ASD leaves TikTok ban decisions in departmental hands

Signals agency avoids imposing its advice on government departments and telcos, but does adhere to its own advice.
Written by Chris Duckett, Contributor
Image: Asha Barbaschow/ZDNet

The Australian Signals Directorate (ASD) has said even though it provides technical advice on cybersecurity matters to the Australian government, it does not impose bans on apps or technology.

One particular issue has been whether apps like Wechat and TikTok pose a security threat for Australian government employees, and whether the apps should be allowed onto work devices.

"It is a matter for individual departments to make their own risk judgements weighed against the potential utility of the application for the proper running of their own organisations," the intelligence agency said in answer to a Senate Estimates Question on Notice.

In response to another question, ASD did say it provided technical advice to government, but has not undertaken a wide-ranging risk assessment.

"ASD has not undertaken a risk assessment the use of TikTok or Wechat for users that might face an increased risk of being targeted for espionage or foreign interference -- such as diaspora communities, think tanks, NGOs, or parliamentarians," it said.

Earlier in the month, Home Affairs said it conducted a review of TikTok, but only for internal staff use, and did not provide any governmental advice off the back of it.

Similarly, when questioned whether it had provided advice to Australian telcos Optus and TPG to implement Resource Public Key Infrastructure to help stop Border Gateway Protocol hijacks, ASD ducked responsibility.

"Cybersecurity of Australian telecommunications companies is a matter for them," it said.

However, should the Critical Infrastructure Bill pass through Parliament, the government could potentially be able to mandate such actions under a "positive security obligation". The Bill also introduces mandatory reporting to ASD from sectors deemed as critical infrastructure.

When introducing the Bill last week, Home Affairs Minister Peter Dutton said the requirement to report to the ASD was to a "comprehensive understanding of the cybersecurity risks to critical infrastructure assets".

"Through greater awareness, the government can better see malicious trends and campaigns, which would not be apparent to an individual victim of an attack. This will ensure that the government can appropriately advise and assist entities across the economy to better safeguard their assets from cyber attacks," he said.

Also contained within the Bill are last resort powers, which allow the government to step in to protect assets during or following a significant cyber attack.

In June, ASD said while cybersecurity was an important priority for government, it was not responsible for what government agencies did or didn't do.

"As individual Commonwealth entities are responsible for their assessment in light of their risk environment, questions regarding [Protective Security Policy Framework] implementation within an individual entity are best directed to that entity," it wrote.

Elsewhere in its responses, ASD said it has continued to use its offensive cyber powers against foreign cyber actors and offshore cyber criminals.

"Every offensive cyber mission is targeted and proportionate, supported by a strong framework of legislation and policy, and subject to ASD's oversight framework, including by the Inspector-General of Intelligence and Security," it said.

"ASD can use its technical expertise to combat serious crimes undertaken by people or organisations outside Australia, a such as child exploitation and illicit narcotics, committed or facilitated by, the use of electromagnet energy, whether guided or unguided or both."

The directorate would not be drawn on how much it spends on protecting its network, claiming it might "disclose sensitive information about ASD's systems and networks and its capability", but it did say it had fully implemented DMARC on its domains, as well as implemented its Essential Eight advice.

On the matter of a code replay flaw found within myGovID in September, ASD once again said it was a matter for another organisation.

"ASD facilitated passage of the researcher's findings to the ATO, and provided technical advice and assistance to the ATO on the implications of the vulnerability disclosure. The management of the disclosure issue is a matter for the ATO," it said.

In answers from other organisations, the Department of Health said it had spent AU$6.995 million on advertising the COVIDSafe app so far, but has not run any advertising since July 20.

Related Coverage

Editorial standards