Balancing secrecy and openness: getting it right and getting it wrong

Balancing the protection of sensitive information against openness is a perennial challenge for governments and their national security agencies. Too little disclosure can destroy public trust in institutions. Too much can undercut important capabilities that keep Australians safe.

The Australian defence organisation has struck this balance differently at different times in its history. Since the first principles review in 2016, Defence has come to view disclosure of information about its operations, policies, projects and directions as creating only risk, and so it is reluctant to release anything not required by law.

The high-water mark of this is the recent quarterly performance report from the acquisition part of Defence, which uses so much black ink to redact the text that the link to the document should come with a toner warning and a reorder form.

I suspect that much of the inked-out material on project implementation challenges and issues would be provided publicly in answers by Defence officials to senators’ questions at any estimates committee hearing. But it seems none of this can be provided to the public through an FOI process—an odd and telling indicator of the risk-averse mindset now governing Defence’s public engagement.

No doubt much of the information behind the wall of black ink will appear in the next major projects report from the Australian National Audit Office. Defence must comply with the ANAO's requests for information, and has less discretion to say no than it does when dealing with a member of the public or a journalist.

It's now almost routine that we learn more about Australian defence matters from the US than from our own defence organisation, whether about weapon system acquisitions or, more recently, potential US military infrastructure plans for northern Australia. That's embarrassing and wrong in a liberal democracy.

Which makes what the Australian Signals Directorate did quietly back in March, without anyone outside the tech community seeming to notice, even more surprising than it would be on its own. ASD put a three-page description on its website of how it handles the enormously sensitive question of whether to keep secret a software or system vulnerability it finds, or to reveal it to the vendor so it can be fixed (what security practitioners, borrowing the US term, call a vulnerabilities equities process). The document sets out what ASD calls its 'Responsible release principles for cyber security vulnerabilities'. It's a welcome example of an agency disclosing how an activity of high public interest is conducted while still protecting sensitive classified information.

ASD is Australia's foreign signals intelligence agency, charged with collecting others' electronic signals and information when doing so benefits Australia's national security. But as Australia's cybersecurity agency, ASD also has the role of advising Australian government agencies, businesses and individuals on how to protect their electronic systems and information.

That means ASD is both the poacher and gamekeeper when it comes to the vulnerability of computers and other electronic devices, communications systems and networks—and all the software that operates on them.

How it balances these twin responsibilities when it comes to discovering software vulnerabilities is now clear—because that’s what the document on ASD’s website describes.

It’s a very readable, coherent set of principles, accompanied by two pages of decision flowcharts. It’s even written in plain English that people outside the cyber world can understand.

The publication of the principles is a bit of a contrast to the tech community’s experience with the introduction of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018—dubbed the anti-encryption law in commentary.

The fact that the powers in the act apply only to serious criminal offences (those punishable by three or more years in jail), and are aimed at access to particular persons' communications rather than at systemic weaknesses, is still not well understood.

That’s primarily because, in the absence of solid public disclosure up front, the public narrative about the powers was led by understandably anxious and energised critics. That left the scope and intent of the act unclear, and Australia’s tech companies saw it as a risk to their businesses—including their exports.

In contrast, we know up front that when it comes to software bugs the ASD discovers, its ‘default position is to release information on vulnerabilities when [it] become[s] aware of them’, because one part of its mission is ‘making Australia the safest place to connect online’.

ASD will 'retain a vulnerability' (that is, not make it known to the relevant vendor) 'if the national interest in keeping it strongly outweighs the national interest in disclosing it'. That could be the case, ASD explains, if, for example, the vulnerability 'can be used to gather foreign intelligence to prevent a terrorist attack'.

If it's likely that a malicious actor (state or non-state) could discover and exploit the vulnerability, ASD commits to disclosing it so it can be fixed. That test matters: a bug one team can find, another can find too, and a retained vulnerability stops being an advantage, and becomes a liability for every Australian system that has it, the moment an adversary rediscovers it.

When it decides not to tell the vendor about a vulnerability, ASD takes steps to protect Australian systems from being exploited, including by 'releasing security advice that mitigates the weakness'. These 'vulnerability decisions' are subject to review by Australia's inspector-general of intelligence and security, an official with the powers of a standing royal commission.

All of this adds up to a well-thought-through approach to assessing risks, and a strong bias towards protecting Australian systems operated by government, businesses and families. The fact that ASD has released the detail of how it makes these decisions is a positive step in building trust in this newly independent government agency.

This kind of disclosure, made outside the heat and light of a crisis or other event that spotlights the issue, shows a strong culture of accountability and an understanding that—at a time of declining trust in public institutions—demonstrated compliance with laws and ethics is necessary to retain the public’s support.

Maybe this culture of openness and disclosure can spread to other parts of Australia’s national security apparatus. A more informed and more supportive Australian public would be the result.