The Australian Signals Directorate (ASD) has published a document explaining its course of action upon identifying security vulnerabilities in IT systems.
In its Responsible Release Principles for Cyber Security Vulnerabilities, ASD explained that as part of its work, the agency sometimes discovers security weaknesses or vulnerabilities in technology that are unknown to the vendor and could pose a threat to Australians or Australian systems.
ASD, which is an Australian Government agency and also responsible for the Australian Cyber Security Centre (ACSC), said it has made these vulnerabilities known to vendors for many years so they can issue patches to systems and customers.
"Our starting position is simple: when we find a weakness, we disclose it," it stated.
However, it does not stop there: ASD affirmed that it does not always disclose such vulnerabilities to vendors, specifically when they could allow the agency to obtain foreign intelligence.
"Occasionally, however, a security weakness will present a novel opportunity to obtain foreign intelligence that will help protect Australians," ASD said. "In these circumstances, the national interest might be better served by not disclosing the vulnerability.
"The decision to retain a vulnerability is never taken lightly. It is only made after careful multi-stage expert analysis, and is subject to rigorous review and oversight."
ASD's decision-making process is based on ensuring the safety and security of Australians and Australia, and rests on eight principles:
- Security first: ASD’s default position is to release information on vulnerabilities when we become aware of them. Protecting Australians is our top priority.
- The national interest: We only retain a vulnerability if the national interest in keeping it strongly outweighs the national interest in disclosing it. This might happen if the weakness allows us to gather foreign intelligence that will prevent a terrorist attack, for example.
- Assess the risk: ASD carefully considers the likelihood of a malicious actor being able to take advantage of the weakness. If we assess it is likely a malicious actor will discover and exploit the vulnerability, we will disclose the vulnerability so it can be fixed.
- Consider the consequences: ASD carefully considers the potential impact if the weakness is exploited by a malicious actor. Considerations would include who and what could be affected, and how much damage could be done.
- Mitigate the threat: If a vulnerability is retained, ASD will do all we can to protect Australian systems from being exploited. For instance, we might release security advice that mitigates the weakness.
- Responsible release: ASD works closely with vendors to ensure that patches and other mitigation measures are available before information on a vulnerability is made public.
- Regular review: ASD reviews all vulnerability retention decisions on an ongoing basis. We do not ‘set and forget’. If the national security imperatives are no longer pressing, we will release the vulnerability.
- Rigorous oversight: All of ASD’s vulnerability decisions are subject to independent review by the Inspector-General of Intelligence and Security. ASD submits an annual report covering all vulnerability decisions to the Inspector-General. A copy of this report is also provided to the Minister for Defence.