Who leaked the idea of ASD spying on Australians, and why?

Mike Pezzullo's apparent thought bubble on domestic digital surveillance has been burst, but it foreshadows tense times ahead for Australia's new domestic security arrangements.
Written by Stilgherrian , Contributor

"Secret plan to spy on Aussies," The Sunday Telegraph headlined the story. "Two powerful government agencies are discussing radical new espionage powers that would see Australia's cyber spy agency monitor Australian citizens for the first time."

It was a "power grab" detailed in "top secret letters" proposing that the Australian Signals Directorate (ASD) be able to use its cyber offensive capabilities domestically.

"The Secretary of the Department of Home Affairs Mike Pezzullo first wrote to the Defence Secretary Greg Moriarty in February outlining the plan to potentially allow government hackers to 'proactively disrupt and covertly remove' onshore cyber threats by 'hacking into critical infrastructure'," the newspaper wrote.

"Under the proposal, seen by The Sunday Telegraph, Home Affairs Minister Peter Dutton and Defence Minister Marise Payne would tick off on orders allowing cyber spooks to target onshore threats without the country's top law officer [the attorney-general] knowing."

This would be a massive change.

The ASD, like its American and UK counterparts the National Security Agency (NSA) and the Government Communications Headquarters (GCHQ), has both a cybersecurity role and an international espionage and offensive cyber operations role. By law, those international powers can't be used domestically, although recent changes allow the ASD to conduct offensive operations against offshore cybercriminals as well as nation-state actors.

The Australian Security and Intelligence Organisation (ASIO) and the Australian Federal Police (AFP) are the agencies charged with tackling domestic threats. They already have their own cyber capabilities, which can be deployed once a warrant has been issued. They can also call upon the ASD for technical assistance if they need it.

The reported proposal in Pezzullo's letter is clearly intended to bypass the need for a warrant, and the need for the attorney-general to even be informed. It reportedly also includes coercive powers to force government agencies and private businesses to "comply with security measures", and for the ASD to have a "stronger role in support of the Home Affairs portfolio".

While The Sunday Telegraph says that "the proposal was compiled in a top secret ministerial submission signed by ASD boss Mike Burgess", he and the officials involved have been quick to deny that there was any real proposal on the table.

"There is no proposal to increase the ASD's powers to collect intelligence on Australians or to covertly access their private data," said a statement signed jointly by Burgess, Moriarty, and Pezzullo.

Cybersecurity and intelligence collection are "two distinct functions, technically and operationally".

"In the ever-changing world of cybersecurity, as officials we should explore all options to protect Australians and the Australian economy," they wrote.

"We would never provide advice to government suggesting that ASD be allowed to have unchecked data collection on Australians -- this can only ever occur within the law, and under very limited and controlled circumstances."

Government ministers have said there is no "formal proposal", and that it has not been discussed at the ministerial level.

"There is no plan by the government to allow the Australian Signals Directorate to collect intelligence against Australians, or to covertly collect private data," Foreign Minister Julie Bishop told ABC Radio on Monday.

"I don't see any national security gap, and I certainly believe the current laws safeguard the privacy of Australians but also keep Australians safe."

So if there was no "formal proposal", why did someone leak Pezzullo's alleged letter?

The Sunday Telegraph's characterisation of it being a "power grab" would seem to be spot on. Pezzullo has been at the centre of Australia's ballooning security apparatus for some time. It would be fair to describe him as ambitious.

As chief executive officer of the then Australian Customs and Border Protection Service, Pezzullo "emphasised the importance of border security not only as a security issue, but also as an economic concern", as Wikipedia puts it.

Then as secretary of the Department of Immigration and Border Protection (DIBP), Pezzullo oversaw the amalgamation of immigration and customs into a single, uniformed service, "recasting what had been seen as traditional immigration and border security institutions and doctrines".

Now Pezzullo is secretary of the significantly larger and more powerful Department of Home Affairs (DHA). His minister, as in DIBP, is Peter Dutton, a former Queensland cop who shares many of Pezzullo's views on toughening up domestic security, even if he does so more with simple zeal than any real intellectual heft.

ASIO and the AFP are also part of the home affairs ministerial portfolio as part of the reshuffle of responsibilities.

The prospect of a home affairs minister -- any home affairs minister -- having the power to play fast and loose and warrantless with the ASD's cyber skills is one that many traditionalists might find worrying.

The Sunday Telegraph quoted an anonymous government source as saying: "I am horrified. The only reason it's not going ahead with ease is because there are good people who didn't sign up to do this against Australian citizens."

On Monday, former secretary of the Department of Defence Paul Barratt was somewhat more blunt.

"The leak of highly classified material on the matter suggests to me that someone, somewhere in the system is deeply concerned by the prospect of Dutton placing us all in the Panopticon," Barratt tweeted.

Pezzullo's apparent thought bubble on domestic digital surveillance has been burst, at least for now. But it's a sign of interdepartmental tensions to come.

From July 1, while Australia's cybersecurity defences will be coordinated by the Australian Cyber Security Centre (ACSC) as part of the ASD, cybersecurity policy will be developed within DHA. It will be overseen, somehow, by the attorney-general.

It doesn't take a genius to see the potential here for, shall we say, tensions over who reports to whom, and who has final say over what -- and it's clear that there's at least some disagreement about how things should proceed.

Related Coverage

Committee recommends mandating ASD's 'Essential Eight' mitigation strategies

The Joint Committee of Public Accounts and Audit wants the government to include the additional four steps in its list of mandatory infosec strategies.

ASD calls on government chief executives to up their cybersecurity game

The Australian Signals Directorate's newly minted director has rejected the idea of a cybersecurity skills shortage, highlighting rather there's a need to ensure the people at the top of government departments are aware of the threats they face.

ASD to review Australia's cybersecurity and 'drive out known problems'

New Australian Signals Directorate chief Mike Burgess outlines his priorities for the restructured agency's next 12 months.

3 of the biggest threats facing governments and businesses, according to Akamai Technologies (TechRepublic)

Akamai Technologies' Tom Ruff explains three emerging threats that could be significant for startups, SMBs, enterprises, and governments, and what organizations can do to mitigate them.

3 ways to minimize cyberattack threats by reducing attack surfaces (TechRepublic)

Cybercriminals leverage attack surfaces as a way to penetrate an organization's infrastructure. Learn how to reduce attack surfaces and apply deceptive cyberdefenses.

GDPR data breach notification letter (Tech Pro Research)

Once the GDPR becomes enforceable on May 25, 2018, organizations everywhere will be subject to stiff fines and penalties for noncompliance. This download includes an overview of the information required.

Editorial standards