around cyber security. Knowing the value of your data and the digital services you rely on is important and IT hygiene does matter.
While it is pleasing to see businesses talking about cyber security, I am bemused about many businesses getting excited by data analytics, AI, machine learning. More worryingly I’ve heard of board rooms in Australia contemplating the prospect of hacking back to defend themselves against potential attacks.
That should not be part of any organisation’s cyber security strategy; that would be an illegal act here in Australia.
An obligation to protecting corporate assets does not extend to breaking the law. No board or company should spend a dollar on getting advice on hacking back. I’d recommend you assure yourself you have identified and are managing your cyber security risks effectively.
If you are contemplating this, please speak to the Australian Cyber Security Centre, we can either help you focus on what matters, or in the case where your cyber security strategy is world class, we may be able to help you further.
In the majority of hacking cases we investigate, I can tell you the root cause is a known problem with a known fix. ASD’s Essential Eight is advice that makes a real difference when applied.
Now I know for some organisations, the Essential Eight might not always be possible in legacy IT environments. That’s OK, but make sure you then understand your risk, how and when it can be addressed.
Large organisations cannot cry victim in 2018, cyber incidents are foreseeable events.
Technology, connectivity and software hold much promise, but we shouldn’t just look at the benefits – what are the vulnerabilities, what are the risks? This will require my agency to do what it has done for the last 70 years.
As both a poacher and gamekeeper, we know that offence informs defence and defence informs offence. ASD’s strength and capability come from mastering technology and its application.
As the world and the technology continues to change, so must ASD continue to adapt and change.
It is important the Australian public understand why changes are necessary. That would be difficult to do if ASD were to continue to be highly secretive about the nature of its role.
So, expect us to be clearer about how this agency protects Australian interests and any changes to our enabling capabilities.
Of course we will continue to protect many secrets. We will lose our ability to defend from global threats if capabilities are known to those who would do us harm.
Nonetheless, it is important that ASD is transparent about its role, and the protections that apply to Australian citizens. And that these protections are clear on the face of our legislation.
So, as my second career at ASD commences, I want to finish up by relating all this back to a couple of ASD’s core values.
We pride ourselves on being “audacious in concept”. This means we operate in the slim area between the difficult and the impossible.
But we place equal store in the promise that “we are meticulous in execution”. And that means that we always act legally and ethically.
And we are accountable to the government and people of Australia every day to honour this undertaking.
This is an edited version of a speech delivered by Mike Burgess, Director-General ASD, to the National Security Dinner at the Australian Strategic Policy Institute, Canberra, on 29 October 2018.
No comments:
Post a Comment