From signals to cyber: Inside the transformation of the Australian Signals Directorate
- 25 October, 2018 09:20
ASD director-general Mike Burgess
For decades, the government didn’t even acknowledge the existence of the organisation that eventually became the Australian Signals Directorate.
But while much of its work remains classified, the ASD’s profile is higher than it ever has been before because of the growing importance of information security and the ASD’s custodianship of the Australian Cyber Security Centre (ACSC).
This year has seen the ASD embark what is probably its biggest transformation in its more than seven decades of existence, according to its director-general Mike Burgess.
On 1 July, it entered a new era as an independent statutory agency — the latest reflection that the organisation’s mandate has expanded far beyond its original signals intelligence role.
Although SIGINT for Australia’s military remains a fundamental duty of ASD, the organisation is also a key infosec guardian for government as well as being tasked with what it likes to describe as “offensive cyber operations”.
The changes to the legislative arrangements governing the ASD, Burgess says, are about giving it “the flexibility to attract, recruit, train, retrain the specialist staff that it was recognised we needed to do our job.” That job being “cyber security, signals intelligence and what we call ‘offensive cyber’,” he added.
“The best capability we have to do our missions is our people,” Burgess told Computerworld.
The ASD’s inaugural corporate plan, released in July, notes that “recruiting and retaining specialist staff has become increasingly difficult due to the private sector competing for the talent ASD needs”.
Demand for cyber-security skills continues to grow in Australia. Recruiter Robert Half’s 2018 Salary Guide lists cyber-security specialists as the technology position experiencing the highest demand, and the remuneration on offer reflects that.
Burgess says that although, even with the changes to its employment framework, the ASD is not in a position to match top-end private sector salaries, it can offer enticements that no other organisation in Australia can.
“We recognise we will not compete with the private sector on salary, but I've not yet met a person who does a career based solely on salary,” the director-general told Computerworld. “One of our value propositions and differences to the private sector, in our cyber security work and in [our] organisational work more broadly, is you can do work in ASD that actually clearly and truly does make a difference to our country’s national security.”
And it’s not just that, he added: “You can do work in ASD that actually would be illegal for you to do in the private sector.”
“Yes, you can have penetration testers, vulnerability assessors in the private sector, absolutely,” he explained. “But we do work, in our fullest mission, that actually would be illegal for others. We do that in the performance of our intelligence and offensive activity.” [See accompanying box at end.]
“We know from experience our staff love the work they do because they can see they are part of an organisation that makes a difference. That is actually a value proposition that generally works well for us,” Burgess said.
“Having said that, I won't dismiss the actual challenges that the competition in the market place puts on our workforce, and in part again that’s why ASD became a statutory independent agency — so we have some more flexibility outside of the public service framework to attract, recruit, train, retain our specialist staff,” he added. “We will make some steps in that regard, but we will not be fully competitive with the private sector — but that doesn't worry me.”
The ASD is governed by the Public Governance, Performance and Accountability Act 2013, which puts an onus on all Commonwealth entities to meet high standards of governance, performance and accountability.
With the transition to independence there is a heightened focus on the ASD having in place, “the proper processes and practices and discipline around business management and governance,” Burgess said.
Hazel Bennett, formerly chief operating officer at the CSIRO, joined ASD in July as deputy director-general, corporate and capability.
In early August, the ASD began seeking executives to fill the ranks of its newly created Corporate Division, led by Bennett. “It really is putting the focus on the business management discipline, so we can run an effective enterprise to do the missions that we’re being required to deliver on,” Burgess said.
In addition to recruitment and retention, the ASD has put a premium on building partnerships. Its corporate plan states it will seek to nurture “strong partnerships with the Australian national security community, its overseas intelligence partners, academia and industry”.
“While these partnerships have always been important to ASD, the strategic environment’s complexity and rate of change demand closer integration and collaboration,” the document added.
In terms of partnership building, “the bulk of what you see publicly will be through the ACSC,” Burgess said. The director-general added: “You would not be surprised to learn that we have many bits the details of which remain classified, but they're not just government-to-government. They’re also with industry, where we tap into industry expertise, but we don't broadcast it.
“Partnerships are a central plank of our strategy that enables us to do our work. We can’t do our work without effective partnerships on many fronts.”
One non-classified example is the ASD’s collaboration with the Australian National University. The ASD revealed in 2016 it would invest $12 million to help fund a joint facility at the ANU Research School of Computer Science and Mathematical Sciences Institute.
“There is a new building that will be opened early next year that is primarily around mathematics and other aspects of data science,” Burgess said. “The application of that... will be classified but actually the collaboration is unclassified, because we recognise the smart people are actually out there in the real world, and we need to tap into them.”
From the DSB to the ASD
Life as an independent agency is a significant change for an organisation whose very existence was once a closely guarded secret.
The ASD’s origins can be traced back to the Defence Signals Bureau, which began operations in November 1947. But the DSB (later: the Defence Signals Branch; later still: the Defence Signals Division) had roots that stretched back even earlier, to the Second World War signals intelligence units that supported the South-West Pacific campaign by decoding Japanese radio signals.
It was only in 1977 that Prime Minister Malcolm Fraser publicly acknowledged the existence of the Defence Signals Division, announcing that it would be “restyled” as the Defence Signals Directorate to reflect the “enhanced status” the 1974-77 Hope Royal Commission on Intelligence and Security recommended be accorded to it.
In his ministerial statement Fraser described the DSD as an “organisation concerned with radio, radar and other electronic emissions from the standpoint both of the information and the intelligence that they can provide and of the security of our own government communications and electronic emissions.”
Although the SIGINT role of the organisation has remained a constant, the growing importance of information security to government has seen “cyber” offence and defence increasingly become a key function of the ASD.
The information security role of the DSD expanded in a “dramatic” fashion in the 2000s, according to the ASD’s own summary of its history.
In 2009, a Defence White Paper said that the federal government had “decided to invest in a major enhancement of Defence's cyber warfare capability.” “A comprehensive range of expanded and new capabilities will maximise Australia's strategic capacity and reach in this field,” the paper stated.
Although many of those capabilities were “highly classified” they would include a “much-enhanced cyber situational awareness and incident response capability, and the establishment of a Cyber Security Operations Centre to coordinate responses to incidents in cyberspace.”
The CSOC would include a continuously staffed watch office and an analysis team. It would sit within the DSD, which, the white paper noted, already possessed “significant cybersecurity expertise”.
Although CSOC would sit within Defence and “be available to provide cyber warfare support” to Australian Defence Force operations, it would “be purpose-designed to serve broader national security goals”.
Those national security goals included assisting response to cyber incidents across government as well as critical private sector systems and infrastructure.
The CSOC was officially launched in early 2010.
A 2013 Defence White Paper revealed that the DSD would be renamed the Australian Signals Directorate, reflecting the national role that the organisation was playing in support of Australia’s security.
In January 2013 Prime Minister Julia Gillard announced that the government would launch the Australian Cyber Security Centre (ACSC). The ACSC, which launched in November 2014, was effectively an evolution of CSOC and alongside the ASD’s extensive cyber capabilities drew together the expertise of the Defence Intelligence Organisation, ASDIO, the CERT Australia, the Australian Federal Police, and the Australian Crime Commission (ACC).
The aim, the 2013 Defence White Paper said, was to “facilitate faster and more effective responses to serious cyber incidents, and provide a comprehensive understanding of the threat to Australian Government networks and systems of national interest.”
Prime Minister Malcolm Turnbull in November 2016 announced that Michael L’Estrange and Stephen Merchant would conduct an independent review of the Australian intelligence community.
The government in July 2017 released the unclassified version of the L’Estrange Review, and included within it was a recommendation for a “significant change to the structure of the intelligence community in regard to the Australian Signals Directorate”.
Some 13 years earlier the Report of the Inquiry into Australian Intelligence Agencies (the ‘Flood Report’) had rejected any move to transform the ASD, still at that time named DSD, into an independent statutory authority. The Flood Report noted the inquiry had received a “small number of representations” calling for a change to the DSD in recognition of “its significance as a national asset and its powerful intelligence gather capabilities”.
Those views were “very much in the minority” and the 2004 report argued that the organisation was “appropriately positioned in Defence,” citing in particular the importance of the DSD’s SIGINT role to military operations.
The L’Estrange Review concluded, however, that the ASD’s “roles, responsibilities and interactions within government and with the non-government sector” had “broadened considerably since 2004”.
“In these new circumstances, our view is ASD would be better able to fulfil its vital responsibilities to the ADF, and would more effectively carry out its broader national role, through a structure that provides it with more autonomy within the Defence portfolio,” the report said.
“In our view, ASD will be better placed if it remains in the Defence portfolio but if it is in a position to operate with greater independence from the Department’s requirements, especially those in relation to its capacity to recruit, retain, train, develop and remunerate its specialist staff,” it added.
Continuing to operate within the Department of Defence’s employment framework would increase the risk of the ASD “losing additional critical talent, skills and capabilities”.
Before the enabling legislation was passed, the ASD sat within the Department of Defence with its director reporting to the defence minister through a deputy secretary and the department’s secretary.
“Given its increased national responsibilities especially in relation to cyber security and also mindful of the critical operational capabilities it provides to the Australian Defence Force (ADF), we recommend that ASD become a statutory authority within the Defence portfolio,” the L’Estrange Review said.
The head of the ASD should be appointed at a level of seniority equivalent to the directors-general of ASIO and the Australian Secret Intelligence Service, the review recommended.
Legislation should reaffirm the ASD’s role in supporting the ADF, the review added, but also “explicitly recognise its national responsibilities for cyber security, including the provision of advice to the private sector, and that it take formal responsibility for the Australian Cyber Security Centre”.
The review noted that Australian intelligence agencies were faced by a “range of challenges relating to the recruitment, retention, career management and training of their workforces”.
“These challenges derive partly from the rapid evolution of technology, the demand for technological expertise in the private sector and the long lead times in security clearance processes,” the review said.
“They also reflect the pressures on staff numbers as well as work cultures, career structures and public sector remuneration practices.”
Those challenges are particularly acute for those organisations, such as the ASD, “where highly specialised and technologically expert workforces are involved”.
The Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018 was introduced into the House of Representatives in February this year and passed by the Senate in late March; it received Royal Assent on 11 April, with its key provisions taking effect on 1 July.
It was that legislation which established the ASD as an independent statutory authority and gave its director-general the power to employee people outside the framework of the Public Service Act 1999.
“This will provide ASD with greater flexibility to recognise the skills of its specialised workforce,” the explanatory memorandum accompanying the bill said. “This structure will reflect the need to retain those individuals with highly sought after skills, such as those with STEM (science, technology, engineering and maths) qualifications.”
It also provided for the ACSC, along with CERT Australia, to be transitioned to the newly independent ASD.
In December last year, Turnbull announced Burgess would take the reins at the ASD as the organisation’s inaugural director-general. Burgess came to the role from Telstra, where he was chief information security officer, but prior to that he led the DSD’s information security division from 2008 to 2013.
ASD’s life as a statutory authority began less than four months ago, so it’s still “early days” in terms of seeing a measurable impact from the changes, Burgess said.
However he added: “I will say at the moment we have no trouble attracting people to ASD; so it's not like we've got a problem getting people who want to come and work here. We still do have some problems on how effectively we can bring them through a security clearance process.” (The ASD relies on the Australian Government Security Vetting Agency, which for a number of years has struggled with demand for its services.)
“Having said that, because we have the Australian Cyber Security Centre now part of ASD, we have the ability to bring people on before they get a Top Secret clearance,” he said. “We've got a lot of opportunity and work to be done on the cyber security side, and actually work that can be done in preparation for people coming through to work in the highly classified side; we have some latitude there.”
“Our trajectory is we're going in the right direction, but I won't underestimate the amount of work we have to do to get it right,” Burgess said.
Bennett described the current process as the ASD “running at two paces”.
“We’re clearly continuing to do business as usual — we continue to recruit, we continue to work out how to put adverts for positions and run recruitment processes — at the same time as now trying to stand up more tailored processes that will attract the kind of people we want,” she told Computerworld.
“Previously we’ve run very much to a general government flavour of recruitment; it’s perhaps looked and felt a bit less specific to ASD. We’re now thinking about the ways we can do things differently — go into universities differently, conduct different kinds of forums where, in addition to doing great cyber challenges, we can also have a few people around talking about the job prospects, and trying to see if can entice people at that point.”
“It's a bit two-paced at the moment, continuing to do what we've done but getting ready for a different future,” she added.
New recruits and new recruiting
Bennett said the ASD has been looking at how to broaden its horizons when it comes to recruitment
She said that organisations sometimes unnecessarily limit themselves to a smaller pool of candidates by seeking “a fully formed, STEM qualified IT technologist” fresh out of a university.
“We want to have people based on aptitude in some roles; we don’t need to have them going through university,” she said. “We've got to be a lot smarter about how we pick up people through vocational degrees, etc., and that's really where we're doing quite a bit of thinking — we don't need the fully formed package.”
“Technology itself is changing,” she added. “So when people say you need STEM — an awful lot of the kind of work that we also need to do picks up on almost the psychological side of being able to look at data. It’s much more [about] the interface of people with data. That’s classical critical thinking skills. You don’t necessarily need to be a deep technologist to drive technology.”
“Let’s really focus on the capability we need, not necessarily just the qualification,” Bennett said.
Part of the effort will not just be seeking out talented individuals but raising the profile of ASD as a potential career pathway. “They might just look at it as another three letter acronym, and not really think about who are we — ‘Can I have a career with these people?’” she said.
“We don’t have the answers yet, but we’re starting to really engage and think differently about how we do this attraction.”
At the same time, the organisation is thinking about how it retains people.
“If we're going to a different pool to recruit, we need to be different internally to make their work with us, their time with us, successful in retention,” Bennett said.
“One of the things that makes ASD such a successful organisation is we actually do have a diverse range of people who come from a whole range of backgrounds and walks of life,” Burgess said.
“We are able to recruit a whole range of people,” he added. “Some of our best analysts have degrees in medieval history. It's not because they’re medieval history experts; it’s because they clever, curious-minded, intelligent people, who can apply themselves to problems in a different way.
“Diversity as skill set and thinking matters in our business, and long before diversity was rightly called out as a hot topic, this organisation had done it. Not because it was a design; it’s just for some reason we figured out a long time ago that clever, curious-minded people actually make good cryptologic people.”
Overall, Burgess said that he considers the ASD today as being “at the end of the beginning” of its new era. “We’ve transitioned to a statutory agency, but that's not the end — that's where it now begins. We’re making progress,” the director-general concluded.
In April 2016 as part of the unveiling of the government’s National Cyber Security Strategy, Prime Minister Malcolm Turnbull confirmed that Australia possessed an “offensive cyber capability” that could be used to retaliate against attacks.
“While cyber security measures sit at the forefront of our response to cyber threats, defensive measures may not always be adequate to respond to serious cyber incidents against Australian networks,” Turnbull said.
“The government can draw on a range of options to respond, such as law enforcement, diplomatic, or economic measures,” he added.
Turnbull said the offensive cyber capability is “housed in the Australian Signals Directorate” and “provides another option for government to respond.”
“Acknowledging this offensive capability adds a level of deterrence,” he said. “It adds to our credibility, as we promote norms of good behaviour on the international stage; and, importantly, familiarity with offensive measures enhances our defensive capabilities as well.”
In November that year, Turnbull revealed that the ASD was supporting cyber operations against Islamic State.
Australia had conducted air strikes against the group but the fight “is also conducted through cyber space,” the then-PM said.
“While I won’t, for obvious reasons, go into the details of those operations, I can say that they are being used, that they are making a real difference in the military conflict and that all offensive cyber activities in support of the [Australian Defence Force] and our allies are subject to the same rules of engagement which govern the use of our other military capabilities in Iraq and Syria, such as our F-18 Hornets.”
In mid-2017 the government said that for the first time the ASD’s offensive capabilities would be used to target “organised offshore cyber-criminal networks”.
“The use of offensive cyber capabilities is one of the options the government is pursuing as part of a broader strategy to prevent and shut down safe havens for offshore cyber criminals,” said Liberal MP Dan Tehan, who at the time was the minister assisting the prime minister for cyber security.