For decades, the government didn’t even acknowledge the existence of the organisation that eventually became the Australian Signals Directorate.

But while much of its work remains classified, the ASD’s profile is higher than it ever has been before because of the growing importance of information security and the ASD’s custodianship of the Australian Cyber Security Centre (ACSC).



This year has seen the ASD embark what is probably its biggest transformation in its more than seven decades of existence, according to its director-general Mike Burgess.

On 1 July, it entered a new era as an independent statutory agency mdash; the latest reflection that the organisation’s mandate has expanded far beyond its original signals intelligence role.

Although SIGINT for Australia’s military remains a fundamental duty of ASD, the organisation is also a key infosec guardian for government as well as being tasked with what it likes to describe as “offensive cyber operations”.

The changes to the legislative arrangements governing the ASD, Burgess says, are about giving it “the flexibility to attract, recruit, train, retrain the specialist staff that it was recognised we needed to do our job.” That job being “cyber security, signals intelligence and what we call ‘offensive cyber’,” he added.

“The best capability we have to do our missions is our people,” Burgess told Computerworld.

The ASD’s inaugural corporate plan, released in July, notes that “recruiting and retaining specialist staff has become increasingly difficult due to the private sector competing for the talent ASD needs”.

Demand for cyber-security skills continues to grow in Australia. Recruiter Robert Half’s 2018 Salary Guide lists cyber-security specialists as the technology position experiencing the highest demand, and the remuneration on offer reflects that.

Burgess says that although, even with the changes to its employment framework, the ASD is not in a position to match top-end private sector salaries, it can offer enticements that no other organisation in Australia can.

“We recognise we will not compete with the private sector on salary, but I've not yet met a person who does a career based solely on salary,” the director-general told Computerworld. “One of our value propositions and differences to the private sector, in our cyber security work and in [our] organisational work more broadly, is you can do work in ASD that actually clearly and truly does make a difference to our country’s national security.”

And it’s not just that, he added: “You can do work in ASD that actually would be illegal for you to do in the private sector.”

“Yes, you can have penetration testers, vulnerability assessors in the private sector, absolutely,” he explained. “But we do work, in our fullest mission, that actually would be illegal for others. We do that in the performance of our intelligence and offensive activity.” [See accompanying box at end.]

“We know from experience our staff love the work they do because they can see they are part of an organisation that makes a difference. That is actually a value proposition that generally works well for us,” Burgess said.

“Having said that, I won't dismiss the actual challenges that the competition in the market place puts on our workforce, and in part again that’s why ASD became a statutory independent agency mdash; so we have some more flexibility outside of the public service framework to attract, recruit, train, retain our specialist staff,” he added. “We will make some steps in that regard, but we will not be fully competitive with the private sector mdash; but that doesn't worry me.”

The ASD is governed by the Public Governance, Performance and Accountability Act 2013, which puts an onus on all Commonwealth entities to meet high standards of governance, performance and accountability.

With the transition to independence there is a heightened focus on the ASD having in place, “the proper processes and practices and discipline around business management and governance,” Burgess said.

Hazel Bennett, formerly chief operating officer at the CSIRO, joined ASD in July as deputy director-general, corporate and capability.

In early August, the ASD began seeking executives to fill the ranks of its newly created Corporate Division, led by Bennett. “It really is putting the focus on the business management discipline, so we can run an effective enterprise to do the missions that we’re being required to deliver on,” Burgess said.

Partnerships

In addition to recruitment and retention, the ASD has put a premium on building partnerships. Its corporate plan states it will seek to nurture “strong partnerships with the Australian national security community, its overseas intelligence partners, academia and industry”.

“While these partnerships have always been important to ASD, the strategic environment’s complexity and rate of change demand closer integration and collaboration,” the document added.

In terms of partnership building, “the bulk of what you see publicly will be through the ACSC,” Burgess said. The director-general added: “You would not be surprised to learn that we have many bits the details of which remain classified, but they're not just government-to-government. They’re also with industry, where we tap into industry expertise, but we don't broadcast it.

“Partnerships are a central plank of our strategy that enables us to do our work. We can’t do our work without effective partnerships on many fronts.”

One non-classified example is the ASD’s collaboration with the Australian National University. The ASD revealed in 2016 it would invest $12 million to help fund a joint facility at the ANU Research School of Computer Science and Mathematical Sciences Institute.

“There is a new building that will be opened early next year that is primarily around mathematics and other aspects of data science,” Burgess said. “The application of that... will be classified but actually the collaboration is unclassified, because we recognise the smart people are actually out there in the real world, and we need to tap into them.”

From the DSB to the ASD

Life as an independent agency is a significant change for an organisation whose very existence was once a closely guarded secret.

The ASD’s origins can be traced back to the Defence Signals Bureau, which began operations in November 1947. But the DSB (later: the Defence Signals Branch; later still: the Defence Signals Division) had roots that stretched back even earlier, to the Second World War signals intelligence units that supported the South-West Pacific campaign by decoding Japanese radio signals.

It was only in 1977 that Prime Minister Malcolm Fraser publicly acknowledged the existence of the Defence Signals Division, announcing that it would be “restyled” as the Defence Signals Directorate to reflect the “enhanced status” the 1974-77 Hope Royal Commission on Intelligence and Security recommended be accorded to it.

In his ministerial statement Fraser described the DSD as an “organisation concerned with radio, radar and other electronic emissions from the standpoint both of the information and the intelligence that they can provide and of the security of our own government communications and electronic emissions.”

Although the SIGINT role of the organisation has remained a constant, the growing importance of information security to government has seen “cyber” offence and defence increasingly become a key function of the ASD.

The information security role of the DSD expanded in a “dramatic” fashion in the 2000s, according to the ASD’s own summary of its history.

In 2009, a Defence White Paper said that the federal government had “decided to invest in a major enhancement of Defence's cyber warfare capability.” “A comprehensive range of expanded and new capabilities will maximise Australia's strategic capacity and reach in this field,” the paper stated.

Although many of those capabilities were “highly classified” they would include a “much-enhanced cyber situational awareness and incident response capability, and the establishment of a Cyber Security Operations Centre to coordinate responses to incidents in cyberspace.”

The CSOC would include a continuously staffed watch office and an analysis team. It would sit within the DSD, which, the white paper noted, already possessed “significant cybersecurity expertise”.

Although CSOC would sit within Defence and “be available to provide cyber warfare support” to Australian Defence Force operations, it would “be purpose-designed to serve broader national security goals”.

Those national security goals included assisting response to cyber incidents across government as well as critical private sector systems and infrastructure.

The CSOC was officially launched in early 2010.

A 2013 Defence White Paper revealed that the DSD would be renamed the Australian Signals Directorate, reflecting the national role that the organisation was playing in support of Australia’s security.

In January 2013 Prime Minister Julia Gillard announced that the government would launch the Australian Cyber Security Centre (ACSC). The ACSC, which launched in November 2014, was effectively an evolution of CSOC and alongside the ASD’s extensive cyber capabilities drew together the expertise of the Defence Intelligence Organisation, ASDIO, the CERT Australia, the Australian Federal Police, and the Australian Crime Commission (ACC).

The aim, the 2013 Defence White Paper said, was to “facilitate faster and more effective responses to serious cyber incidents, and provide a comprehensive understanding of the threat to Australian Government networks and systems of national interest.”

Independence day

Prime Minister Malcolm Turnbull in November 2016 announced that Michael L’Estrange and Stephen Merchant would conduct an independent review of the Australian intelligence community.

The government in July 2017 released the unclassified version of the L’Estrange Review, and included within it was a recommendation for a “significant change to the structure of the intelligence community in regard to the Australian Signals Directorate”.

Some 13 years earlier the Report of the Inquiry into Australian Intelligence Agencies (the ‘Flood Report’) had rejected any move to transform the ASD, still at that time named DSD, into an independent statutory authority. The Flood Report noted the inquiry had received a “small number of representations” calling for a change to the DSD in recognition of “its significance as a national asset and its powerful intelligence gather capabilities”.

Those views were “very much in the minority” and the 2004 report argued that the organisation was “appropriately positioned in Defence,” citing in particular the importance of the DSD’s SIGINT role to military operations.

The L’Estrange Review concluded, however, that the ASD’s “roles, responsibilities and interactions within government and with the non-government sector” had “broadened considerably since 2004”.

“In these new circumstances, our view is ASD would be better able to fulfil its vital responsibilities to the ADF, and would more effectively carry out its broader national role, through a structure that provides it with more autonomy within the Defence portfolio,” the report said.

“In our view, ASD will be better placed if it remains in the Defence portfolio but if it is in a position to operate with greater independence from the Department’s requirements, especially those in relation to its capacity to recruit, retain, train, develop and remunerate its specialist staff,” it added.

Continuing to operate within the Department of Defence’s employment framework would increase the risk of the ASD “losing additional critical talent, skills and capabilities”.

Before the enabling legislation was passed, the ASD sat within the Department of Defence with its director reporting to the defence minister through a deputy secretary and the department’s secretary.

“Given its increased national responsibilities especially in relation to cyber security and also mindful of the critical operational capabilities it provides to the Australian Defence Force (ADF), we recommend that ASD become a statutory authority within the Defence portfolio,” the L’Estrange Review said.

The head of the ASD should be appointed at a level of seniority equivalent to the directors-general of ASIO and the Australian Secret Intelligence Service, the review recommended.

Legislation should reaffirm the ASD’s role in supporting the ADF, the review added, but also “explicitly recognise its national responsibilities for cyber security, including the provision of advice to the private sector, and that it take formal responsibility for the Australian Cyber Security Centre”.

The review noted that Australian intelligence agencies were faced by a “range of challenges relating to the recruitment, retention, career management and training of their workforces”.

“These challenges derive partly from the rapid evolution of technology, the demand for technological expertise in the private sector and the long lead times in security clearance processes,” the review said.

“They also reflect the pressures on staff numbers as well as work cultures, career structures and public sector remuneration practices.”

Those challenges are particularly acute for those organisations, such as the ASD, “where highly specialised and technologically expert workforces are involved”.