Should the ASD Help Australian Companies Respond to a Cyber Security Attack?

According to an article, the head of the ASD, Rachel Noble, is unhappy that she cannot force Australian companies to accept the ASD’s help when responding to cyber security attacks. Her comment was made at an inquiry into the Security Legislation Amendment (Critical Infrastructure) Bill, which would grant the ASD the power to defend critical infrastructure against cyber attacks under certain circumstances.

The problem? The ASD is primarily a spy agency. Who would have guessed that Australian companies don’t trust the ASD after the Snowden revelations? After the steady stream of legislation that grants the federal government far too much power? Why would anyone in their right mind trust spies?

According to, the Bill would allow the government to install programs, “access, add, restore, copy, alter or delete data”, alter the “functioning” of hardware or remove it entirely from premises.

In other words, a spy agency can do anything it wants on critical infrastructure networks and systems run by the private sector (and presumably the state governments’ public sector).

The ASD — the Australian Signals Directorate — is part of the Department of Defence, and its responsibilities include foreign signals intelligence, offensive cyber attacks against foreign entities, military support, and information security. The ASD is part of Five Eyes, the global spy network brought to public awareness by Edward Snowden. One has to question why the ACSC is even under the ASD.

The ASD has two irreconcilable responsibilities: Spy on foreign entities and protect Australia’s cyber security. For example, the ACSC — the Australian Cyber Security Centre, a department under the ASD — provides threat intelligence to partners. But what if an unknown software vulnerability can be used to attack a foreign entity? Will the ACSC publish this unknown software vulnerability to its partners? Or will the ACSC pass the vulnerability over to another department that can attack a foreign entity?

This is the problem: The ASD’s incentives lie elsewhere than Australia’s cyber security; they’re spies, and spies hoard data in order to win the arms race against foreign spies. This should be obvious. Australia’s cyber security will always come second to national security, which is part of the Road to Digital Serfdom, an overarching idea of why government involvement in digital privacy / cyber security will always end in citizens’ rights being abused.

Another example of the ASD’s conflicting responsibilities is their banning two speakers at a cyber security conference in Melbourne. Apparently censorship should be added to ASD’s list of responsibilities. This was another win for the ASD’s foreign intelligence arm over its cyber security arm.

Likewise, it’s less clear why the ASD believes it’s more qualified than individual employees to respond to a cyber security attack. Or even if the ASD is more qualified than private sector companies that offer security incident response or forensic services. Why doesn’t the Bill only set out minimum standards for cyber security incident response, including staff skills? Why isn’t the interaction with a spy agency voluntary? Companies should not be forced to interact with a spy agency over cyber security.

Personally I advocate almost no government involvement in the private sector for cyber security. In my 15 years in the industry, government has done very, very little to improve the cyber security of companies. Board/CEO awareness of cyber security isn’t because of government. Better security services/tools aren’t because of government. One learns more about cyber security in one year working at a company than 3-4 years at university. Government doesn’t run training, conferences, and the flow of ideas between individuals in the industry. In fact, it’s well known that the government sends its employees to private sector run training sessions, because the government cannot offer the same level of knowledge.

In fact, spies have traditionally been a roadblock to encryption and security. And now the government proposes to let the same people into our datacentres?