ASD has a long and proud tradition of adopting new technology and using it to drive better intelligence and security outcomes for the Australian Government.
Our development and use of Artificial Intelligence (AI) is no different. Through continued collaboration with our Five Eyes, industry and Academic partnerships we will ensure that our AI capabilities advance in step with the art of the possible.
This will drive improvements in quality, efficiency and timeliness across all aspects of our business, including the triage of large volumes of data to identify high value intelligence, the automation of routine tasks, and early detection of anomalous cyber activity.
To manage the use of AI in ASD, we have created a framework that incorporates a set of ethical principles which will govern how we function.
These principles include:
- Lawful and Appropriate use of AI consistent with the legislation, policies, processes and frameworks that govern our functions and protect the privacy of Australian citizens.
- Enabling Human Decision Making allows our workforce and customers to make informed decisions based on AI system outputs, and to maintain trust in AI systems.
- Reliable and Secure AI ensures that technologies continue to meet their intended purpose and remain protected from external interference.
- Accurate and Fair AI mitigates against unintended bias.
- Accountable, Transparent and Explainable AI to allow human oversight and control, with clear accountabilities enacted for all stages of the AI development life-cycle facilitating appropriate and proportionate operations.
Read more about ASD’s Ethical AI Framework and principles.
Responsible Release Principles for Cyber Security Vulnerabilities
The Australian Signals Directorate (ASD) is committed to making Australia the most secure place to connect online.
We are proud that our Australian Cyber Security Centre is the nation's premier cyber security authority. Its advice to governments, businesses and families is informed by ASD's other roles, which include gathering foreign intelligence and conducting offensive cyber operations in support of the Australian military.
As part of our work, we sometimes discover security weaknesses or vulnerabilities in technology that are unknown to the vendor and may pose a threat to Australians and Australian systems.
For many years, we have made these vulnerabilities known to vendors so they can patch or otherwise mitigate the threat to their systems and customers.
Our starting position is simple: when we find a weakness, we disclose it.
Occasionally, however, a security weakness will present a novel opportunity to obtain foreign intelligence that will help protect Australians. In these circumstances, the national interest might be better served by not disclosing the vulnerability.
The decision to retain a vulnerability is never taken lightly. It is only made after careful multi-stage expert analysis, and is subject to rigorous review and oversight.
Our decision-making framework is based on a single objective: ensuring the safety and security of Australia and Australians.
The process is guided by eight essential principles:
- Security first.
- The national interest.
- Assess the risk. ASD carefully considers the likelihood of a malicious actor being able to take advantage of the weakness. If we assess it is likely a malicious actor will discover and exploit the vulnerability, we will disclose the vulnerability so it can be fixed.
- Consider the consequences. ASD carefully considers the potential impact if the weakness is exploited by a malicious actor. Considerations would include who and what could be affected, and how much damage could be done.
- Mitigate the threat. If a vulnerability is retained, ASD will do all we can to protect Australian systems from being exploited. For instance, we might release security advice that mitigates the weakness.
- Responsible release. ASD works closely with vendors to ensure that patches and other mitigation measures are available before information on a vulnerability is made public.
- Regular review. ASD reviews all vulnerability retention decisions on an on-going basis. We do not ‘set and forget’. If the national security imperatives are no longer pressing, we will release the vulnerability.
- Rigorous oversight. All of ASD’s vulnerability decisions are subject to independent review by the Inspector-General of Intelligence and Security. ASD submits an annual report covering all vulnerability decisions to the Inspector-General. A copy of this report is also provided to the Minister for Defence.
ASD acts lawfully and ethically. We operate within the letter and the spirit of the law. Australians can be assured that each and every decision about a cybersecurity vulnerability is made meticulously and in the national interest.
Responsible release framework for cyber security vulnerabilities
