Balancing secrecy and openness: getting it right and getting it wrong
The Strategist (ASPI), 6 August 2019

Balancing the protection of sensitive information against openness is a perennial challenge for governments and their national security agencies. Too little disclosure can destroy public trust in institutions. Too much can undercut important capabilities that keep Australians safe.

The Australian defence organisation has struck this balance differently at different times over its history. Since the first principles review in 2016, Defence has come to view disclosure of information about its operations, policies, projects and directions as just creating risk, and so is reluctant to release anything not required by law.

A high point of this is the recent quarterly performance report of the acquisition part of Defence—which uses so much black ink to censor the text that a toner warning and reorder form should accompany the link to the document.

I suspect that much of the inked-out material on project implementation challenges and issues would be provided publicly in answers by Defence officials to senators’ questions at any estimates committee hearing. But it seems none of this can be provided to the public through an FOI process—an odd and telling indicator of the risk-averse mindset now governing Defence’s public engagement.

No doubt a lot of very similar information to that behind the wall of black ink will be in the next major projects report from the Australian National Audit Office. Defence must comply with the ANAO’s requests for information—and has less discretion to say no than it does when dealing with a member of the public or a journalist.

It’s now almost routine that we learn more about Australian defence matters through the US than from our own defence organisation—whether weapon system acquisitions or, even more recently, potential US military infrastructure plans for northern Australia. That’s embarrassing and wrong given our liberal democratic system of government.

Which makes what the Australian Signals Directorate did quietly back in March—without anyone outside the tech community seeming to notice—even more surprising than it would be on its own. ASD put a three-page description on its website of how it tangles with the enormously sensitive issue of whether to keep a software or system vulnerability it finds secret or to reveal it to vendors to get it fixed. The document sets out what ASD calls its ‘Responsible release principles for cyber security vulnerabilities’. It’s a welcome example of an agency disclosing how an activity of high public interest is conducted while also protecting sensitive classified information.

ASD is the Australian foreign intelligence agency charged with getting hold of others’ electronic signals and information when it can benefit Australia’s national security. But as Australia’s cybersecurity agency, ASD also has the role of providing advice to Australian government agencies, Australian businesses and people on how they can protect their electronic systems and information.

That means ASD is both the poacher and gamekeeper when it comes to the vulnerability of computers and other electronic devices, communications systems and networks—and all the software that operates on them.

How it balances these twin responsibilities when it comes to discovering software vulnerabilities is now clear—because that’s what the document on ASD’s website describes.

It’s a very readable, coherent set of principles, accompanied by two pages of decision flowcharts. It’s even written in plain English that people outside the cyber world can understand.

The publication of the principles is a bit of a contrast to the tech community’s experience with the introduction of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018—dubbed the anti-encryption law in commentary.

The fact that the powers in the act relate to serious criminal offences punishable by three or more years’ jail time, and are focused on access to particular persons’ communications, not systemic weaknesses, is still not well understood.

That’s primarily because, in the absence of solid public disclosure up front, the public narrative about the powers was led by understandably anxious and energised critics. That left the scope and intent of the act unclear, and Australia’s tech companies saw it as a risk to their businesses—including their exports.

In contrast, we know up front that when it comes to software bugs the ASD discovers, its ‘default position is to release information on vulnerabilities when [it] become[s] aware of them’, because one part of its mission is ‘making Australia the safest place to connect online’.

ASD will ‘retain a vulnerability’—that means not make it known to the relevant vendor—‘if the national interest in keeping it strongly outweighs the national interest in disclosing it’. That could be the case, ASD explains, if, for example, the information ‘can be used to gather foreign intelligence to prevent a terrorist attack’.

If it’s likely that a malicious actor (read state or non-state) could discover and exploit the vulnerability, ASD commits to disclose the vulnerability so it can be fixed.

When it decides not to tell the vendor about a vulnerability, ASD takes steps to protect Australian systems from being exploited—including by ‘releasing security advice that mitigates the weakness’. These ‘vulnerability decisions’ are subject to review by Australia’s inspector-general of intelligence and security, an official with the powers of a standing royal commission.

All of this adds up to a well-thought-through approach to assessing risks, and a strong bias towards protecting Australian systems operated by government, businesses and families. The fact that ASD has released the detail of how it makes these decisions is a positive step in building trust in this newly independent government agency.

This kind of disclosure, made outside the heat and light of a crisis or other event that spotlights the issue, shows a strong culture of accountability and an understanding that—at a time of declining trust in public institutions—demonstrated compliance with laws and ethics is necessary to retain the public’s support.

Maybe this culture of openness and disclosure can spread to other parts of Australia’s national security apparatus. A more informed and more supportive Australian public would be the result.

Michael Shoebridge