The Australian Signals Directorate (ASD) is committed to ‘making Australia the safest place to connect online’, working towards this goal through the use of foreign signals intelligence, offensive cyber operations and cyber security. The Australian Cyber Security Centre (ACSC) forms part of the ASD, allowing it to provide expert and trusted advice to governments and businesses.

Does the ASD always disclose cyber security vulnerabilities it discovers?

In its communication Responsible Release Principles for Cyber Security Vulnerabilities, ASD outlines how, as part of its work, it will sometimes discover security weaknesses or vulnerabilities in technology that are unknown to the vendor and that may pose a threat to Australians and Australian systems.

While the default position of the ASD is to disclose such vulnerabilities in the interests of protecting Australia’s security, it states that occasionally “a security weakness will present a novel opportunity to obtain foreign intelligence that will help protect Australians. In these circumstances, the national interest might be better served by not disclosing the vulnerability”.

How does ASD assess whether a vulnerability should be disclosed?

The decision not to disclose a vulnerability is only made after a thorough multi-stage analysis is performed, guided by eight essential principles:

  1. Security first. ASD’s default position is to release information on vulnerabilities as it becomes available, in order to protect Australians and uphold Australia’s national security.
  2. The national interest. A vulnerability will only be retained if the national interest in keeping it strongly outweighs the national interest in disclosing it. For example, the weakness may allow for the gathering of foreign intelligence that can help to prevent a terrorist attack.
  3. Assess the risk. How likely is it that a malicious actor would be able to take advantage of the vulnerability?
  4. Consider the consequences. What is the potential impact if a weakness is exploited?
  5. Mitigate the threat. If a vulnerability is retained, ASD will take measures to prevent Australian systems from being exploited, e.g. releasing security advice that mitigates the weakness without directly disclosing it.
  6. Responsible release. ASD works closely with vendors to ensure that patches and other mitigation measures are available before information on a vulnerability is made public.
  7. Regular review. The decision to retain a vulnerability will be subject to ongoing review, and a vulnerability may be released if doing so no longer presents a significant national security threat.
  8. Rigorous oversight. ASD submits an annual report covering all vulnerability decisions to the Inspector-General of Intelligence and Security.