Director-general of the Australian Signals Directorate Rachel Noble PSM draws on a family history in the intelligence service to keep Australia cyber safe as the threat landscape grows more complex.

    Since World War II, the Australian Signals Directorate (ASD) has been tasked with intercepting signals and electronic communications from nefarious foreign entities.

    The government agency reports threats it has detected, which helps the government formulate foreign, defence and strategic policies.

    This intelligence also contributes to the protection of the Australian Defence Force (ADF) and its allies during armed conflict.

    An added mission for the ASD in the digital age is defending Australia’s networks in cyberspace, says Rachel Noble PSM, who became the organisation’s director-general in 2020.

    “When you’re really good at spying and you understand how to get into other people’s networks,” she says, “you learn along the way how you might also protect your own networks from people like us — that is, well-resourced intelligence agencies.”

    The ASD has both a defensive and an offensive role to play in cyberwarfare. The latter was bolstered in March 2022, when it was announced that the ASD’s offensive cyber capabilities would triple over the coming decade.

    “We have legal powers to actually go after people in cyberspace who are trying to do harm to Australians and Australian networks,” says Noble.

    She describes “harm” as falling into two broad categories. The first is cybercrime, with the theft and encryption of data used as a means of extortion. The second is the work of state actors who are engaged in espionage and are often on the hunt for intellectual property.

    “The foreign actors are seeking to spy on Australian companies, members of government and the military,” explains Noble.

    “They want to find out how your business operates. Often, they’re also interested in the influence a particular individual has and how they are connected to other influential individuals. They are very determined not to be discovered.”

    She notes that both types of threats have increased substantially in scale and sophistication over the past 10 years — adding that Australia’s wealth makes it an attractive target.

    “The first threat is easier to detect than the second,” she says. “The other will eventually reveal itself, but by then you’re having a very bad day.”

    Last year, under project REDSPICE, the ASD’s budget was increased by almost $10b to 2032 — a threefold increase that reflects the increasingly complex threat landscape.

    The Defence Strategic Review 2023, released by the federal government in April, details areas of priority for investment in defence capabilities over the next 10 years.

    It provides recommendations for obtaining advanced capabilities, such as support for Australia’s forthcoming nuclear-powered submarines.

    “The Defence Strategic Review speaks to the worsening strategic circumstances in the world,” says Noble.

    “The conflict between Russia and Ukraine is of concern to all democracies, and our absolute focus is on doubling down on the traditional parts of our business. We want to make sure that we deliver the best intelligence to the government so that they can make the best possible policy choices.”

    All in the family

    Prior to her current role, Noble was the head of the Australian Cyber Security Centre (ACSC), which sits within the ASD, and she has held senior roles at the Department of Home Affairs.

    Her distinguished career mirrors that of her father, Jim Noble. Growing up in Perth, Rachel Noble was completely unaware that her father was a cyber spy.

    He founded the Australian Defence Satellite Communications Station outside of Geraldton, WA — one of Australia’s key foreign signals intelligence sites.

    “Looking back, there was nothing that suggested to me that my dad was a cyber spy,” she says.

    “He made it so boring. When my sister and I would ask him what he did, he’d say, ‘I’m an electronics engineer.’ About halfway through those two words, we would switch off. I don’t know exactly when I started to have a better appreciation of what he was involved with, and maybe it wasn’t until I started working here [at ASD]. People would make reference to him and I would think, ‘Wow, my dad did that.’ He was, and is, a very highly regarded member of our organisation.”

    Noble has not been required to operate undercover as her father did. Two decades ago, ASD’s functions were laid out publicly for the first time with the Intelligence Services Act 2001.

    “It was hugely transformative for the ASD,” she says. “Before 2001, you couldn’t really read about what the ASD was doing. In some ways, it gave us permission to start to acknowledge publicly some of our functions.”

    Nonetheless, Noble’s work is incredibly sensitive and she must constantly distinguish between the classified and unclassified information stored in her memory when she speaks in a public setting.

    “Senate estimates is my least favourite part of the job,” she says. “It’s a bizarre experience and it can be hard to explain to those in the private sector what it’s like to be on television being asked about any aspect of your decision-making. It’s extremely challenging. I have a rule of thumb that I often remind myself of — I can talk about what we do, but not how we do it.”

    Despite the challenges, she says oversight mechanisms such as Senate estimates are critical for maintaining public trust in organisations such as the ASD.

    On the money

    One of the benefits of the ASD having a public profile is a much-improved ability to recruit talented personnel.

    “We see a strong correlation of when we do things publicly and people visiting our careers website, and clicking through to actually apply for jobs,” says Noble.

    To mark the ASD’s 75th anniversary last year, the Royal Australian Mint printed 50,000 50- cent coins with unique cryptographic codes. There are multiple layers of code on both sides of the coin, and a hidden message is revealed as each layer of code is solved. The coins sold out, the campaign went viral and the ASD received almost 10,000 job applications in a six-month period.

    “It was a great opportunity to tell our story and to demonstrate the fun we have,” says Noble. “That makes more people become curious about what the ASD may have to offer. It is a very cool place to work. You can do things at the ASD that wouldn’t be legal with any other employer in Australia: you can be a legitimate hacker.”

    Deep ties with defence

    During Noble’s tenure as assistant secretary of governance at the ADF, she oversaw the department’s governance and assurance framework. In her current role, Noble reports directly to Minister for Defence Richard Marles.

    The ASD became an independent statutory agency five years ago, however, its relationship with the ADF remains close. The agency’s funding comes from the Integrated Investment Program, which supports all of Australia’s military capabilities.

    “When the ASD was formed during WWII, its principal function was to intercept intelligence from the Japanese military and to rebroadcast those messages out to the Australian and Allied forces in our region,” says Noble.

    “This is a profoundly important role that we continue to play for the ADF. We move with them and ensure they have protection.”

    Noble received a Public Service Medal (PSM) for the contribution she made as the national security chief information officer and cyber policy coordinator.

    She operated within the Department of the Prime Minister and Cabinet and was responsible for improving information sharing in the national security community and coordinating whole-of-government cyber policies.

    In 2005, Noble was appointed deputy chief of facility at the satellite surveillance base Pine Gap. Located in the Northern Territory, the facility is jointly operated by Australia and the US.

    Needless to say, she cannot disclose anything about her work at the top-secret facility — other than to say it was a career highlight.

    “It was one of the most marvellous experiences, and it is a truly joint partnership between Australia and the US,” she says. “The open collaboration and spirit in which the operations are undertaken are world-class. I had the most delightful time living in the outback.”

    A typical posting at Pine Gap is two to three years, but Noble returned to Canberra after just one year. She was pregnant with her first child and her husband had been deployed to Iraq.

    She cared for her newborn with her parents close by and her husband came home after six months.

    Noble believes that defending Australia from hostile foreign forces needs to be a collective effort.

    “Everybody can play a role in denying adversaries access to our networks,” she says.

    “Simple things at the individual level — like having strong passphrases — is really important. Always use multi-factor authentication on services provided to you. And please, don’t do it later. Do it now.”

    Tips from Australia's leading cyber spy 

    1. “The first thing I would say is that a cyberattack can happen to you,” says Rachel Noble PSM, director-general of the Australian Signals Directorate. “The best thing you can do is be prepared. Following basic cyber hygiene practices will go a long way to protect an organisation from the vast majority of potential cyber incidents. There’s a lot of help out there from really credible organisations, including our own, to enable you to be asking the right questions of your IT team.” A good starting point is Questions for Boards to Ask About Cyber Security by the Australian Cyber Security Centre (ACSC):
    2. “Company directors are used to managing financial risks, and risk around data is something that’s got to be attended to at the top levels of the organisation. It requires a proper consideration of risk, balanced with resources apportioned to manage the risk. A business needs to reflect on where its most important data is stored. Are there backups to make the organisation more resilient?”
    3. “The best thing companies can do is conduct an internal exercise, even if it’s just a tabletop discussion about what you would do if a cyber incident occurred. Ask questions like: What will we do? Who will be accountable for which actions? How will we communicate with our customers? What are our obligations? Who do I need to report to? Who do I need to get help from? Do I have Rachel Noble and [the head of ACSC] Abi Bradshaw’s mobile numbers in my phone? I encourage CEOs and others to reach out to us ahead of time.”
    4. “If technology or ICT has not been a part of your career to date, then it is important to arm yourself with enough vocabulary to be able to ask questions of your chief information officer. If you don’t understand what your CIO is telling you, ask them to explain it in plain language. Don’t be afraid that you’re going to look silly or ill-informed. They should be able to communicate with you in a way that resonates with the business — that’s their job.”

    This article first appeared under the headline ‘Top Secrets’ in the July 2023 issue of Company Director magazine.

    Latest news

    This is of of your complimentary pieces of content

    This is exclusive content.

    You have reached your limit for guest contents. The content you are trying to access is exclusive for AICD members. Please become a member for unlimited access.