Risky Business - Feature interview: ASIO Director General Mike Burgess on encryption and access
Episode Date: August 26, 2024
Mike Burgess is the director general of ASIO. But the thing about Mike is he’s actually a cybersecurity guy. He joined ASD, Australia’s NSA, back in 1995 when it was... still the Defence Signals Directorate. He was there for 18 years before he bounced out to the private sector for a while to work as the CISO for Australia’s largest telco, Telstra. In 2017 he returned to ASD to run it, and in 2019 he was appointed director general of ASIO. Back in April, Burgess made a series of comments on the topic of encrypted messaging during a Press Club speech in Canberra. Our right to privacy, he said, is not absolute, and he implied that if certain providers didn’t start helping Australian authorities out a little more, he’d use some of the provisions in Australia’s Assistance and Access bill to force them to provide access to certain content. So I reached out to organise this interview to get some more detail from him about exactly what sort of cooperation he’s seeking and why.
Transcript
Hey everyone and welcome to this special feature interview. My name's Patrick Gray.
What you're about to hear is an interview I did last Thursday with the Director-General of ASIO, Australia's domestic intelligence agency.
But before I get going, I realise that most people, in fact, listening to this interview are not going to be from Australia. So very
briefly, I'm going to explain what ASIO, the Australian Security Intelligence Organization,
actually is. So basically, ASIO has two roles. It counters foreign threats within Australian
borders, like espionage, state-sponsored stuff, but it also does counterterrorism work. In the USA, these functions are fulfilled by the FBI, but here it's ASIO.
But unlike the FBI, ASIO officers don't carry guns.
If they need to kick some doors down, they rely on federal and state police services for that.
And they also have a counterterrorism responsibility as well.
So that's the gist.
ASIO, a domestic-focused intelligence organisation,
you know, tracking foreign spies and terrorist organisations
and sometimes individuals as well.
Mike Burgess is the Director-General of ASIO.
He's five years into that role
and has just been reconfirmed for another five-year term.
But the thing about Mike is he's actually a cyber security guy. He
joined ASD, which is our NSA, back in 1995 when it was still the Defence Signals Directorate.
He was there for 18 years before he bounced out to the private sector for a while,
even working as the CISO for Australia's largest telco, Telstra.
And he did some consulting around that time as well.
In 2017, he returned to ASD to run it,
and in 2019, he was appointed the Director General of ASIO.
So, why am I interviewing him now?
Back in April, Mike made a series of comments on the topic of encrypted messaging during a press club speech.
Our right to privacy, he said, is not
absolute. And he implied that if certain providers didn't start helping Australian authorities out
just a little bit more, he would activate some of the provisions in Australia's assistance and
access bill to force them to provide technical capabilities that would allow them access to
certain content. So I reached out to organise this interview, and it did take months to get some time with him.
But the idea is I really just wanted to get some more detail from him about exactly what sort of cooperation he's seeking and why.
As you'll hear, the thing that seems to be irritating him is certain messaging providers not helping ASIO access
content like group chats where violent acts are being planned. ASIO can still get the material
it needs, but to do so it needs to expend considerable human resources or use expensive
implants to get that job done when really providers could help out when ASIO has already shown that they're
trying to access this material on solid grounds. He argues that's a problem. Funnily enough, I
mentioned Telegram's impunity in this interview. And then two days later, Pavel Durov, who is
Telegram's founder, got arrested in France on charges relating to all of the crime and CSAM
stuff that happens on the app. Not so much, you know, arrested over a failure to provide access.
But yeah, it's still amazing timing.
But I'll drop you in here where Mike talks a bit about the history of wiretapping.
I do hope you enjoy this interview.
And a quick note, I couldn't post this one to YouTube
because images of the room where Mike was when we did this interview
can't be published for security reasons. So this is an audio only interview. But yeah, here is Mike Burgess.
So long before the internet, and even when the internet started, because I realize it goes back a fair way now,
there was a world of telephone systems. So circuit switch, telephone networks, copper wires,
principally coax cables, then along
came satellite links well before fibre optics came along. In that world, under law, it was
always permissible to do interception, put crocodile clips or alligator clips, depending
on your religion of animal, on the wires, record that, listening to calls, under warrant.
Of course, there are many other things that could be called out of that access: who's calling who on the telephone, who's faxing who on which fax machine. All of that was accessible under law.
Now we've moved to a digital world, from circuit switch to packet switch, IP networks. Telephony is different. We're now in the world of the internet and the richness and strength and benefits that gives us. The way people communicate is completely different too from when the phone was attached to the wall via some copper wires. Lawful requirements still to access when we
have a warrant. We still want to get access to communications. Of course, we've lived in a world
where everything's connected. Privacy is important. Security is important. And there has been a rush, in a good way, to make it, by design, impossible for those providers
to provide us lawful access to the communications of an individual that we have a warrant for.
So there's the difference.
There's the challenge.
I would hope most of your audience would recognise we live in a country where rule of law and
privacy is lost when you're committing a crime or you're actively engaged in a
threat to security. Of course the warrants get provided to telephone networks, they can give us
the bit pipes but they don't control the communications like they used to. We need
cooperation from industry to have lawful access which is targeted and proportionate. It is not about
breaking the internet or putting in place vulnerabilities that criminals or other
nation states could randomly exploit at scale. So the world has changed. The laws in this country
are sufficient. So to be clear also I'm not asking for a change of law. I'm asking for those message
providers, the big tech companies,
to cooperate with us to find a way to do it securely, not break the internet.
Now, of course, we have legislation in place, the Assistance and Access Bill of 2018,
you know, passed. It was controversial in some circles at the time because,
you know, it certainly gives the government a lot of leeway in terms of the types of, you know, capabilities that it can demand technology providers engineer
into their products. That said, so far, the way that bill has been used, and we know this thanks
to reporting and oversight on those powers, and we also know thanks to freedom of information
requests that have shown us the law enforcement guides that have been distributed to law enforcement agencies and intelligence
agencies in Australia which instruct them on what they can and can't do under the Act,
we know that it's been on the pretty tame side, right? You seemed to be intimating during your
press club remarks that this was going to change and that indeed maybe even a technical capability notice had
been issued under the Act. Is that the case? Have we actually got to the point where some of the
more powerful parts of that Act are about to be put to use?
I'm only going to speak for my agency here. I wouldn't speak for our law enforcement colleagues.
That's a matter for them. But from my agency's point of view, and I'm on the public record of saying it's almost all of our targets that we have now are using messaging apps or platforms which have end-to-end encryption, which makes that straight readability from interception much more difficult. It's worse than that when we have violent extremists sitting in chat groups,
actually exchanging material on how to kill people or disrupt the power grid, for example.
We can't get access to that through interception means, and we have to spend a whole lot of other
effort going elsewhere. That is a reality of the world, I agree. We still need effective interception.
So yes, my organization will be using the law to try and get help from companies that
are not choosing to help us at this stage.
We will do that in private with the companies.
Their response is a matter for them and their lawyers.
What happens next, we'll take it from there.
And that's not to be critical of anyone.
That's just we've got the laws and we must use them because the circumstance of our threat environment is such
I'm compelled to give it a go.
If I can't get cooperation, then that's a matter
that we will then decide next steps with the government.
So I'd imagine in the case of chat groups,
the alternative way there would be more along the lines of a human sort of infiltration into that,
into those sorts of groups. I mean, that might be what someone listening to this might think,
which is, well, hey, can't you do some shoe leather, you know, intelligence work and
get yourself into those circles of trust another way? I mean, that's sort of what has,
what a lot of agencies have had to do,
isn't it, over the last sort of five years as more and more of this stuff gets harder to intercept?
I'm very happy to acknowledge that getting a human source or getting a source in close to the people
that are talking is actually a viable means, but you'd appreciate that is actually not as easy as
it sounds. I know people will like to watch the movies and things.
In a matter of minutes, you can get a human source in place.
So yes, it's one possibility.
It's not the most effective possibility.
And we are in a threat environment now where people are going to violence
with little or no warning and little or no planning.
You can't rely on that.
And we've had cases where it's just a matter of luck, not
our good work, where people have actually not been killed. We know this is going to
happen, and come a Royal Commission, I can guarantee you it's going to find "if only the
agencies had the cooperation of these platforms or these providers" will be a recommendation.
We need a range of methods. And again, to remind people here,
we're not asking for mass surveillance,
we're asking for targeted or proportionate assistance,
where we have a case that is justifiable
to an authorising officer, in our case, the Attorney General,
to get that level of intrusion.
We just need the cooperation.
So I'd argue the case is there
to have more than one way of doing it, because in this
threat environment, our country needs it.
Okay.
So speaking on that, okay, when I think about companies that have a presence here, you might
look at your Facebooks, you might look at your Apples and these type of companies.
Sure, they have a presence in Australia.
What about some of these platforms, Telegram, Signal?
They're not based here. We don't
really have that much leverage. We've got limited leverage on American companies and next to zero
leverage over some of these other platforms. So, I mean, how do you even begin to even start
planning how you could deal with an issue like that and try to get the sort of access that you
want? Yeah. Yes, I agree with your premise there. There are some companies that are not Australian or
based in Australia that allows us to have direct legal reach. Of course, we do have arrangements
in place with the United States government that allows our lawful access request to be recognised
in the US system. Obviously, the details of how that's done,
I leave to our US friends and others. And yes, there are countries which are not in that position.
You'd appreciate, or I'd acknowledge that's a much more difficult issue. Got to start with
what we can do and who we can talk to, because we're seeing these extremists and these spies
using systems where we do have
legal ability to have this conversation. But I recognize there are other areas where that's
more difficult that shouldn't stop us from doing this. I mean, I suppose one of the reasons I asked
that question is I've always felt that ultimately where an agency like yours will get the best
results is by going after the platform vendors. In this case that would mostly be Apple and Google, makers of the
Android and iOS because that gets you to the operating system which gets
you to everything on the device. Yet when we first started speaking you were
very much couching this in terms of speaking to the messaging
platforms not so much the device and operating system vendors.
Yeah, that's a good call out, Patrick. I see where you're going with that one. So let me
give you a little bit more colour to that because yes, that is one way of doing it.
But I come back to, we're Australia's security service, subject to law, subject to significant
oversight, which is the equivalent of a full-time Royal Commission viewing everything we do, which is appropriate, no complaints. If you were to take the approach of
get the cooperation of the mobile device providers to get into the kernel,
that's where we start getting into a position, which even I'm prepared to admit to your audience,
is that gives you access to everything. I'm not asking for that because I do
recognize my workforce would recognize they love living in a country where you do have a right to
privacy unless of course you're breaking the law. That starts to get to a more difficult position of
you know people in your audience group saying hang on sec, what else can they get access to?
And how do we be assured they're not getting access only to the communications they seek?
Because I'd also acknowledge, you know, companies like Apple and others are quite right to point out
the world is different to the alligator clip example I gave earlier. When you get access to
a phone these days, you're not just getting access
to two people talking to each other, you're getting a person's life in a very rich kind of
way. I'm up for that debate about in the law being specific and open about what we're after
so people can be clear that we don't have legal ability to get other stuff that they might think
you'd get if you had full access to an operating system.
So what's the mechanism then?
Say we're talking about a group of violent extremists who are planning violent acts over
something like a Signal group chat.
Unless you're getting the cooperation of either the platform vendor or Signal themselves,
you're not really going to get anywhere with that, right? So this all becomes a case of what's the chain of action that eventually results in this access?
And, you know, both from a technical point of view and also from a legislative point of view,
because frankly, I mean, I just don't see it, right? And that's why I'm curious when you come
out and you talk about this sort of access to various messaging platforms, I can think of some where I can envisage the chain.
In the case of an organization like Meta running WhatsApp, I could see how under the current laws and through various means you might be able to get somewhere on that.
But when it comes to the other things, again, Telegram, Signal, apps like that, I mean, what is the chain of action that results in you getting what you want here? Well, you kind of asked me to give
away a lot of our secret sauce, and I won't do that in full detail, other than the generic level
in which you said. So you're absolutely right in the case of Signal example. You're either
at the corporation Signal or you're on the device. Yes, I could acknowledge to your audience,
we have the legal ability to get a computer access warrant that allows us to get on a device.
One of the benefits, though, of advances in security, that is getting harder. That is a
good thing for our society, that actually the security of these devices is getting harder. Of
course, I still have legal ability to seek a warrant for
computer access, including a mobile device, and we do invest in capabilities to do that.
I guess my question was more about under the sort of AA bill paradigm, right? What is the
legal process that would result in them being more cooperative, rather than the current status,
which is that you're going to need to spend a gargantuan amount of taxpayer money to get access to those devices. You know, the AA bill
and some of the provisions in it are much more about, you know, forcing essentially some of
these vendors to do more cooperation. I'm just wondering how a legal framework like that could
be used when we're talking about, you know, apps that are based outside our jurisdiction and are indeed pretty
hostile to, you know, the United States legal system as well. Well, for some apps, it does
allow us to use that legal process. And, you know, they might see it as forcing. I'd see it as,
if you're operating in this country, you're subject to the rule of the laws of this land,
and you should comply with the rules of the law of this land. If you don't want to,
you don't; you have a right not to operate in this land.
Now, that gets us into a whole different world of censorship
of which apps you can run in a country,
and it's something really I'd hope we would avoid
because that's kind of not really a good answer, is it?
Well, this is why I was asking about Signal,
because they do not have operations here,
yet millions, presumably, of Australians use this application. So that's why I was just wondering how something, even like the AA bill, if you were
to exercise all of the powers within it, would it even help? What would be the steps?
So I'd recognise, Patrick, there'll be cases where the laws won't help us. And then that allows me to
have a conversation with governments about, well, that's not going to help me in these cases. Some of those will be companies like Signal that you quite rightly argue we're not going to
have success with. Some of them are companies we might be able to. It's up to them whether they
choose to operate within the law in Australia. Then there's a private conversation I would have
with government about, well, what do we need or what are we prepared to live without?
I believe I've got a strong case to maintain a capability in this space and you hit the
nail on the head, because one alternative is if we don't get the cooperation of companies,
then we will get increased investments, which allows us to work around them.
I think that will be a waste of taxpayers' money
and I'm looking for help. I recognise some companies won't want to help us.
That's one of the kind of beautiful dilemmas of the internet and all its benefits. With those
great benefits come some great downsides and that's where all us Australians who vote and
elect members of parliament get to have a say and our politicians get to have a say about how this should work and what investments my agency should get. So I'm not looking for a fight,
I'm looking for cooperation. I recognise some companies won't cooperate, then that allows me
to have a conversation with government about what else we might need to continue to have the right
capability to address the threats we're dealing with,
which is my job.
Are you surprised that there hasn't been a similar legislative push in the United States?
Because I think it's reasonable for people to point to Australia and say, okay, you've
passed this bill that allows you to effectively coerce various technology companies into doing
things, even though they're based in the United States. They might have a presence here, but
that's essentially what the bill does. And there's no similar legislation in the country where these
technology firms tend to be. What's your response to people pointing that out?
Yeah, it's a correct thing to point out. I would encourage them, though, to think about it in terms of every country, depending on their situation,
will have their own way of approaching this problem.
The United States, I recognise, is a centre of technical excellence
and some of our big tech companies that we all know and love
are actually US-based companies
and the US government and law enforcement and intelligence
will deal with them in the way they choose to within their own country's national interests.
Some of that may not play out in public.
We just have to accept that.
So we'll each have a different approach, just like China has a different approach.
Because if any of us on this podcast would think the Chinese government doesn't have
full access to every
encrypted messaging app operating in China. You're kidding yourselves. People might want to reflect
on that for a moment as well. But then each country will do it its own way and set its own
condition. So yes, Australia is different to the US and different to the UK, although we're a lot
similar. How we choose to prosecute this is different. As the head of the
security service, I went to the press club with Reece Kershaw, the Commissioner of the Australian
Federal Police, to present a case. We're looking for cooperation from companies. I've had a couple
of them start to talk to us. That's a positive because talking is a good place to be. Of course, if I get to a legal impediment or no cooperation, what happens next?
Might be a matter for courts, although I don't think I'd go there.
It's a matter for me as the head of the service to discuss with government what I might need
if I can't get what I want or what they're prepared to accept if I can't get what I want. Do you think perhaps Australia's status as somewhat of a middle power is significant at all
in all of this? Because I've always thought that, okay, while Australia doesn't have the leverage
over the US technology sector that the US does, it seems that at least it's a respected jurisdiction
and that things that happen here, other countries might look at it and say, well, gee, we might want to do that as well.
And you might start to see, I mean, indeed, we've seen, you know, similar proposals in the United Kingdom.
I'm unsure of the status of them, to be honest.
I can't remember.
But, you know, do we think that it's like we do this and in the hope that others will join us?
There is part of that.
I think we're doing it first and foremost for our own national interests. I recognise sometimes we do things like the 5G decision that then kind of had
a similar influence in other countries, but we didn't do it for that. We did it for managing
our own national interests, just as we're doing here. The UK actually have some very
good laws in place in this regard that actually give them some levers to pull on cooperation.
Best left for the UK to explain how they choose to use that or not.
I do think we have influence, but we're doing this for our national interest because our job is to protect Australia and Australians from threats to security.
And part of how we do that is through use of intrusive powers,
including interception and computer access warrants.
The best way we do that is with cooperation with the private sector under law, under warranted
authorisation, and with substantial oversight to make sure we're not doing the wrong thing
by the people we protect. I mean, one thing to point out about the AA bill is one of the reasons
it exists was to allow the companies to cooperate in the first place in ways that were previously
somewhat problematic. I mean, I think that's an aspect of the bill that's lost on some
people who've commented on it. Yeah, absolutely. And whilst I could be critical of that, I don't
want to be because that debate is a great thing about our country that people can actually freely
challenge the government and the security service about what we want and have a sensible debate, as opposed to people saying the internet
would break and Australian companies would go bankrupt.
None of that happened as a result of that law being passed.
Now, you've alluded to it several times at the Press Club and through this interview
that the reason you're having this conversation now, some six years after the AA bill was
passed, is because
of changes to the threat environment. I mean, is that the case? Is it the changes to the threat
environment or the uptake of this type of encrypted messaging, or is it both? Can you apportion this
more to one or the other, or what's your thinking there? It is actually both. We've always had a
threat environment, but there's an uptick in that across the board
of espionage, foreign interference, and politically motivated violence.
And there has been, as you'd expect, a natural uptake of end-to-end encryption.
Not because people have gone out and said, I must use that.
It's embedded more and more in the everyday things they've been using over the last seven
years.
So it's a natural progression done primarily for good reasons,
but it's having an impact on us at a time when our threat environment is where it's at.
And listeners here shouldn't assume we've not been successful. Yes, we've had some great successes,
but some of that work required to do it is actually highly inefficient, which means we're
not putting our resources across
everywhere else where we might get a benefit, and therefore where the risks we take as a country
are increased in my mind. Okay. Now, would you expect, and I know that this is a difficult
question for you, but I would still like your opinion on this. Would you expect that we might see similar moves in the United States from the authorities there,
like the FBI, to get more cooperation
out of the tech sector?
Because it seems like that relationship is,
at least for a large portion of the US tech sector,
like that's a pretty broken relationship.
We can thank certain intelligence leaks from 2013 for that. But would you expect
that there's going to be some movement on that? Because we have been hearing for a very long time
now that going dark is a very big problem for law enforcement, a very big problem for domestic
counterterrorism investigations and, you know, keeping the community safe. And yet we have not
seen any movement there. I mean, I don't know quite how to explain that myself. I just
wondered if you had some thoughts on it you could share with us. It's another great question. I mean,
firstly, explain it. It's the United States of America, and much as I love them, how can you
explain that complex, rich, great mate of a society? They'll do their own way. Obviously,
I have to be respectful of our US counterparts because
they're very important partners. They are doing it their own way. It doesn't get much public fanfare.
You don't see public spats between the big tech companies and law enforcement and intelligence.
I think that's highly appropriate. They're having professional conversations, and
what they actually do day to day is not shared
with us, and I'm okay with that. So I think they'll found, they're finding their own way of doing it.
You're right to pull out the kind of, you know, the leaks of information that kind of questioned
cooperation between the private sector and governments. I think that's why oversight is
important. That's why I think the public debate on this matter is important. I'm not looking to do anything sly and sinister. I want to do this in the open in terms of transparency under law and acknowledgement that we're cooperating to provide great capabilities that protect the privacy of lawful citizens whilst allowing law enforcement and my service to have lawful access when the conditions
are right and justifiable to the appropriate officer and with oversight of a royal commission
standing on top of us. I think the conditions are right. I think the world has moved on since
those times. And I'm okay and comfortable that we're having this debate in public.
And you say you've spoken with these tech companies and they're actually communicating with you now.
Are they being receptive
or do you think you're going to need to break out
a technical capability notice
under the Assistance and Access Bill?
Some of them are being helpful.
Smaller number at this stage are not.
I will use the law to the full effect
to try and get what I need.
If I can't get it, then that's a
private conversation with government.
So until it becomes a court battle with someone trying to
fight a TCN, that is, I'd imagine...
Well, sure, and that is a matter for them, and if they choose to do it
that way, all power to them. They're allowed to do that under our law, and I'm not going to stop them
from doing that, and I will go in it with a justifiable position
from my point of view. Where the courts land is where the courts land. We'd respect that decision
and then I'd have private conversations with government. But at this stage you're telling
us that your agency has not issued a technical capability notice. I'm not going to comment on
that. I think I'm giving you a strong hint about what we will
be doing if we can't get the cooperation. And that's not me being funny, Patrick. I genuinely
think the first person should know that we're doing that should be the company that we've said,
we've got to this point, we'd like to serve you with this notice. I'd like that to be done
in private with them, not around them, because I don't think that's helpful. Because even though that might
be a difficult moment, I still want to be professional about these matters with these
companies out of respect for them. Okay. Well, I know we've got a hard stop in two minutes,
so I'm going to wrap it up there. Mike Burgess, thanks a lot for joining us to do this interview,
and I hope we can do it again one day. Thanks, Patrick. It's great to speak to you again.
That was Mike Burgess, the Director General of ASIO there.
So what do you think?
Is ASIO's position reasonable or should technology providers keep their hands off our bits?
As usual, you can yell at me for being a bootlicker on Mastodon. I'm riskybusiness at infosec.exchange, or on Xitter, where I'm just Risky Business, and
I look forward to your correspondence, and I hope you enjoyed listening to that interview.
But until next time, I've been Patrick Gray. Thanks for listening.