Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018

Bills Digest no. 94, 2017–18

Cat Barker
Foreign Affairs, Defence and Security Section
26 March 2018

Contents

Purpose of the Bill

Structure of the Bill

Background

Australian Signals Directorate
Australian Cyber Security Centre
Previous consideration of ASD’s place in the Australian Intelligence Community
2017 Independent Intelligence Review
Establishing ASD as a statutory agency
Cybersecurity

Committee consideration

Senate Foreign Affairs, Defence and Trade Legislation Committee
Senate Standing Committee for the Scrutiny of Bills

Policy position of non-government parties/independents

Position of major interest groups

Financial implications

Statement of Compatibility with Human Rights

Parliamentary Joint Committee on Human Rights

Key issues and provisions

Establishing ASD as a statutory authority
Establishment of ASD and the role of Director-General of ASD (proposed Part 3A and other items)
Staff of ASD (proposed Part 5A)
Additional and expanded functions
Cybercrime (new function)
Information security (expanded function)
Protecting specialised technologies (new function)
Related amendments (cybercrime and information security)
Assumed identities

More significant consequential amendments

Complaints to the Inspector-General of Intelligence and Security by ASD employees
Work Health and Safety Act 2011
Disclosure of Australian Communications and Media Authority information to ASD
Taxation Administration Act 1953

Date introduced:  15 February 2018
House:  House of Representatives
Portfolio:  Defence
Commencement: Sections 1–3 the day after Royal Assent; Schedule 1 on 1 July 2018.

Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website.

When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the Federal Register of Legislation website.

All hyperlinks in this Bills Digest are correct as at March 2018.

Purpose of the Bill

The purpose of the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018 (the Bill) is to amend the Intelligence Services Act 2001 (the IS Act) to:

  • establish the Australian Signals Directorate (ASD) as an independent statutory agency (reporting directly to the Minister for Defence)
  • include among ASD’s statutory functions:
    • prevention and disruption of cybercrime and
    • protection of specialised technologies acquired in connection with the performance of certain other functions
  • provide legislative authority for the ASD to provide material, advice and other assistance relating to cybersecurity to prescribed persons and bodies (in addition to Commonwealth and state and territory government authorities).

The Bill also includes consequential amendments and transitional provisions.

Structure of the Bill

The Bill is presented in a single Schedule of four Parts:

Background

The Bill will implement recommendations of the 2017 Independent Intelligence Review (2017 Review). Background on the ASD, previous consideration of its place in the Australian Intelligence Community, and the 2017 review and recommendations is set out below.

Australian Signals Directorate

ASD is one of the six agencies that currently comprise the Australian Intelligence Community (AIC).[2] The AIC includes the Australian Security Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS), the Office of National Assessments, and three agencies within the Department of Defence: ASD, the Australian Geospatial-Intelligence Organisation (AGO) and the Defence Intelligence Organisation (DIO).

The beginnings of ASD date to World War II, when Australian Navy, Army and Air Force personnel from units that had previously operated independently were brought together to intercept and decode Japanese radio signals.[3] The Defence Signals Bureau commenced in 1947, its role being to ‘exploit foreign communications and be responsible for communications security in the armed services and government departments’.[4] The agency now known as ASD has evolved significantly since then, most recently to respond to the growth of the internet and associated threats to cybersecurity. ASD currently has two main sets of responsibilities:

  • signals intelligence—collecting, analysing and providing foreign signals intelligence to the Australian Defence Force and the Government to support military and strategic decision-making and
  • information security—providing advice and assistance to Australian governments, developing a better understanding of sophisticated cyber threats, and coordinating and assisting operational responses to cyber incidents of national importance.[5]

ASD’s functions were first legislated in 2001 with the enactment of the IS Act. While it has distinct statutory functions, ASD has remained part of the Department of Defence and its Director reports to the Minister for Defence through the Deputy Secretary Strategic Policy and Intelligence and the Secretary of the Department.[6]

Australian Cyber Security Centre

In January 2010, the Cyber Security Operations Centre (CSOC) was established in the Defence Signals Directorate (DSD, now ASD) to build a better understanding of threats associated with sophisticated cyber attacks and coordinate responses across the public and private sectors.[7] While it was housed in DSD, the CSOC also hosted liaison staff from other agencies and departments, including ASIO and the Australian Federal Police (AFP).[8] The CSOC became the Australian Cyber Security Centre (ACSC) in November 2014.[9] The ACSC has a similar mandate to the CSOC, but with a greater emphasis on information sharing and collaboration, with the ACSC serving as a ‘hub for greater collaboration and information sharing with the private sector, state and territory governments, academia and international partners to combat the full range of cyber threats’.[10] It also brought the cybersecurity capabilities of all the contributing agencies (ASD, the Computer Emergency Response Team (part of the Attorney-General’s Department), AFP, the Australian Criminal Intelligence Commission (ACIC), ASIO and DIO) together in a single location.[11]

Previous consideration of ASD’s place in the Australian Intelligence Community

The 2004 Inquiry into Australian Intelligence Agencies completed by Phillip Flood considered whether DSD (as it then was) should remain part of the Department of Defence or be established as a separate agency. Flood considered that the case had not been made for change:

The Inquiry received a small number of representations that DSD should be established as a statutory body in recognition of its significance as a national asset and its powerful intelligence gathering capabilities. These views were very much in the minority, and the Inquiry concluded that DSD was appropriately positioned in Defence. The importance of sigint [signals intelligence] support to military operations and the necessity of maintaining the closest possible links between DSD and the Australian Defence Force argue overwhelmingly that DSD should remain within the Defence portfolio. DSD’s activities are well regulated by the Intelligence Services Act, and the Inquiry received every indication that national customers are being well served by DSD.[12]

The issue is not mentioned in the report on the 2011 Independent Review of the Intelligence Community.[13]

2017 Independent Intelligence Review

The Flood Review recommended that in addition to standing review mechanisms (specifically the Inspector-General of Intelligence and Security (IGIS) and the Parliamentary Joint Committee on Intelligence and Security (PJCIS)), the AIC should be subject to ‘periodic external review every five to seven years’.[14] The 2017 Review, conducted by Michael L’Estrange and Stephen Merchant, with Sir Iain Lobban acting as an adviser, was the second such review to be completed since the Flood Review.

The June 2017 report recommended several significant reforms of the AIC and the bodies that oversee it, including the establishment of an Office of National Intelligence in the Prime Minister and Cabinet portfolio, setting up a Joint Capability Fund, and expanding the remit of the IGIS and the PJCIS to include the Australian Transaction Reports and Analysis Centre and the intelligence functions of the AFP, ACIC and the Department of Immigration and Border Protection (now the Department of Home Affairs).[15] It also recommended a comprehensive review of the Acts governing the AIC, including the IS Act.[16]

Establishing ASD as a statutory agency

The 2017 Review noted the conclusions reached by Flood in 2004, but considered that changes that have since taken place, and the need to recruit and retain specialist expertise, mean that ASD should now be made a separate statutory authority within the Defence portfolio:

ASD’s roles, responsibilities and interactions within government and with the non-government sector have broadened considerably since 2004. In these new circumstances, our view is ASD would be better able to fulfil its vital responsibilities to the ADF [Australian Defence Force], and would more effectively carry out its broader national role, through a structure that provides it with more autonomy within the Defence portfolio. We have reached this view in light of the range of ASD’s Defence support role and broader national responsibilities, the operational, workforce and other challenges that ASD faces (highlighted in Chapter 3), the role of SIGINT as a critical enabler for other intelligence agencies and ASD’s evolution as an independent intelligence service.

Our main focus in relation to this issue has been on how ASD is best structured to meet the range of its ongoing and evolving support for the ADF, its expanding interactions with other intelligence agencies and its developing national cyber security responsibilities. In our view, ASD will be better placed if it remains in the Defence portfolio but if it is in a position to operate with greater independence from the Department’s requirements, especially those in relation to its capacity to recruit, retain, train, develop and remunerate its specialist staff.

For ASD, the option of continuing to operate within the Department of Defence’s employment framework, even with some specific exemptions, is not the most effective way forward. It would increase the risk of losing additional critical talent, skills and capabilities ...[17]

On workforce issues, the reviewers noted earlier in the report that intelligence agencies were facing a range of challenges ‘relating to recruitment, retention, career management and training of their workforces’:

These challenges derive partly from the rapid evolution of technology, the demand for technological expertise in the private sector and the long lead times in security clearance processes. They also reflect the pressures on staff numbers as well as work cultures, career structures and public sector remuneration practices.

These challenges are particularly demanding where highly specialised and technologically expert workforces are involved. ASD is one such organisation. ASD has experienced a net reduction in its workforce over recent years. While the 2016 Defence White Paper has provided for significantly increased staffing numbers for Defence-intelligence related capabilities over the next decade, and for ASD in particular, the net reduction in ASD staff over recent years has presented significant challenges.[emphasis added][18]

While little detail has been made public, the PJCIS has noted its discussions with the defence intelligence agencies and ASD in particular about the challenges of recruiting and retaining skilled staff (including competition with the private sector), and how the agencies were responding, in its reviews of the administration and expenditure of the AIC.[19]

The 2017 Review recommended that ASD be made a statutory authority within the Defence portfolio, reporting directly to the Minister for Defence, and:

  1. the Head of ASD be appointed at a level of seniority equivalent to the Directors-General of the Australian Security Intelligence Organisation and the Australian Secret Intelligence Service;
  2. the existing organisational arrangements that integrate the support to military operations capability within ASD be reaffirmed and strengthened;
  3. a senior military officer be appointed as the principal ASD Deputy Director at a rank commensurate with the responsibilities and accountabilities of the role; and
  4. a dedicated joint ASD–Defence team be established to manage ASD’s transition to a statutory authority, drawing on relevant expertise within and outside of government, and reporting to the National Security Committee of Cabinet.[20]

The reviewers were comfortable with amendments being made to establish ASD as a statutory agency before the comprehensive review they recommended of the legislation governing the AIC is completed.[21]

Cybersecurity

The 2017 Review made several recommendations aimed at achieving a more coordinated and integrated approach to cybersecurity. These included:

  • ACSC should operate as part of ASD, with staff from other agencies seconded to the ACSC but retaining their existing organisational authorities and ability to access data, information and capabilities from their home agencies and
  • one minister should have primary responsibility for the ACSC and cybersecurity arrangements (currently responsibility for the ACSC is shared between the Attorney-General and the Minister for Defence).[22]

Of most relevance to the Bill, the Review recommended that ASD be given:

... a formal legislative mandate which reflects its role as the national information and cyber security authority, including functions to combat cyber crime and to provide advice to the private sector on cyber security matters. Broadening ASD’s mandate recognises the increasing difficulty of delineating state and non-state actors in cyberspace as well as the need to be able to shift scarce operational cyber resources to areas of greatest need.[emphasis in original][23]

The Bill will implement this recommendation. The Explanatory Memorandum also states that the Computer Emergency Response Team and its functions relating to cyber policy and security will be transferred from the Attorney-General’s Department to ASD (this will not require legislation).[24]

Committee consideration

Senate Foreign Affairs, Defence and Trade Legislation Committee

The Senate Foreign Affairs, Defence and Trade Legislation Committee (FADT Committee) reported on its inquiry into the Bill on 21 March 2018.[25] The Committee recommended that the Bill be passed. While it did not recommend any specific changes to the Bill, the Committee stated that the Government ‘may wish to consider whether any amendments to the bill, or additions to the [Explanatory Memorandum], are necessary to provide greater clarity’ to ASD staff, in light of matters raised in the course of its inquiry, notably by the Community and Public Sector Union (CPSU) (see ‘Position of major interest groups’ below).[26]

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills (Scrutiny of Bills Committee) raised two issues in relation to the Bill.

Proposed section 27N of the IS Act (inserted by item 27 of Schedule 1) will allow the Director-General of ASD to delegate, in writing, all or any of his or her functions or powers under proposed Part 5A to a staff member who holds, or is acting in, an Executive Level 1 or equivalent or higher position in ASD. The Scrutiny of Bills Committee requested the Minister’s advice as to why the delegation of powers was not limited to members of the Senior Executive Service.[27]

Items 36–43 of Schedule 1 will amend the Anti-Money Laundering and Counter-Terrorism Act 2006 (AML/CTF Act) so that ASD officials continue to have legislative authority to share information obtained from the Australian Transaction Reports and Analysis Centre (AUSTRAC) for certain purposes after the ASD becomes a separate statutory agency. Item 43 will insert proposed section 133BA of the AML/CTF Act to allow the Director-General of ASD to share AUSTRAC information with a foreign intelligence agency if he or she is satisfied that the agency has given appropriate undertakings about protection and use of the information, and that it is ‘appropriate, in all the circumstances of the case’ to share the information. The Scrutiny of Bills Committee requested the Minister’s advice as to why it is necessary and appropriate to provide the Director-General with broad discretion to share AUSTRAC information.[28] It also sought the Minister’s advice on whether the Bill might be amended to include guidance on the purposes for which AUSTRAC information may be shared with a foreign intelligence agency.[29]

Policy position of non-government parties/independents

The Australian Labor Party supports the Bill.[30] The Shadow Minister for Defence noted that the Bill was the subject of a Senate committee inquiry, and stated:

It's possible that as a result of that inquiry there might be amendments that come forth out of that process. If they do, we'd consider them in the Senate in the usual way. But, as a matter of principle, this is a bill which deserves support.[31]

At the time of publication of this Bills Digest, there was no public indication of the policy position of any other non-government parties and independents on the Bill.

Position of major interest groups

Four submissions were made to the FADT Committee’s inquiry into the Bill. Those submissions, from ASD, the Attorney-General’s Department, the IGIS and the CPSU, all supported the Bill.[32]

The CPSU’s submission stated that there was ‘strong staff support for ASD’s transition’ to a statutory agency, but that its members had expressed some concerns and reservations about their conditions of employment. The CPSU recommended:

  • ‘for abundant caution’, the Bill should be amended to explicitly state that the Defence Enterprise Agreement will transfer to the employees of the new ASD, and that the transfer of staff to the new agency will be dealt with under section 72 of the Public Service Act 1999 (which deals with machinery of government changes)
  • the Bill should be amended so that ASD employees are able to access the mechanisms provided by the APS Redeployment Policy if they are declared excess or potentially excess and
  • a consequential amendment should be made to the Maternity Leave (Commonwealth Employees) Regulations 2017 to include the new ASD as a prescribed authority for the purposes of section 5 of the Maternity Leave (Commonwealth Employees) Act 1973, so that female staff retain access to 12 weeks paid maternity leave under that Act.[33]

The IGIS’s submission noted that ASD’s transition to a statutory agency will not, of itself, have any impact on the IGIS’s oversight of the agency:

Having ASD staff employed under the Intelligence Services Act 2001 rather than the Public Service Act 1999 will have some consequential effects on IGIS jurisdiction including in relation to complaints and the addition of new functions for ASD will have an impact on the IGIS inspection program and scope for inquiries.[34]

The IGIS stated that the additional resources associated with those changes would be drawn from additional resources allocated to the IGIS in response to the 2017 Review.[35]

Financial implications

The Explanatory Memorandum states that the Bill will have no additional financial impact.[36] ASD’s submission to the FADT Committee stated that ASD and the Department of Defence will ‘continue to rely on the provision of corporate shared services to each other’.[37]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[38]

Parliamentary Joint Committee on Human Rights

The Parliamentary Joint Committee on Human Rights had not yet reported on the Bill at the time of publication of this Bills Digest.

Key issues and provisions

Establishing ASD as a statutory authority

Item 27 of Schedule 1 to the Bill will insert proposed Part 3A into the IS Act to establish ASD on a statutory basis and make provision for the appointment of a Director-General of ASD. Item 29 of Schedule 1 will insert proposed Part 5A into the IS Act to provide for the employment of staff and engagement of consultants and contractors. While there are some differences (some of which are noted below), proposed Parts 3A and 5A are largely modelled on Parts 3 and 5 of the IS Act respectively, which established ASIS on a statutory basis and provide for employment of staff and engagement of consultants by ASIS.

Establishment of ASD and the role of Director-General of ASD (proposed Part 3A and other items)

Item 2 of Schedule 1 will amend the definition of ASD in section 3 of the IS Act to omit the reference to ‘the part of the Defence Department known as’. Item 1 will amend the definition of agency head in the same section so that in relation to ASD it will mean the Director-General of ASD.

Item 27 will insert proposed Part 3A into the IS Act. Proposed subsection 27A(1) will provide that the organisation known as the Australian Signals Directorate is continued in existence in accordance with the IS Act.

Proposed section 27B will provide that there is to be a Director-General of ASD, that the Director-General is to be appointed by the Governor-General by written instrument, and that before a recommendation is made to the Governor-General for the appointment of a person to that role, the Prime Minister must consult with the Leader of the Opposition in the House of Representatives. Item 103 of Schedule 1 is a transitional provision that will provide that the person who holds the position of Director of ASD immediately before 1 July 2018 is taken to have been appointed as Director-General of ASD for a term of six months and on the terms and conditions set out in Division 2 of Part 3A of the IS Act.

Proposed sections 27E–27N make further provision for matters relating to the Director-General of ASD. Of note, the Director-General:

  • will hold office on a full-time basis, for a period of no more than five years as specified by the Governor-General in the instrument of appointment; and may be re-appointed (proposed sections 27B and 27E and section 33AA of the Acts Interpretation Act 1901)
  • may be terminated by the Governor-General for misbehaviour or on the basis of physical or mental incapacity, and must be terminated in certain circumstances (including if he or she lacks, or has lost, an essential qualification) (proposed section 27H) and
  • will be able to delegate, in writing, all or any of his or her functions or powers under proposed Part 5A to a staff member who holds, or is acting in, an Executive Level 1 or equivalent or higher position in ASD (proposed section 27N).

Due to the definition of ‘staff member’ in section 3 of the IS Act, proposed section 27N will enable delegation of the Director-General of ASD’s functions under proposed Part 5A to consultants, contractors and persons made available to ASD by another person or authority to perform functions for the agency. Section 27 of the IS Act, which allows the Director-General of ASIS to delegate powers, specifically excludes delegations to consultants and contractors. It is not clear why the same approach has not been adopted for ASD.

Proposed section 27C will provide that the Director-General of ASD has control of ASD and its staff, and is responsible, under the Minister, for managing ASD and must advise the Minister in matters relating to ASD.

Proposed section 27D will require the Director-General of ASD to ‘consult regularly with the Leader of the Opposition in the House of Representatives for the purpose of keeping him or her informed on matters relating to ASD’.

Item 32 will insert proposed section 42A, which will require the Director-General to provide the Minister with a report on the activities of ASD for each financial year, as soon as practicable after 30 June of each year.

Staff of ASD (proposed Part 5A)

Proposed section 38A will allow the Director-General of ASD to employ such staff on behalf of the Commonwealth as he or she thinks necessary for the purposes of the IS Act. The Director-General will be able to determine the terms and conditions on which employees are employed, but only after consulting with the employees who are subject to the terms and conditions of the determination. Proposed subsection 38A(4) will provide that the Director-General may, at any time, terminate the employment of a person employed under section 38A, by written notice (a note points to the application of the Fair Work Act 2009). There is no equivalent to proposed subsection 38A(4) in the IS Act for ASIS. However, an equivalent provision was inserted into the Australian Security Intelligence Organisation Act 1979 in 2014.[39] The Explanatory Memorandum to the relevant Bill stated that while the power to terminate employees is an employer power at common law, including that power in legislation makes it clear that the head of ASIO does not need to rely on common law powers.[40]

In his second reading speech, the then Minister for Defence Personnel stated that having ASD employ staff outside the framework provided by the Public Service Act 1999:

... will provide the Australian Signals Directorate with greater flexibility to recognise the skills of its specialised workforce. This structure will reflect the need to retain those individuals with highly sought after skills, such as those with science, technology, engineering and maths qualifications.[41]

While ASD employees will not be employed under the Public Service Act:

  • proposed section 38F and proposed subsection 38H(2) will require the Director-General of ASD to adopt the principles of that Act in relation to the employment of employees and procedures relating to the consideration of staff grievances ‘to the extent to which the Director-General considers they are consistent with the effective performance of the functions of ASD’ and
  • proposed section 38G will provide that section 26 of the Public Service Act (which provides for voluntary transfers between agencies in the APS) applies in relation to ASD employees as if they were APS employees.

The CPSU supported the inclusion of provisions requiring the Director-General to adopt the principles of the Public Service Act.[42] The IGIS noted that the heads of ASIS and ASIO have equivalent obligations, and that in her experience ‘ASIS and ASIO adhere to this requirement and the employment related policies in the agencies are similar to those in the APS’.[43]

Proposed sections 38B and 38C will allow the Director-General of ASD to engage consultants and contracted service providers respectively to assist in the performance of ASD’s functions.[44]

Proposed section 38D will provide for the secondment of ASD employees for specified periods to bodies or organisations in Australia and overseas, by written arrangement. This would allow, for example, secondments of ASD employees to counterpart agencies overseas. ASD works closely with equivalent agencies in Canada, New Zealand, the United Kingdom and the United States.[45]

Proposed section 38E will provide for the secondment of officers, employees or other staff from other bodies or organisations in Australia and overseas to ASD, by written arrangement. While it will operate more broadly, this provision will have immediate relevance to the secondment of employees from other Commonwealth agencies to the ACSC. The 2017 Review recommended that the ACSC be part of ASD and that staff from other agencies should be seconded to the ACSC (while retaining access to data, information and capabilities of their home agencies).[46] The reviewers also considered:

Agencies, especially the Australian Criminal Intelligence Commission and AFP, should make a concerted effort to substantially strengthen their presence in the ACSC so that it is resourced with the expertise to cover the full spectrum of the national cyber security challenge, including cyber crime.[47]

Proposed section 38H will require the Director-General of ASD to establish procedures relating to the consideration of grievances of employees and former employees, and to determine the classes of ASD actions subject to those procedures. In doing so, the Director-General will be required to adopt the principles of the Public Service Act ‘to the extent to which the Director-General considers they are consistent with the effective performance of the functions of ASD’, and to consult with ASD employees.

Items 104–106 of Schedule 1 are transitional provisions that provide for the terms and conditions of employment of existing staff, the application of the Safety, Rehabilitation and Compensation Act 1988 to those staff, and the continuation of staffing procedures when the ASD becomes a statutory agency.

Additional and expanded functions

Section 7 of the IS Act sets out the functions of ASD. Items 8–13 of Schedule 1 to the Bill will amend section 7 to include a new function relating to cybercrime, expand ASD’s role in relation to information security to include provision of material, advice and other assistance to private sector and foreign entities, and include a new function of protecting specialised technologies acquired in the performance of certain other functions. Items 15, 17, 18 and 23 will make related amendments to sections 8 (ministerial directions), 11 (limits on agencies’ functions) and 13 (cooperation with other authorities in connection with performance of agency’s own functions) of the IS Act.

Cybercrime (new function)

Item 9 will repeal and replace paragraph 7(c) to provide that one of ASD’s functions is ‘to prevent and disrupt, by electronic or similar means, cybercrime undertaken by people or organisations outside Australia’. Cybercrime will be defined in section 3 of the IS Act, as amended by item 3, as meaning ‘activities that involve committing a serious crime by, or facilitated by, the use of electromagnetic energy, whether guided or unguided or both’. This broad definition will capture two categories of crimes—those committed against information and communications technology systems (such as hacking) and those that involve the use of technology to facilitate traditional offences (such as fraud). Serious crime is defined in section 3 as meaning conduct that, if engaged in within or in connection with Australia, would constitute an offence against an Australian law punishable by imprisonment for a period exceeding 12 months.

The Explanatory Memorandum states:

The new cybercrime function will permit ASD to use its technical expertise to combat serious crimes undertaken by people or organisations outside Australia, such as child exploitation and illicit narcotics [where they are committed or facilitated by the use of information and communication technologies]... Necessary preparatory activities for the purposes of preventing and disrupting cybercrime, including collecting intelligence on people or organisations committing serious crimes, will be undertaken under this function.[48]

Along with the amendments made by items 10 and 13 (outlined below), item 9 will give effect to the 2017 Review recommendation for ASD to be given ‘a formal legislative mandate which reflects its role as the national information and cyber security authority, including functions to combat cyber crime ...’.[49]

Information security (expanded function)

Currently, one of ASD’s functions (under paragraph 7(c) of the IS Act) is to provide material, advice and other assistance to Commonwealth and State authorities on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means.[50] As noted above, that paragraph will be repealed and replaced by the new cybercrime function. Item 10 will insert proposed paragraph 7(1)(ca), which will provide that one of ASD’s functions is to provide material, advice and other assistance to any person or body mentioned in subsection 7(2) on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means. Item 13 will insert proposed subsection 7(2) to provide that material, advice and other assistance may be provided to a Commonwealth authority, State authority, foreign person or entity (proposed paragraph 7(2)(c)), or any other person or body if certain circumstances apply to the material, advice or assistance or to the information in question (proposed paragraph 7(2)(d)). Proposed paragraphs 7(2)(c) and (d) are crafted around Commonwealth heads of power under the Constitution.

Along with the amendment made by item 9 (outlined above), items 10 and 13 will give effect to the 2017 Review recommendation for ASD to be given ‘a formal legislative mandate which reflects its role as the national information and cyber security authority, including functions to ... provide advice to the private sector on cyber security matters’.[51] In relation to the private sector, these amendments are of particular relevance to the work of the ACSC.

Protecting specialised technologies (new function)

Item 11 will insert proposed paragraph 7(1)(da) to provide that one of ASD’s functions is to protect specialised technologies acquired in connection with the performance of the functions listed in paragraphs 7(1)(a)–(d) (related to obtaining and communicating intelligence, preventing and disrupting cybercrime, providing assistance on information security, and providing assistance to and cooperating with the ADF). The Explanatory Memorandum states that this will allow ASD to ‘take more active measures to protect highly sensitive technologies and capabilities from being detected or compromised’.[52]

Related amendments (cybercrime and information security)

Section 8 of the IS Act requires the Ministers responsible for ASD, ASIS and AGO to issue written directions to the heads of those agencies requiring the agencies to obtain an authorisation under section 9 (ministerial authorisation), 9A (emergency authorisations from other ministers) or 9B (emergency authorisations from agency heads) before undertaking certain activities. Item 15 will insert proposed subparagraph 8(1)(a)(iii) to add to that list activities for the specific purpose, or including the specific purpose, of preventing or disrupting cybercrime undertaken or enabled by an Australian. This will mean that ASD will be required to obtain an authorisation under section 9 of the IS Act where possible, or section 9A or 9B in an emergency, before undertaking an activity or series of activities for that purpose.

Section 11 of the IS Act sets several specific limits on the functions of ASD, ASIS and AGO. Subsection 11(1) provides that the agencies’ functions:

... are to be performed only in the interests of Australia’s national security, Australia’s foreign relations or Australia’s national economic well-being and only to the extent that those matters are affected by the capabilities, intentions or activities of people or organisations outside Australia.

Subsection 11(3) currently provides that this limitation does not apply to certain functions, including several of ASD’s functions (among them, its existing information security function). Item 18 will amend subsection 11(3) so that the limit in subsection 11(1) will not apply to ASD’s performance of its new cybercrime function (proposed paragraph 7(1)(c)) or its expanded information security function (proposed paragraph 7(1)(ca)).

Subsection 11(2) provides that the agencies’ functions do not include the carrying out of police functions or any other law enforcement responsibilities, but that this does not prevent them performing certain functions. Item 17 will amend paragraph 11(2)(f) to make it clear that this limitation does not prevent the performance by ASD of its new cybercrime function (proposed paragraph 7(1)(c)).

Subsection 13(1) provides that subject to any arrangements made or directions given by the responsible Minister, an agency may cooperate with:

  • Commonwealth and State authorities and
  • authorities of other countries approved by the Minister as being capable of assisting the agency in the performance of its functions

so far as is necessary for or facilitates the performance by the agency of its functions. Item 23 will insert proposed subsections 13(4)–(6). Proposed subsection 13(4) will enable ASD, subject to any arrangements made or directions given by the responsible Minister, to cooperate with overseas authorities without specific prior ministerial approval, for the purposes of its expanded information security function (proposed paragraph 7(1)(ca)). Proposed subsections 13(5) and (6) will require the Director-General of ASD to provide the Minister with a written report about any significant cooperation under proposed subsection 13(4) as soon as practicable after each year ending on 30 June.

Assumed identities

In his second reading speech, the Minister for Defence Personnel stated that the Bill includes amendments to the Crimes Act 1914 to allow ASD employees to apply for assumed identities under Part IAC of that Act.[53] The assumed identities regime enables officers of law enforcement agencies, ASIO and ASIS to acquire and use false identities for certain purposes (such as intelligence collection).

The Minister indicated that currently, ASIS and ASIO operate assumed identities on ASD’s behalf, and the amendments would ‘increase transparency and accountability for the Australian Signals Directorate officers using assumed identities’.[54] The Bill does not include such amendments.

More significant consequential amendments

Part 2 of Schedule 1 to the Bill will make amendments to 17 other Acts that are consequential to the amendments to the IS Act in Part 1 of Schedule 1. The more significant of the consequential amendments are outlined below.

Complaints to the Inspector-General of Intelligence and Security by ASD employees

Section 8 of the Inspector-General of Intelligence and Security Act 1986 (IGIS Act) sets out the inquiry functions of the IGIS. Currently:

  • subsection 8(5) of the IGIS Act provides that the IGIS’s functions do not include inquiring into a matter in relation to which a complaint has been made by an employee of ASD, AGO, DIO or ONA to the extent that the matter is directly related to a matter relating to the agency’s employment of the employee and
  • subsection 8(6) provides that the IGIS’s functions include (subject to subsection 8(7)) inquiring into a matter in relation to which a complaint has been made by an employee of ASIO or ASIS to the extent that the matter is directly related to a matter relating to the agency’s employment of the employee.

Items 73–76 of Schedule 1 will amend subsections 8(5), 8(6) and 8(7) of the IGIS Act so that the IGIS’s functions will include inquiring into complaints made by ASD employees that relate to their employment. As ASD employees will no longer be APS employees, employment-related complaints will now be considered by the IGIS instead of the APS Commissioner or the Merit Protection Commissioner.[55]

As is currently the case in relation to ASIO and ASIS employees, this function of the IGIS will be limited by:

  • subsection 8(7), which as amended by item 76, will provide that the IGIS must not inquire into an employment-related complaint to the extent that the ASD employee can have the matter reviewed by a body constituted by, or including, persons other than the Director-General of ASD or ASD employees and
  • subsection 11(5), which as amended by item 77, will provide that the IGIS shall not inquire into an employment-related complaint made by an ASD employee in respect of action taken by ASD if the IGIS is satisfied:
    • the procedures of ASD relating to redress of grievances of ASD employees are adequate and effective
    • the complainant has not pursued those procedures as far as practicable or
    • the matters to which the complaint relates are not of sufficient seriousness or sensitivity to justify an inquiry into those matters.

Work Health and Safety Act 2011

Subsection 12C(1) of the Work Health and Safety Act 2011 (WHS Act) provides that nothing in that Act requires or permits a person to ‘take any action, or to refrain from taking any action, that would be, or could reasonably be expected to be, prejudicial to Australia’s national security’. Subsection 12C(2) provides that, without limiting subsection 12C(1), the Director-General of Security (the head of ASIO) may, by written instrument, declare that specified provisions of the Act do not apply, or apply subject to specified modifications, in relation to people carrying out work for the Director-General. Subsections 12C(2A) and (2B) include equivalent provisions for the heads of ASIS and the Australian Border Force (ABF). Item 96 will insert proposed subsection 12C(2AA) into the WHS Act to make equivalent provision for the Director-General of ASD to make declarations. The Explanatory Memorandum states that this power is required due to ‘ASD subsuming additional security functions’ from ASIO and ASIS.[56]

As is currently the case for the heads of ASIO, ASIS and the ABF:

  • the Director-General of ASD will be required, in administering the ASD and making declarations, to take into account the need to promote the objects of the WHS Act ‘to the greatest extent consistent with the maintenance of national security’ (proposed subsection 12C(5A), inserted by item 98)
  • a declaration may only be made with the approval of the relevant minister, and has effect according to the terms of that approval (subsection 12C(3) as amended by item 97) and
  • declarations will not be legislative instruments (subsection 273B(2) as amended by item 99).

Disclosure of Australian Communications and Media Authority information to ASD

Section 59D of the Australian Communications and Media Authority Act 2005 (ACMA Act) allows an Australian Communications and Media Authority (ACMA) official authorised to do so by the Chair to disclose ‘authorised disclosure information’ to certain authorities, if the Chair is satisfied that the information will enable or assist the authority to perform or exercise any of its functions or powers.[57] Item 44 will insert proposed paragraph 59(1)(ka) into the ACMA Act to add ASD to the list of authorities to which information may be disclosed. While the amendment will apply more broadly, the Explanatory Memorandum indicates that it is required so that ACMA officials can continue providing information to the Computer Emergency Response Team, which will transfer from the Attorney-General’s Department to ASD.[58]

Taxation Administration Act 1953

Section 850-100 of the Taxation Administration Act 1953 allows the heads of ASIO and ASIS to declare in writing that taxation laws do not apply to specified entities (including but not limited to those agencies) in relation to one or more transactions. Item 91 will insert proposed subsection 850-100(3A) into the Taxation Administration Act so that the Director-General of ASD may also make such declarations.

 


[1].      These amendments will commence the later of 1 July 2018 and immediately after the commencement of Schedule 1 to the Privacy Amendment (Notifiable Data Breaches) Act 2017. As the Privacy Amendment (Notifiable Data Breaches) Act 2017 commenced on 22 February 2018, the amendments in Part 4 will commence on 1 July 2018.

[2].      The 2017 Review assessed that looking ahead, a more realistic frame of reference for the intelligence community would also include the Australian Criminal Intelligence Commission, the Australian Transaction Reports and Analysis Centre and parts of the Australian Federal Police and the Department of Immigration and Border Protection (now the Department of Home Affairs): M L’Estrange, S Merchant and I Lobban, 2017 Independent intelligence review, Department of the Prime Minister and Cabinet (PM&C), Canberra, June 2017, pp. 46–8.

[3].      Department of Defence, ‘About ASD: history’, Department of Defence website.

[4].      Ibid.

[5].      Department of Defence, ‘About ASD: signals intelligence (sigint) role’ and ‘About ASD: information security (infosec) role’, Department of Defence website.

[6].      L’Estrange, Merchant and Lobban, 2017 Independent intelligence review, op. cit., p. 8; Department of Defence, ‘ASD: partners: Defence Strategic Policy and Intelligence Group’ and ‘Defence organisational structure chart’, Department of Defence website.

[7].      J Faulkner (Minister for Defence), Cyber Security Operations Centre officially opened, media release, 15 January 2010; J Faulkner (Minister for Defence), Speech at the opening of the Cyber Security Operations Centre, Canberra [and] questions and answers, media release, 15 January 2010. The CSOC was an initiative of the Defence white paper 2009.

[8].      Faulkner, Cyber Security Operations Centre officially opened, op. cit.; Australian Cyber Security Centre (ACSC), ‘Frequently asked questions’, ACSC website.

[9].      T Abbott, Cyber security review, media release, 27 November 2014. The ACSC was initially announced in January 2013: J Gillard, Australian Cyber Security Centre, media release, 24 January 2013.

[10].    ACSC, ‘About the Australian Cyber Security Centre’, ACSC website.

[11].    Ibid.; ACSC, ‘Frequently asked questions’, op. cit.

[12].    P Flood, Report on the inquiry into Australian intelligence agencies, Commonwealth of Australia, Canberra, 2004, p. 136.

[13].    R Cornall and R Black, 2011 Independent review of the intelligence community report, Commonwealth of Australia, Canberra, 2011.

[14].    Flood, Report on the inquiry into Australian intelligence agencies, op. cit., pp. 62–3.

[15].    L’Estrange, Merchant and Lobban, 2017 Independent intelligence review, op. cit., pp. 55–69; 82–8; 115–117.

[16].    Ibid., pp. 90–4.

[17].    Ibid., p. 70.

[18].    Ibid., pp. 49–50.

[19].    See for example PJCIS, Review of administration and expenditure no. 15 (2015–2016): Australian intelligence agencies, PJCIS, Canberra, June 2017, p. 22; PJCIS, Review of administration and expenditure no. 14 (2014–2015): Australian intelligence agencies, PJCIS, Canberra, February 2017, p. 22.

[20].    L’Estrange, Merchant and Lobban, 2017 Independent intelligence review, op. cit., p. 16 (Recommendation 6).

[21].    Ibid., p. 94.

[22].    Ibid., pp. 14–15 (Recommendation 3); see further pp. 64–6.

[23].    Ibid., p. 66.

[24].    Explanatory Memorandum, Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018 (ASD Bill).

[25].    Senate Foreign Affairs, Defence and Trade Legislation Committee, Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018 [provisions], The Senate, Canberra, 21 March 2018.

[26].    Ibid., pp. 11–12.

[27].    Senate Standing Committee for the Scrutiny of Bills, Scrutiny digest, 3, 2018, The Senate, 21 March 2018, pp. 15–16.

[28].    Ibid., p. 16.

[29].    Ibid., p. 17.

[30].    G Brodtmann, ‘Second reading speech: Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018’, House of Representatives, Debates, (proof), 28 February 2018, pp. 40–3; R Marles, ‘Second reading speech: Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018’, House of Representatives, Debates, (proof), 28 February 2018, pp. 43–4.

[31].    R Marles, ‘Second reading speech: Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018’, op. cit.

[32].    Australian Signals Directorate (ASD), Submission to Foreign Affairs, Defence and Trade Legislation Committee (FADT Committee), Inquiry into the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018, March 2018; Attorney-General’s Department (AGD), Submission to FADT Committee, Inquiry into the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018, 9 March 2018; Inspector-General of Intelligence and Security (IGIS), Submission to FADT Committee, Inquiry into the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018, 9 March 2018; Community and Public Sector Union (CPSU), Submission to FADT Committee, Inquiry into the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018, 9 March 2018.

[33].    CPSU, Submission to FADT Committee, op. cit., pp. 4–5.

[34].    IGIS, Submission to FADT Committee, op. cit., p. 4.

[35].    Ibid. Funding was allocated in February 2018 to expand the IGIS’s office from 17 to 55 full-time equivalent staff and for ‘commercial rent, IT systems and secure fit-out costs of new premises’: PM&C, Portfolio additional estimates statements 2017–18: Prime Minister and Cabinet portfolio, Commonwealth of Australia, Canberra, 2018, pp. 33–40.

[36].    Explanatory Memorandum, ASD Bill.

[37].    ASD, Submission to FADT Committee, op. cit., p. 4.

[38].    The Statement of Compatibility with Human Rights can be found in the Explanatory Memorandum to the ASD Bill.

[39].    The National Security Legislation Amendment Act (No. 1) 2014 repealed and replaced section 84 of the Australian Security Intelligence Organisation Act 1979.

[40].    Revised Explanatory Memorandum, National Security Legislation Amendment Bill (No. 1) 2014, p. 49.

[41].    M McCormack, ‘Second reading speech: Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018’, House of Representatives, Debates, 15 February 2018, p. 1611.

[42].    CPSU, Submission to FADT Committee, op. cit., p. 4.

[43].    IGIS, Submission to FADT Committee, op. cit., p. 6.

[44].    The definition of contracted service provider to be inserted into section 3 by item 3 of the Bill will mean that proposed section 38C extends to subcontractors.

[45].    Department of Defence, ‘ASD: partners: UKUSA allies’, Department of Defence website.

[46].    L’Estrange, Merchant and Lobban, 2017 Independent intelligence review, op. cit., p. 65.

[47].    Ibid.

[48].    Explanatory Memorandum, ASD Bill.

[49].    L’Estrange, Merchant and Lobban, 2017 Independent intelligence review, op. cit., p. 66.

[50].    State authority is defined in section 3 of the IS Act, and includes both state and territory authorities.

[51].    L’Estrange, Merchant and Lobban, 2017 Independent intelligence review, op. cit., p. 66.

[52].    Explanatory Memorandum, ASD Bill.

[53].    McCormack, ‘Second reading speech: Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018’, op. cit., p. 1611.

[54].    Ibid.

[55].    Explanatory Memorandum, ASD Bill.

[56].    Explanatory Memorandum, ASD Bill.

[57].    Authorised disclosure information is defined in section 3 of the Australian Communications and Media Authority Act 2005.

[58].    Explanatory Memorandum, ASD Bill.

 



© Commonwealth of Australia

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.