Risky Business - Feature interview: ASIO Director General Mike Burgess on encryption and access

Episode Date: August 26, 2024

Mike Burgess is the director general of ASIO. But the thing about Mike is he’s actually a cybersecurity guy. He joined ASD, Australia’s NSA, back in 1995 when it was... still the Defence Signals Directorate. He was there for 18 years before he bounced out to the private sector for a while to work as the CISO for Australia’s largest telco, Telstra. In 2017 he returned to ASD to run it, and in 2019 he was appointed director general of ASIO. Back in April, Burgess made a series of comments on the topic of encrypted messaging during a Press Club speech in Canberra. Our right to privacy, he said, is not absolute, and he implied that if certain providers didn’t start helping Australian authorities out a little more, he’d use some of the provisions in Australia’s Assistance and Access bill to force them to provide access to certain content. So I reached out to organise this interview to get some more detail from him about exactly what sort of cooperation he’s seeking and why.

Transcript
Starting point is 00:00:00 Hey everyone and welcome to this special feature interview. My name's Patrick Gray. What you're about to hear is an interview I did last Thursday with the Director-General of ASIO, Australia's domestic intelligence agency. But before I get going, I realise that most people, in fact, listening to this interview are not going to be from Australia. So very briefly, I'm going to explain what ASIO, the Australian Security Intelligence Organisation, actually is. So basically, ASIO has two roles. It counters foreign threats within Australian borders, like espionage, state-sponsored stuff, but it also does counterterrorism work. In the USA, these functions are fulfilled by the FBI, but here it's ASIO. But unlike the FBI, ASIO officers don't carry guns. If they need to kick some doors down, they rely on federal and state police services for that.
Starting point is 00:00:58 And they also have a counterterrorism responsibility as well. So that's the gist. ASIO, a domestic-focused intelligence organisation, you know, tracking foreign spies and terrorist organisations and sometimes individuals as well. Mike Burgess is the Director-General of ASIO. He's five years into that role and has just been reconfirmed for another five-year term.
Starting point is 00:01:22 But the thing about Mike is he's actually a cyber security guy. He joined ASD, which is our NSA, back in 1995 when it was still the Defence Signals Directorate. He was there for 18 years before he bounced out to the private sector for a while, even working as the CISO for Australia's largest telco, Telstra. And he did some consulting around that time as well. In 2017, he returned to ASD to run it, and in 2019, he was appointed the Director General of ASIO. So, why am I interviewing him now?
Starting point is 00:01:59 Back in April, Mike made a series of comments on the topic of encrypted messaging during a press club speech. Our right to privacy, he said, is not absolute. And he implied that if certain providers didn't start helping Australian authorities out just a little bit more, he would activate some of the provisions in Australia's Assistance and Access bill to force them to provide technical capabilities that would allow them access to certain content. So I reached out to organise this interview, and it did take months to get some time with him. But the idea is I really just wanted to get some more detail from him about exactly what sort of cooperation he's seeking and why. As you'll hear, the thing that seems to be irritating him is certain messaging providers not helping ASIO access
Starting point is 00:02:45 content like group chats where violent acts are being planned. ASIO can still get the material it needs, but to do so it needs to expend considerable human resources or use expensive implants to get that job done when really providers could help out when ASIO has already shown that they're trying to access this material on solid grounds. He argues that's a problem. Funnily enough, I mentioned Telegram's impunity in this interview. And then two days later, Pavel Durov, who is Telegram's founder, got arrested in France on charges relating to all of the crime and CSAM stuff that happens on the app. Not so much, you know, arrested over a failure to provide access. But yeah, it's still amazing timing.
Starting point is 00:03:30 But I'll drop you in here where Mike talks a bit about the history of wiretapping. I do hope you enjoy this interview. And a quick note, I couldn't post this one to YouTube because images of the room where Mike was when we did this interview can't be published for security reasons. So this is an audio only interview. But yeah, here is Mike Burgess. So long before the internet, and even when the internet started, because I realize it goes back a fair way now, there was a world of telephone systems. So circuit switch, telephone networks, copper wires, principally coax cables, then along
Starting point is 00:04:05 came satellite links well before fibre optics came along. In that world, under law, it was always permissible to do interception: put crocodile clips or alligator clips, depending on your religion of animal, on the wires, record that, listen to calls, under warrant. Of course, there are many other things that could be called out of that access: who's calling who on the telephone, who's faxing who on which fax machine. All of that was accessible under law. Now we've moved to a digital world, from circuit switch to packet switch. IP networks, telephony is different. We're now in the world of the internet and the richness
Starting point is 00:04:45 and strength and benefits that gives us. The way people communicate is completely different to when the phone was attached to the wall via some copper wires. Lawful requirements still to access when we have a warrant. We still want to get access to communications. Of course, we've lived in a world where everything's connected. Privacy is important. Security is important. And there has been a rush in a good way to makes it, by design, impossible for those providers to provide us lawful access to the communications of an individual that we have a warrant for. So there's the difference. There's the challenge. I would hope most of your audience would recognise we live in a country where rule of law and
Starting point is 00:05:42 privacy is lost when you're committing a crime or you're actively engaged in a threat to security. Of course the warrants get provided to telephone networks, they can give us the bit pipes but they don't control the communications like they used to. We need cooperation from industry to have lawful access which is targeted and proportionate. It is not about breaking the internet or putting in place vulnerabilities that criminals or other nation states could randomly exploit at scale. So the world has changed. The laws in this country are sufficient. So to be clear also I'm not asking for a change of law. I'm asking for those message providers, the big tech companies,
Starting point is 00:06:26 to cooperate with us to find a way to do it securely, not break the internet. Now, of course, we have legislation in place, the Assistance and Access Bill of 2018, you know, passed. It was controversial in some circles at the time because, you know, it certainly gives the government a lot of leeway in terms of the types of, you know, capabilities that it can demand technology providers engineer into their products. That said, so far, the way that bill has been used, and we know this thanks to reporting and oversight on those powers, and we also know thanks to freedom of information requests that have shown us the law enforcement guides that have been distributed to law enforcement agencies and intelligence agencies in Australia which instruct them on what they can and can't do under the Act,
Starting point is 00:07:13 we know that it's been on the pretty tame side, right? You seemed to be intimating during your press club remarks that this was going to change and that indeed maybe even a technical capability notice had been issued under the Act. Is that the case? Have we actually got to the point where some of the more powerful parts of that Act are about to be put to use? I'm only going to speak for my agency here. I wouldn't speak for our law enforcement colleagues. That's a matter for them. But from my agency's point of view, and I'm on the public record as saying it, almost all of our targets that we have now are using messaging apps or platforms which have end-to-end encryption, which makes that straight readability from interception much more difficult. It's worse than that when we have violent extremists sitting in chat groups, actually exchanging material on how to kill people or disrupt the power grid, for example. We can't get access to that through interception means, and we have to spend a whole lot of other
Starting point is 00:08:17 effort going elsewhere. That is a reality of the world, I agree. We still need effective interception. So yes, my organization will be using the law to try and get help from companies that are not choosing to help us at this stage. We will do that in private with the companies. Their response is a matter for them and their lawyers. What happens next, we'll take it from there. And that's not to be critical of anyone. That's just we've got the laws and we must use them because the circumstance of our threat environment is such
Starting point is 00:08:53 I'm compelled to give it a go. If I can't get cooperation, then that's a matter that we will then decide next steps with the government. So I'd imagine in the case of chat groups, the alternative way there would be more along the lines of a human sort of infiltration into that, into those sorts of groups. I mean, that might be what someone listening to this might think, which is, well, hey, can't you do some shoe leather, you know, intelligence work and get yourself into those circles of trust another way? I mean, that's sort of what has,
Starting point is 00:09:23 what a lot of agencies have had to do, isn't it, over the last sort of five years as more and more of this stuff gets harder to intercept? I'm very happy to acknowledge that getting a human source or getting a source in close to the people that are talking is actually a viable means, but you'd appreciate that is actually not as easy as it sounds. I know people will like to watch the movies and things. In a matter of minutes, you can get a human source in place. So yes, it's one possibility. It's not the most effective possibility.
Starting point is 00:09:53 And we are in a threat environment now where people are going to violence with little or no warning and little or no planning. You can't rely on that. And we've had cases where it's just a matter of luck, not our good work, where people have actually not been killed. We know this is going to happen and come a Royal Commission, I can guarantee you it's going to find if only the agencies had the cooperation of these platforms or these providers will be a recommendation. We need a range of methods. And again, to remind people here,
Starting point is 00:10:25 we're not asking for mass surveillance, we're asking for targeted or proportionate assistance, where we have a case that is justifiable to an authorising officer, in our case, the Attorney General, to get that level of intrusion. We just need the cooperation. So I'd argue the case is there to have more than one way of doing it, because in this
Starting point is 00:10:46 threat environment, our country needs it. Okay. So speaking on that, okay, when I think about companies that have a presence here, you might look at your Facebooks, you might look at your Apples and these type of companies. Sure, they have a presence in Australia. What about some of these platforms, Telegram, Signal? They're not based here. We don't really have that much leverage. We've got limited leverage on American companies and next to zero
Starting point is 00:11:12 leverage over some of these other platforms. So, I mean, how do you even begin to even start planning how you could deal with an issue like that and try to get the sort of access that you want? Yeah. Yes, I agree with your premise there. There are some companies that are not Australian or based in Australia that allows us to have direct legal reach. Of course, we do have arrangements in place with the United States government that allows our lawful access request to be recognised in the US system. Obviously, the details of how that's done, I leave to our US friends and others. And yes, there are countries which are not in that position. You'd appreciate, or I'd acknowledge that's a much more difficult issue. Got to start with
Starting point is 00:11:58 what we can do and who we can talk to, because we're seeing these extremists and these spies using systems where we do have legal ability to have this conversation. But I recognize there are other areas where that's more difficult that shouldn't stop us from doing this. I mean, I suppose one of the reasons I asked that question is I've always felt that ultimately where an agency like yours will get the best results is by going after the platform vendors. In this case that would mostly be Apple and Google, makers of the Android and iOS because that gets you to the operating system which gets you to everything on the device. Yet when we first started speaking you were
Starting point is 00:12:38 very much couching this in terms of speaking to the messaging platforms not so much the device and operating system vendors. Yeah, that's a good call out, Patrick. I see where you're going with that one. So let me give you a little bit more colour to that because yes, that is one way of doing it. But I come back to, we're Australia's security service, subject to law, subject to significant oversight, which is the equivalent of a full-time Royal Commission viewing everything we do, which is appropriate, no complaints. If you were to take the approach of get the cooperation of the mobile device providers to get into the kernel, that's where we start getting into a position, which even I'm prepared to admit to your audience,
Starting point is 00:13:20 is that gives you access to everything. I'm not asking for that because I do recognize my workforce would recognize they love living in a country where you do have a right to privacy unless of course you're breaking the law. That starts to get to a more difficult position of you know people in your audience group saying hang on sec, what else can they get access to? And how do we be assured they're not getting access only to the communications they seek? Because I'd also acknowledge, you know, companies like Apple and others are quite right to point out the world is different to the alligator clip example I gave earlier. When you get access to a phone these days, you're not just getting access
Starting point is 00:14:05 to two people talking to each other, you're getting a person's life in a very rich kind of way. I'm up for that debate about in the law being specific and open about what we're after so people can be clear that we don't have legal ability to get other stuff that they might think you'd get if you had full access to an operating system. So what's the mechanism then? Say we're talking about a group of violent extremists who are planning violent acts over something like a signal group chat. Unless you're getting the cooperation of either the platform vendor or Signal themselves,
Starting point is 00:14:43 you're not really going to get anywhere with that, right? So this all becomes a case of what's the chain of action that eventually results in this access? And, you know, both from a technical point of view and also from a legislative point of view, because frankly, I mean, I just don't see it, right? And that's why I'm curious when you come out and you talk about this sort of access to various messaging platforms, I can think of some where I can envisage the chain. In the case of an organization like Meta running WhatsApp, I could see how under the current laws and through various means you might be able to get somewhere on that. But when it comes to the other things, again, Telegram, Signal, apps like that, I mean, what is the chain of action that results in you getting what you want here? Well, you kind of asked me to give away a lot of our secret sauce, and I won't do that in full detail, other than the generic level in which you said. So you're absolutely right in the case of Signal example. You're either
Starting point is 00:15:38 at the corporation Signal or you're on the device. Yes, I could acknowledge to your audience, we have the legal ability to get a computer access warrant that allows us to get on a device. One of the benefits, though, of advances in security, that is getting harder. That is a good thing for our society, that actually the security of these devices is getting harder. Of course, I still have legal ability to seek a warrant for computer access, including a mobile device, and we do invest in capabilities to do that. I guess my question was more about under the sort of AA bill paradigm, right? What is the legal process that would result in them being more cooperative, rather than the current status,
Starting point is 00:16:23 which is that you're going to need to spend a gargantuan amount of taxpayer money to get access to those devices. You know, the AA bill and some of the provisions in it are much more about, you know, forcing essentially some of these vendors to do more cooperation. I'm just wondering how a legal framework like that could be used when we're talking about, you know, apps that are based outside our jurisdiction and are indeed pretty hostile to, you know, the United States legal system as well. Well, for some apps, it does allow us to use that legal process. And, you know, they might see it as forcing. I'd see it as, if you're operating in this country, you're subject to the rule of the laws of this land, and you should comply with the rules of the law of this land if you don't want to.
Starting point is 00:17:03 You don't, you have a right not to operate in this land. Now, that gets us into a whole different world of censorship of which apps you can run in a country, and it's something really I'd hope we would avoid because that's kind of not really a good answer, is it? Well, this is why I was asking about Signal, because they do not have operations here, yet millions, presumably, of Australians use this application. So that's why I was just wondering how something, even like the AA bill, if you were
Starting point is 00:17:29 to exercise all of the powers within it, would it even help? What would be the steps? So I'd recognise, Patrick, there'll be cases where the laws won't help us. And then that allows me to have a conversation with governments about, well, that's not going to help me in these cases. Some of those will be companies like Signal that you quite rightly argue we're not going to have success with. Some of them are companies we might be able to. It's up to them whether they choose to operate within the law in Australia. Then there's a private conversation I would have with government about, well, what do we need or what are we prepared to live without? I believe I've got a strong case to maintain a capability in this space and you hit the nail on the head because one alternative is if we don't get the cooperation of companies,
Starting point is 00:18:18 then we will get increased investments, which allows us to work around them. I think that will be a waste of taxpayers' money and I'm looking for help. I recognise some companies won't want to help us. That's one of the kind of beautiful dilemmas of the internet and all its benefits. With those great benefits come some great downsides and that's where all us Australians who vote and elect members of parliament get to have a say and our politicians get to have a say about how this should work and what investments my agency should get. So I'm not looking for a fight, I'm looking for cooperation. I recognise some companies won't cooperate, then that allows me to have a conversation with government about what else we might need to continue to have the right
Starting point is 00:19:02 capability to address the threats we're dealing with, which is my job. Are you surprised that there hasn't been a similar legislative push in the United States? Because I think it's reasonable for people to point to Australia and say, okay, you've passed this bill that allows you to effectively coerce various technology companies into doing things, even though they're based in the United States. They might have a presence here, but that's essentially what the bill does. And there's no similar legislation in the country where these technology firms tend to be. What's your response to people pointing that out?
Starting point is 00:19:39 Yeah, it's a correct thing to point out. I would encourage them, though, to think about it in terms of every country, depending on their situation, will have their own way of approaching this problem. The United States, I recognise, is a centre of technical excellence and some of our big tech companies that we all know and love are actually US-based companies and the US government and law enforcement and intelligence will deal with them in the way they choose to within their own country's national interests. Some of that may not play out in public.
Starting point is 00:20:10 We just have to accept that. So we'll each have a different approach, just like China has a different approach. Because if any of us on this podcast would think the Chinese government doesn't have full access to every encrypted messaging app operating in China, you're kidding yourselves. People might want to reflect on that for a moment as well. But then each country will do it its own way and set its own condition. So yes, Australia is different to the US and different to the UK, although we're a lot similar. How we choose to prosecute this is different. As the head of the
Starting point is 00:20:45 security service, I went to the press club with Reece Kershaw, the Commissioner of the Australian Federal Police, to present a case. We're looking for cooperation from companies. I've had a couple of them start to talk to us. That's a positive because talking is a good place to be. Of course, if I get to a legal impediment or no cooperation, what happens next? Might be a matter for courts, although I don't think I'd go there. It's a matter for me as the head of the service to discuss with government what I might need if I can't get what I want or what they're prepared to accept if I can't get what I want. Do you think perhaps Australia's status as somewhat of a middle power is significant at all in all of this? Because I've always thought that, okay, while Australia doesn't have the leverage over the US technology sector that the US does, it seems that at least it's a respected jurisdiction
Starting point is 00:21:41 and that things that happen here, other countries might look at it and say, well, gee, we might want to do that as well. And you might start to see, I mean, indeed, we've seen, you know, similar proposals in the United Kingdom. I'm unsure of the status of them, to be honest. I can't remember. But, you know, do we think that it's like we do this and in the hope that others will join us? There is part of that. I think we're doing it first and foremost for our own national interests. I recognise sometimes we do things like the 5G decision that then kind of had a similar influence in other countries, but we didn't do it for that. We did it for managing
Starting point is 00:22:14 our own national interests, just as we're doing here. The UK actually have some very good laws in place in this regard that actually give them some levers to pull on cooperation. Best left for the UK to explain how they choose to use that or not. I do think we have influence, but we're doing this for our national interest because our job is to protect Australia and Australians with threats to security. And part of how we do that is through use of intrusive powers, including interception and computer access warrants. The best way we do that is with cooperation with the private sector under law, under warranted authorisation, and with substantial oversight to make sure we're not doing the wrong thing
Starting point is 00:22:55 by the people we protect. I mean, one thing to point out about the AA bill is one of the reasons it exists was to allow the companies to cooperate in the first place in ways that were previously somewhat problematic. I mean, I think that's an aspect of the bill that's lost on some people who've commented on it. Yeah, absolutely. And whilst I could be critical of that, I don't want to be because that debate is a great thing about our country that people can actually freely challenge the government and the security service about what we want and have a sensible debate, as opposed to people saying the internet would break and Australian companies would go bankrupt. None of that happened as a result of that law being passed.
Starting point is 00:23:35 Now, you've alluded to it several times at the Press Club and through this interview that the reason you're having this conversation now, some six years after the AA bill was passed, is because of changes to the threat environment. I mean, is that the case? Is it the changes to the threat environment or the uptake of this type of encrypted messaging, or is it both? Can you apportion this more to one or the other, or what's your thinking there? It is actually both. We've always had a threat environment, but there's an uptick in that across the board of espionage, foreign interference, and politically motivated violence.
Starting point is 00:24:10 And there has been, as you'd expect, a natural uptake of end-to-end encryption. Not because people have gone out and said, I must use that. It's embedded more and more in the everyday things they've been using over the last seven years. So it's a natural progression done primarily for good reasons, but it's having an impact on us at a time when our threat environment is where it's at. And listeners here shouldn't assume we've not been successful. Yes, we've had some great successes, but some of that work required to do it is actually highly inefficient, which means we're
Starting point is 00:24:44 not putting our resources across everywhere else where we might get a benefit, and therefore where the risks we take as a country are increased in my mind. Okay. Now, would you expect, and I know that this is a difficult question for you, but I would still like your opinion on this. Would you expect that we might see similar moves in the United States from the authorities there, like the FBI, to get more cooperation out of the tech sector? Because it seems like that relationship is, at least for a large portion of the US tech sector,
Starting point is 00:25:19 like that's a pretty broken relationship. We can thank certain intelligence leaks from 2013 for that. But would you expect that there's going to be some movement on that? Because we have been hearing for a very long time now that going dark is a very big problem for law enforcement, a very big problem for domestic counterterrorism investigations and, you know, keeping the community safe. And yet we have not seen any movement there. I mean, I don't know quite how to explain that myself. I just wondered if you had some thoughts on it you could share with us. It's another great question. I mean, firstly, explain it. It's the United States of America, and much as I love them, how can you
Starting point is 00:25:55 explain that complex, rich, great mate of a society? They'll do their own way. Obviously, I have to be respectful of our US counterparts because they're very important partners. They are doing it their own way. It doesn't get much public fanfare. You don't see public spats between the big tech companies and law enforcement and intelligence. I think that's highly appropriate. They're having professional conversations, and what they actually do day to day is not shared with us, and I'm okay with that. So I think they're finding their own way of doing it. You're right to pull out the kind of, you know, the leaks of information that kind of questioned
Starting point is 00:26:37 cooperation between the private sector and governments. I think that's why oversight is important. That's why I think the public debate on this matter is important. I'm not looking to do anything sly and sinister. I want to do this in the open in terms of transparency under law and acknowledgement that we're cooperating to provide great capabilities that protect the privacy of lawful citizens whilst allowing law enforcement and my service to have lawful access when the conditions are right and justifiable to the appropriate officer and with oversight of a royal commission standing on top of us. I think the conditions are right. I think the world has moved on since those times. And I'm okay and comfortable that we're having this debate in public. And you say you've spoken with these tech companies and they're actually communicating with you now. Are they being receptive or do you think you're going to need to break out
Starting point is 00:27:30 a technical capability notice under the Assistance and Access Bill? Some of them are being helpful. Smaller number at this stage are not. I will use the law to the full effect to try and get what I need. If I can't get it, then that's a private conversation with government. So until it becomes a court battle with someone trying to
Starting point is 00:27:52 fight a TCN, that is, I'd imagine. Well, sure, and that is a matter for them, and if they choose to do it that way, all power to them. They're allowed to do that under our law, and I'm not going to stop them from doing that, and I will go in it with a justifiable position from my point of view. Where the courts land is where the courts land. We'd respect that decision and then I'd have private conversations with government. But at this stage you're telling us that your agency has not issued a technical capability notice. I'm not going to comment on that. I think I'm giving you a strong hint about what we will be doing if we can't get the cooperation. And that's not me being funny, Patrick. I genuinely
Starting point is 00:28:30 think the first person should know that we're doing that should be the company that we've said, we've got to this point, we'd like to serve you with this notice. I'd like that to be done in private with them, not around them, because I don't think that's helpful. Because even though that might be a difficult moment, I still want to be professional about these matters with these companies out of respect for them. Okay. Well, I know we've got a hard stop in two minutes, so I'm going to wrap it up there. Mike Burgess, thanks a lot for joining us to do this interview, and I hope we can do it again one day. Thanks, Patrick. It's great to speak to you again. That was Mike Burgess, the Director General of ASIO there.
Starting point is 00:29:10 So what do you think? Is ASIO's position reasonable or should technology providers keep their hands off our bits? As usual, you can yell at me for being a bootlicker on Mastodon. I'm riskybusiness at infosec.exchange, or on zitter, where I'm just Risky Business, and I look forward to your correspondence. I hope you enjoyed listening to that interview. But until next time, I've been Patrick Gray. Thanks for listening.
