Tag Archive for: ASD

All the petshop galahs are asking: where’s the Independent Intelligence Review?

We are coming up to the first anniversary of Prime Minister Albanese announcing an Independent Intelligence Review and we are yet to know the results of that review.

On 22 September 2023, he said that:

This Independent Review will make sure that our intelligence agencies are best positioned to serve the Australian national interest, respond to future capability and workforce challenges, and continue to protect our security, prosperity and values.

A fine sentiment, to be sure, but where’s the public report? The review, completed by Heather Smith and Richard Maude, has not been released. Nor has the government’s response to their recommendations. We know it was received ahead of the 30 June 2024 schedule, as confirmed to the media last month, yet there has been nothing but silence since.

Sure, this is not an automatic process. Government needs to consider the totality of the classified report and come to a position on the reviewers’ recommendations—at least in principle. While also, in consultation with agencies, agreeing to a suitably unclassified report version for public release. But the previous review, authored by Michael l’Estrange and Steve Merchant, was announced in November 2016 and released nine months later.

Furthermore, this review was always going to be a challenging task with many of the ‘go-to’ sweeping recommendations made by past reviews no longer on the table. For example, there’s already been historic recent investments in the Australian Signals Directorate (ASD), Australian Secret Intelligence Service (ASIS) and the Australian Security Intelligence Organisation (ASIO).

Nor is there much appetite for big-picture structural moves given the changes of 2017–18, which created a host of new elements. Namely, the 10-agency National Intelligence Community itself, the Office of National Intelligence out of the Office of National Assessments and an independent ASD within the Defence portfolio, in addition to separate establishments of the Defence Intelligence Group and the Department of Home Affairs.

In these circumstances Smith and Maude’s recommendations can be expected to be more subtle and incremental. The likely smaller canvas lends itself to a lessened imperative for government action and response. But this would be a misjudgement given we are in a period of war, conflict and tension around the world, all supercharged by technological revolution.

Australia’s national intelligence capability is central to addressing our deteriorating strategic circumstances and there are significant developments buffeting the intelligence business. From quantum computing to hybrid warfare, the open-source revolution/evolution to social dislocation, and so on. The world changed significantly between the last review and this one.

In the last two months alone we’ve seen the terrorist alert level raised to probable, new foreign espionage arrests, allegations about foreign interference in Australia, announcement of a top-secret cloud computing initiative, change in ASD’s leadership and ASIO re-appointed as a permanent attendee at the National Security Committee of Cabinet after its unexplained removal prior to the review’s announcement. The pace of global change and its impact on Australia makes it important the review is released as soon as possible, and that Australians learn the government’s position and intentions.

Strategy documents and reviews are always at risk of being overtaken by significant, or a series of, events. But that’s usually after publication and during implementation. Prolonged delay here risks having the review out-of-date even before it is released. We’ve already seen not insignificant changes begin to occur within the NIC (absent an apparent connection to the review and its strategic roadmap), notably ASIO’s move back to the Attorney-General’s portfolio. Ad hoc changes threaten to strain the coherence of the vision that will have been laid out by the reviewers months ago, which have informed their recommendations.

The NIC needs a clear roadmap for the rest of the decade, to guide decision-making at the agency and community level. To leave the review on the shelf, either by deprioritising it or by declaring it too difficult, introduces unnecessary risks. While not impossible, the uncertainty of a review hanging over the NIC agencies makes proper long-term planning more difficult, at the very least.

Yes, one could imagine that ministers and officials are beavering away on the classified report’s implementation right now behind closed doors. I hope this is true, even if not otherwise apparent. Regardless, the public report should not be treated as an afterthought.

The public report will itself be a critical enabler of intelligence reform and transformation, given the reliance on the public for the NIC’s workforce recruitment and technology and industry partnerships, and through social licence. The latter becomes particularly important when addressing some of the thorny issues that we would expect to be in the report: new developments like AI, revamping the policy-intelligence interface and the use of intelligence to empower government decision-making more broadly, along with balancing strategic priorities internationally with persistent domestic threats must be dealt with promptly.

A public report is also central to holding government accountable for the implementation of recommendations. As I’ve pointed out separately, a full accounting for such implementation was not undertaken post-2017. It should be remedied this time around.

Additionally, an unclassified version of what is otherwise a necessarily very sensitive and restricted top-secret document is the best way of engaging not just with the public but with all the NIC’s staff, and officials across the broader bureaucracy. The implications of the review and its recommendations will apply much more broadly than just to a narrow coterie of NIC agency leaderships.

A checkup is always preferable to a postmortem. Now in its third iteration, Australia’s system of proactive independent intelligence reviews is invaluable and shouldn’t be undermined by avoidable delay. The Albanese government did well by instituting this latest review last year, but the job isn’t finished until the report and recommendations are made public. Then the hard work of implementation and accountability begins.

Can the ‘core’ and ‘edge’ of a 5G network really be separated?

The Australian government’s decision to ban ‘high-risk vendors’ from its 5G network build caused ripples not just through the Five Eyes community but in major markets where those high-risk vendors already have key customers. One such customer is Germany.

During a delegation to Germany that I joined in June 2019, it became apparent that the country was grappling with multiple tensions when it came to opening the door to a potential 5G vendor that others had considered to be a risk. The decisions (or deliberations, at least) of the Five Eyes countries have slowly become public.

Australia’s position on high-risk vendors was hardly new. And risk-based decisions about network operators weren’t new.

In 2012, the Australian government banned Chinese telecommunications company Huawei from taking part in building the National Broadband Network (NBN). However, 2012 is a long time ago and the public narrative (from government, at least) on restrictions on such vendors was quite different: there was none. There was no public statement, and no intelligence official publicly talked about the decision. The news dribbled out and was confirmed by National Security Adviser Margot McCarthy before a Senate estimates hearing in 2013. Importantly, she noted that it was a ‘risk based decision to exclude Huawei from the National Broadband Network’.

Trust and trade are also a hugely influential in determining when or even if decisions of this kind should be made public. At the time of the NBN decision, Australia’s largest trading partner was China. The lack of a public narrative could be explained away in the context of a trade relationship. Or it could be explained in the context of a different time, when the government narrative on such issues tended to be less direct.

The 2012 NBN decision also didn’t really spook our allies and certainly not Germany. The only ‘spooking’ (if there was such a thing) came from the US House intelligence committee, which had issued a damning report on two Chinese vendors and their trustworthiness. Distrust may have been a absent here in Australia but it was building in the US. There, arguments about trust were often interwoven with reports of the theft of intellectual property and indictments against Chinese nationals accused of spiriting out highly sensitive US secrets, commercial espionage, or both.

Even back then, a report from the US House intelligence committee expressed concerns about Chinese legislation compelling its citizens to cooperate with requests from the Chinese government: ‘[U]nder Chinese law, ZTE and Huawei would be obligated to cooperate with any request by the Chinese government to use their systems or access them for malicious purposes under the guise of state security.’

The extraterritorial operation of Chinese law is important. In 2018, Samantha Hoffman and Elsa Kania observed in ASPI’s The Strategist:

For Chinese citizens and companies alike, participation in ‘intelligence work’ is a legal responsibility and obligation, regardless of geographic boundaries.

This requirement is consistent across several laws on the protection of China’s state security. For instance, Article 7 of the National Intelligence Law (国家情报法) declares: ‘Any organisation and citizen shall, in accordance with the law, support, provide assistance, and cooperate in national intelligence work, and guard the secrecy of any national intelligence work that they are aware of. The state shall protect individuals and organisations that support, cooperate with, and collaborate in national intelligence work.’

In short, that could mean the Chinese government may influence, interfere with and have access to key assets of national interest—in this case, a telecommunications network.

In a public speech in October 2018, the head of the Australian Signals Directorate, Mike Burgess, explained why assessing the security risks of critical infrastructure like the 5G network is a vital part of ASD’s work:

The stakes could not be higher. This is about more than just protecting the confidentiality of our information—it is also about integrity and availability of the data and systems on which we depend …

Historically, we have protected the sensitive information and functions at the core of our telecommunications networks by confining our high-risk vendors to the edge of our networks.

But the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network.

ASD’s UK equivalent, GCHQ (General Communications Headquarters), seems to have formed a different view, which has been reflected in the UK government’s approach to 5G vendors. The UK agreed (many years ago) to having a Huawei ‘cell’ in the country that assesses Huawei code before it’s used. (Similar offers had been made by Huawei in Australia as far back as 2012 but weren’t taken up by the Australian government.)

The 5G network build is a matter for the UK government alone, and it’s perfectly entitled to make a decision different from those of its Five Eyes partners. News reports indicate that the 5G decision was subject to heated debate in cabinet, in which there was no uniform view on the question of excluding high-risk vendors. However, the debate marked the start of the ‘core versus edge’ public narrative, which could be convenient nuance for justifying the UK government’s approach.

So, where did all of this leave Germany? In June 2019, it appeared to be landing somewhere between the Australian and UK approaches.

Germany didn’t seem to want to adopt the direct Australian approach. One organisation we visited said, ‘Germany would never directly exclude a company in a procurement process.’ Some German organisations labelled the Australian decision as ‘geopolitical’. Often, talk moved on to China being regarded as less of a threat because it was not geographically close to Germany—which is odd given that the conduit of cyber has no borders.

Overwhelmingly, we heard that Germany wanted to be in a position to ‘trust and verify’ and that it would prefer to be able to determine (or perhaps exclude or control?) its vendors on that basis. However, when pressed to explain how this approach could ensure network security, when Chinese companies can be subject to their domestic law, and when German companies may be none the wiser, our German colleagues struggled to respond. Some shifted uncomfortably when we asked why an outright ban on high-risk vendors could not occur. They also spoke of a broader European strategy and said that no one country could dictate the procurement process, even though these decisions are supposed to be made at the national rather than EU level.

When we left Berlin on a very warm summer afternoon, our sense was that the Germans were no closer to a decision that would effectively manage the risks of allowing a high-risk vendor to be part of their 5G build. There was a sense of unease coupled with tension because they knew they had to act decisively.

Now, in early 2020, the autumn leaves have long since fallen and the pressure to act has no doubt been felt in the Bundestag. While the 5G build situation remains very fluid, the Christian Democratic Union (CDU) has, apparently, decided to allow Huawei to take part in Germany’s 5G bidding. This decision has been labelled a ‘Faustian bargain’, in that it’s suggested Chancellor Angela Merkel has put Germany’s short-term economic interests first at the possible long-term expense of international security.

It’s important to look at the actual ‘decision’ that the CDU leadership has made (or proposes to make). According to a document apparently endorsed by CDU leaders, they have adopted a variant of the ‘core versus edge’ approach. The document notes that:

[T]he core network must fulfil the highest security requirements …

[T]he government should also have increased security requirements for the peripheral 5G network without jeopardising the immediate transition to 5G …

[N]o company should have a presence in the network infrastructure higher than 50% by 2025, [or] in the case of non-European suppliers … a maximum of 30% of the periphery of the network.

It is implied that all core network suppliers should be European.

It has been suggested that the CDU’s decision to not exclude Huawei from Germany’s 5G build is based on evidence that commercial and trade interests have prevailed over security interests. Foreign Policy reports that major German companies are heavily reliant on the Chinese market, and, according to unnamed ‘German officials’, ‘Merkel was warned by Chinese leaders that an exclusion of the Shenzhen-based group [that is, Huawei] from the German 5G network would have serious consequences for bilateral economic ties.’

What’s clear is that Germany wants to pursue a different path, and that is its prerogative. To let many vendors compete in the procurement process for any critical infrastructure build is inclusive and in keeping with what we heard in June. The organisations we spoke to left us with the impression that outright exclusion wasn’t seen as the right thing to do.

In addition to trade considerations, another factor may have been the high degree to which Huawei has already partnered with Deutsche Telekom and other carriers in Germany, making the cost of replacing existing equipment considerable.

Germany’s decision to let Huawei take part in its 5G procurement process feeds into a broader EU issue about the degree to which collective security considerations should influence decisions made by national governments.

Indeed, there does seem to be tension between the German and EU interests. It’s unclear whether there can ever really be a unified approach to building a 5G network, particularly because each EU member state may have different incumbent providers that in turn have relationships with overseas vendors like Huawei.

As Germany moves through the 5G procurement process, it will be interesting to see how it will or won’t be influenced by the different approaches of other nations and whether it will be influenced by a broader EU approach to national security.

Will Germany decide that it’s neither the ‘core’ nor the ‘edge’ that matters and that security risks can be managed by limiting the level of participation of foreign network operators, as suggested in the CDU document? Irrespective of which path Germany takes, it’s bound to attract attention and be closely watched.