Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Foreign Affairs, Defence and Trade Legislation Committee
23/10/2019
Estimates
DEFENCE PORTFOLIO
Australian Signals Directorate

Australian Signals Directorate

[17.53]

CHAIR: I welcome Lieutenant-General John Frewen, Acting Director-General of the Australian Signals Directorate, and officers of ASD. Lieutenant-General, do you wish to make an opening statement?

Lt Gen. Frewen : Thank you. I will.

CHAIR: Do you have copies of that for distribution?

Lt Gen. Frewen : I do have a copy for you, Chair. I am conscious that you may wish to get straight to questions and that we only have a short time with you here today. I am mindful that we've had some changes in ASD's leadership. I would like to quickly introduce my colleagues and then say a few short remarks.

The committee would be aware that Mr Mike Burgess left ASD in September 2019 to commence as the Director-General of Security. I will act as the Director-General until a replacement has been identified. I'm joined today by Ms Rachel Noble, the head of the Australian Cyber Security Centre, who joined ASD in July 2019 from the Department of Home Affairs to replace Mr Alastair MacGibbon. There is also Ms Hazel Bennett, the Deputy Director-General of Corporate and Capability Group.

ASD first appeared before this committee 12 months ago. The intervening period has seen ASD deliver some significant work against its functions. Our foreign signals intelligence function has continued to deliver intelligence that meets the government's requirements and priorities. Our intelligence work has also continued to support a range of activities that protect the lives of Australians, including providing support for the overseas operations of the Australian Defence Force.

Australia continued to be targeted by a range of actors, who conducted persistent cyberoperations that pose significant threats to Australia's national security and economic prosperity. During the 2018-19 financial year, the Australian Cyber Security Centre responded to 2,164 cybersecurity incidents. In the first quarter of the current financial year, we have seen over 13½ thousand reports of cybercrime made to our new online cybercrime reporting tool, ReportCyber. This is an average of one report every 10 minutes.

As the committee may be aware, since being established as a statutory agency on 1 July 2018, ASD has made a concerted effort to be more transparent about our role and provide a better sense of what we do and why we do it. In August, we published our second corporate plan. Last week, we tabled our first unclassified annual report in accordance with the Public Governance Performance and Accountability Act 2013. While much of what we do needs to remain classified in order to protect our capabilities, we will continue to be as transparent as we can be. We look forward to assisting you today. Thank you.

CHAIR: Thank you.

Senator KITCHING: It is very nice to see you, General Frewen. Thank you for the ASD's time. I will start with some questions about the 2019 CyberCon. Days before CyberCon started, two speakers, Thomas Drake and Dr Suelette Dreyfus of the University of Melbourne, were withdrawn from speaking. The ABC has reported that they were told their talks were incongruent with CyberCon, despite being invited to speak months earlier. Mr Drake's presentation was to address national security and surveillance while Dr Dreyfus's talk explored the use of safe digital dropboxes for anticorruption whistleblowing. Did ACSC, a major sponsor of CyberCon, request the organisers to withdraw Thomas Drake and Suelette Dreyfus as conference speakers?

Ms Noble : Yes, we did. I made that decision.

Senator KITCHING: Had you read their papers prior to requesting the withdrawal?

Ms Noble : The advice that I made the decision on was a proposal for Dr Dreyfus and Mr Drake via VTC to have a panel with Edward Snowdon. That was the first proposal. At that point, my judgement was based on, I guess, the reputation of all of those speakers—that they are known public advocates for unauthorised disclosure or the leaking of classified information outside of legitimate whistleblowing or lawful whistleblowing schemes. So my concern was that, firstly, those presentations weren't consistent with the objectives of the conference, which is actually about cybersecurity and helping Australians raise their awareness and technical knowledge about cybersecurity issues. Secondly, my concern was that there was a risk that those speakers would express views that are inconsistent with Australian government laws and our processes and values.

Senator KITCHING: Thank you very much. I want to go to some questions about the attribution of responsibility for cyberattacks. I will give you a quote from the Minister for Home Affairs first from 12 October. He said:

In a democracy like ours we encourage freedom of speech, freedom of expression, thought etc. and if that is being impinged, if people are operating outside of the law, then whether they're from China or from any other country, we have a right to call that out.

Fergus Hanson, the director of the International Cyber Policy Centre at the Australian Strategic Policy Institute, whom I'm sure you know, points out that the attribution of cyberattacks has come out via media leak. He has cited unauthorised cyberbreaches of, for example, the Australian parliament, political parties, the ANU and military contractors et cetera. Does the Australian government have a formal decision-making framework for attributing responsibility for cyberattacks on Australia?

Ms Noble : Yes, it does.

Senator KITCHING: Can you go through that for me?

Ms Noble : The policy actually belongs to the Department of Home Affairs, and, from an Australian Cyber Security Centre perspective, we're the government techies. Our job in this role is to provide advice to those policy departments, from a technical point of view, about whether or not we have a level of confidence about who to attribute the attack to. From that perspective, it's a matter for the Department of Home Affairs and the Department of Foreign Affairs and Trade, largely, to then provide their advice to the government about how to weigh up economic interest, international relations and so forth. It's on that basis that the government will then make a final decision about whether to attribute publicly a cyber incident to a country.

Senator Reynolds: In addition to that, as Ms Noble has said, public attribution is just one of the many responses Australia has in its toolkit, and not all of Australia's responses to cyberincidents will be made public. The government publicly attributes when it's in our nation's interest to do so. It is very much on a case-by-case basis.

Senator KITCHING: Is it possible to table the policy document from Home Affairs? Or is it also from DFAT?

Ms Noble : My understanding is that the framework is classified.

Senator Reynolds: But that would be a question for Home Affairs, given the policy responsibility lies with them.

Senator KITCHING: The only reason I ask is that it's implemented by the ASD, as the techies, and I just thought you might have a copy of it. I'm happy to put it on notice and go back to Home Affairs. And, obviously, DFAT's here tomorrow, so I can certainly ask them. But you think it's classified, anyway?

Ms Noble : Yes, I'm pretty confident it is and I think it would be better to ask Home Affairs or DFAT.

Senator KITCHING: There was certainly attribution in a Reuters report that it was a state actor in the breach in Parliament House. Are you investigating how Reuters received that information?

Ms Noble : No.

Lt Gen. Frewen : We are not investigating that, no.

Senator KITCHING: Is anyone investigating that?

Lt Gen. Frewen : I'm not aware, Senator.

Senator KITCHING: Who would be responsible for investigating that?

Ms Noble : Normally leaks are referred on the basis that there's clear evidence that there's a classified document, for example, that's entered the public domain. In the Reuters article that you're referring to, I think the quote that I recall was quite general: 'I have heard from five senior officials that this is attributed to a certain state actor.' So, I think it would be very hard for us, or any one department, to refer that in the normal course of things, because there's insufficient information in that article to refer.

Senator KITCHING: It did attribute to China.

Ms Noble : If I recall the article correctly, the journalist claiming to have spoken to five officials didn't, for example, state very clearly that, 'I have access to a classified document from the department of X.' Even if a department were able to refer it, I can't imagine what the law enforcement would investigate on the basis of his claims in that article.

Senator KITCHING: But it wouldn't be government policy to speak to a journalist?

Ms Noble : No.

Senator KITCHING: Is that a risk?

Ms Noble : I think, speaking generally, that's always a risk, and I think, of course, it does happen from time to time.

Senator KITCHING: What are the instances in which you would attribute? Is there a threshold where you think, at 95 per cent, that's pretty certain, or—

Ms Noble : From a technical point of view, our input to that process is as I described earlier. Then it would be a matter for others to weigh up, as I said, other issues like economic interests, engagement, international relations and diplomacy. We, from a technical point of view, would want to have a very high level of confidence.

Senator KITCHING: Is 'very high' able to be given a percentage?

Ms Noble : More than 90 per cent; that's what I would characterise as very high. And we can, from time to time, have that level of confidence.

Senator KITCHING: Has there been an instance where you have attributed officially rather than a journalist being able to say they have spoken with five officials? I'm just trying to think over the last, let's say, calendar year. I'm thinking of the breach in December. Was there any official attribution?

Ms Noble : There has been a number of official attributions to a number of countries. I'm just looking at my notes here. I think the last time was in December 2018, which was an attribution that the Australian government joined in with other international partners. That's the most recent public attribution.

Senator KITCHING: Can I go to some specific instances around where ministers, or certainly parliamentarians, have claimed their social media accounts were hacked. In November 2017, Christopher Pyne, the then Minister for Defence Industries, claimed that his Twitter account had been hacked. My understanding is that he didn't make a public disclosure that he'd gone to the AFP, for example. I don't know whether he did or not, but he didn't say that he was going to. Does the ASD regard the hacking of a senior minister in a defence portfolio as a serious matter?

Ms Noble : Yes, we would, of course. And, unfortunately, from a technical point of view, it's probably surprisingly easy for bad actors or people with malicious intent to do exactly those sorts of things. In fact, in the first three months that we, in the ACSC, have run the ReportCyber portal, which allows all Australians to report incidents of criminality in cyberspace, we've received 13,650 reports in those first three months alone.

Senator KITCHING: Sorry, what was that figure?

Ms Noble : There were 13,650 reports in the first three months since its operation from 1 July. So this is sadly a common occurrence for everyday Australians, let alone people who are of high profile who do and will tend to be targeted more than others.

Senator KITCHING: There are a number of examples of this: there was Mr Pyne, there was Mr Hunt, Ambassador Hockey when he was Treasurer and Prime Minister Morrison claimed his Twitter account had been accessed in April 2016. What is the process? Should one go to the AFP to make a complaint?

Ms Noble : People can do that. They can also make a complaint directly to the police in their jurisdiction, or they can go to ReportCyber, which is an online portal, and make a report to us. We will refer that to the police jurisdiction for law enforcement to look at.

Senator KITCHING: Okay, so I'll leave that there. But could I go back to the attribution. In relation to the breaches of parliamentary security and the recent ANU breach, did you arrive at 90 per cent plus certainty?

Ms Noble : Yes.

Senator KITCHING: So that would mean you'd feel quite comfortable in attributing?

Ms Noble : That's not a decision for us. But, from a technical point of view, we have a very high level of confidence that we know which state actor was responsible for both of those incidents.

Senator KITCHING: So in those instances did you, as the techies, refer to DFAT or to Home Affairs?

Ms Noble : Yes. Those were decisions taken by the government on advice from all of us together—us, from a technical point of view, and then policy advice from Home Affairs and the Department of Foreign Affairs and Trade.

Senator KITCHING: So you advised both Home Affairs and DFAT?

Ms Noble : Yes.

Senator KITCHING: What did they do at that point?

Ms Noble : They provided advice to their ministers, as we would, and then it's a matter for ministers to consult about their view. A decision is subsequently taken by either the relevant minister or, indeed, the Prime Minister.

Senator KITCHING: Maybe I should address this to Minister Reynolds. Minister, are you aware whether that was a decision for the ministers or for Prime Minister in that case?

Senator Reynolds: What I can say, as I said before, is that public attribution is only one tool that the Australian government has to respond to these incidents. In this case, we publicly attribute when it's in our national interest to do so.

Senator KITCHING: And would you say that in both of those? There were two examples there; there was the ANU breach and the parliamentary breach.

Senator Reynolds: All I'm saying is that advice is received—

Senator KITCHING: The test applies to both?

Senator Reynolds: as Ms Noble has said, and then the government make the decision about public attribution in the national interest.

Senator KITCHING: Sorry, just say that last bit again.

Senator REYNOLDS: The government makes a decision about public attribution and whether it is in our nation's interests or not.

CHAIR: It's better sometimes not to let them know that we know.

Senator KITCHING: Wasn't it Sun Tzu—

Senator Reynolds: We've got more than one tool in our toolkit in terms of responses in the national interest.

Senator KITCHING: Sun Tzu said, 'All warfare is based on deception.' I won't take too much time, because we've got Defence Housing before the dinner break, but could I ask about Slack. The Australian Cyber Security Strategy from April 2016 promised to 'establish a layered approach to cyberthreat information sharing' through 'a co-designed online information sharing portal'. The 2020 Cyber Security Strategy paper A call for views reported:

An interim public-private communications platform has been established while a long term solution is created.

Is that right?

Ms Noble : Yes.

Senator KITCHING: Okay, good. Is the 'interim public-private communications' channel Slack? Are you using Slack?

Ms Noble : That's one of our channels. We have quite a number as we work towards a much richer and higher quality ability to share information, particularly with the private sector but also, importantly, with our state and territory governments. We have our cyber.gov.au website, where we make public advisories and threat information. We also have a partner portal. We have Slack, the one you mentioned, which is a cloud based proprietary instant messaging platform. We have an automated threat intelligence sharing capability. We also use email and other dissemination channels. The information-sharing portal that you mentioned is one of the initiatives that was funded in the Cyber Security Strategy 2016. It's an upgrade to the automated threat intelligence-sharing capability that we have now which will allow us to load more data into it. With the threat intelligence-sharing we have now, for example, we can only put in a certain amount of data and we can only put it in Excel spreadsheets, and we often have to share that detailed threat data separately via email. The portal will give us a significant upgrade to that so that the portal itself can have a much richer data set that is being provided automatically. That project is well under way and it will be complete by 30 June next year, which is within the four-year time frame of the forward estimates that the 2016 strategy gave us funding for.

Senator KITCHING: What's the cost over the forward estimates?

Ms Noble : We were given $2.98 million for that upgrade.

Senator KITCHING: Slack isn't encrypted. Are you using that for particular types of communication and using other methods or platforms or apps for other types?

Ms Noble : Yes. We have a number of channels through which we can provide people information, and Slack is one of those.

Senator KITCHING: What would you use Slack for? Are you using that internally on a secure system, if that makes sense?

Ms Noble : I'll have to check whether it's actually encrypted. What we put in Slack are what we call, in technical language, indicators of compromise. For example, if you're looking at source code for this application and you find in that source code the following string, then that string would indicate to you that there is a virus or malicious software operating on your computer. That little string that they might search for is something we would call an indicator of compromise, and that's what we use Slack for.

Senator KITCHING: The upgrade is over the forward estimates, so you'll be finished that in—

Ms Noble : By 30 June next year, 2020.

Senator KITCHING: You've had four years to do it. Is that because you've been availing yourselves of new technology? Why has it taken the four years?

Ms Noble : We've been prioritising our work. We've got a lot of channels through which we can already provide this threat intelligence-sharing information. So it's really been a matter of working through the projects we had on our list. This is going to be one of the last to land because we do have some capability at the moment. In the meantime, we've also done a lot of other initiatives to try and improve our information-sharing, for example. We literally have put out more than 20,000 reports in that period of time, and there are another 44,000 open service reports, for example. So we have a lot of work on our plate.

Senator KITCHING: I'm just looking up Slack in Wikipedia. It doesn't say that it's encrypted. Certainly if you go to their platform—which I'm not sure I'll be able to download, because this is a DPS machine and I don't think they let us download it, otherwise there would be many random applications on these computers—I think you just put in your work email and it says to try it for free. Are you able to take it on notice and see if—

Ms Noble : I certainly can get you more details on how it works.

Senator KITCHING: Thank you. Your cyber.gov.au website also says that you can share cyber threats through the news pages. I think those headings are for news, latest advice and latest threat advice. There have been two reports of latest advice since August 2018—is that correct?

Ms Noble : I'm not sure; I'd have to check the website myself.

Senator KITCHING: I might put some questions on notice about that.

Ms Noble : Sure.

Senator KITCHING: I might stop there. I was just going to compare with the UK's National Cyber Security Centre; it has a weekly update—but I'll put this all on notice. The other thing I would ask is: is it possible for those pages to be in real time?

Ms Noble : We try to keep our website as up to date as we can, with the best threat and advisories possible. But also we are trying to work on quality, as opposed to quantity, and so what you might not see, obviously, on our website, is threat advice going out into the public domain. The value of having these intelligence-sharing and information-sharing portals is that we are able to provide that kind of threat information in real time at a higher quality, which we find that the private sector and our state and territory government partners value more because it has that extra level of sensitive information that actually helps them protect their networks more. So we are shifting towards using those platforms to get that quality advice to them quickly.

Senator KITCHING: If the Slack channel is not encrypted, have any of the threats of compromise or the indicators of compromise been shared on that channel?

Ms Noble : Yes, they would have been—they have been.

Senator KITCHING: If it's not encrypted, is that problematic?

Ms Noble : I think my colleague was just describing to me that there is a level of protection by Slack, but I would like to get you the exact detail on notice.

Senator KITCHING: I might ask the minister for a private briefing!

Senator Reynolds: We'll take that on notice, but I'm sure something can be arranged, Senator Kitching.

Senator KITCHING: Lovely! Thank you. Thank you very much for your time. You do such good work. Thank you.

Ms Noble : Thank you.

ACTING CHAIR ( Senator Fierravanti-Wells ): Does that conclude—

Senator KITCHING: I don't have any more. I'm going to put some questions on notice, but not now.

ACTING CHAIR: That concludes the committee's examination of the Australian Signals Directorate. I thank the officers for their attendance. The committee will now move to its examination of Defence Housing Australia.