The federal government is facing multiple problems with its own security, including alarming claims from Parliament House whistleblowers just in time for Senate estimates.
The Australian National Audit Office reports the agency responsible for vetting public servants is not mitigating the risk of “insider threats” effectively. Meanwhile, its parliamentary oversight committee is concerned about security issues in diplomatic missions, including some ANAO found 10 years ago.
And yesterday, despite an expensive and long-running series of upgrades to safeguards on Capital Hill, parliamentary security guards have told Buzzfeed News they feel exposed by inadequate training and a cavalier attitude towards dealing with suspicious powders.
In the fourth such incident since November, when a guard casually taste-tested a random powder that turned out to be sugar, an envelope containing white powder arrived at the Prime Minister’s office last Friday while he was in Sydney. Buzzfeed’s sources allege guards and Australian Federal Police officers have repeatedly failed to follow official procedures, which include cordoning off the area and calling the fire brigade’s hazardous materials team.
Instead of locking down the area around the PM’s office and calling experts with proper safety equipment, the anonymous sources have claimed, the responders simply donned cheap cover-alls that provide no protection from hazardous materials and got out their own testing machine. The device has reportedly been put into use without formal training in its use or related safety procedures, and was originally intended only for use in the sealed mail-sorting room.
For a government whose ministers are big on keeping the community safe, the Commonwealth has a surprising list of long-standing issues with its own security in high profile places.
Security clearances unreliable
According to auditor-general Grant Hehir’s new report, security clearances in the Australian Public Service are not providing agencies with the assurance they should.
The Australian Government Security Vetting Agency is “not implementing the Government’s policy direction to share information with client entities on identified personnel security risks” and certain mandatory parts of the Protective Security Policy Framework related to personnel are not being followed.
The second finding applies to AGSVA and five agencies selected for the audit: the Attorney-General’s Department — which is responsible for the PSPF — Home Affairs, the Australian Radiation Protection and Nuclear Safety Authority, the Digital Transformation Agency, and the Australian Securities and Investments Commission.
Things haven’t improved enough for Hehir’s liking since June 2015, when ANAO found the establishment of centralised vetting through AGSVA in 2010 had delivered “mixed” results in terms of performance and efficiency, with expected annual savings of $5.3 million failing to materialise.
“AGSVA collects and analyses information regarding personnel security risks, but does not communicate risk information to entities outside the Department of Defence or use clearance maintenance requirements to minimise risk,” according to the new report.
“Since the previous ANAO audit, AGSVA’s average timeframe for completing Positive Vetting (PV) clearances has increased significantly.”
One positive note is that for other levels below PV, more processes are being completed within the benchmark timeframes than a few years ago.
Hehir notes the vetting unit, part of the Department of Defence, is trying to speed up its PV processing times and improve quality control. It is mainly hanging its hopes on a new IT system to do away with “inefficient processes and data quality and integrity issues” but that project isn’t due to finish until 2023.
“Selected entities’ compliance with PSPF personnel security requirements was mixed,” adds the simple version of his conclusion.
“While most entities had policies and procedures in place for personnel security, some entities were only partially compliant with the PSPF requirements to ensure personnel have appropriate clearances.
“None of the entities had fully implemented the PSPF requirements introduced in 2014 relating to managing ongoing suitability. In addition, entities did not always notify AGSVA when clearance holders leave the entity.”
Vetting resulted in 99.88% of clearances being granted without “additional risk mitigation” conditions in 2015-16 and 2016-17, despite “potential security concerns” coming up in a significant number of cases.
“On rare occasions AGSVA minimised risk by denying the requested clearance level and granting a lower level, or avoided risk by denying a clearance,” ANAO reports. “In some cases identified concerns, which were accepted by AGSVA on behalf of sponsoring entities, should have been communicated to entities or managed through clearance maintenance requirements.”
A 2014 update to the protective security policy required AGSVA to update its consent forms so it could share information from the vetting process with the agency where the applicant hopes to work – sharing it has never done, citing privacy legislation. It did not meet that requirement:
“Defence and AGD gave a commitment to Government in October 2016 that AGSVA would start sharing risk information in 2017–18.
“AGSVA updated its consent form in February 2017, but its revised form does not explicitly obtain informed consent to share information with entities. Consequently, AGSVA has not met the intent of the Government’s 2014 policy reform.”
On the other side, AGD, ARPANSA and DTA had not updated their own forms to obtain informed consent to share sensitive information with AGSVA.
In the five other agencies, the auditors found “plans, policies and procedures” related to personnel security were generally in place, but some had not been updated after the 2014 PSPF reforms. Fittingly, all of these documents are still a work in progress for the DTA; perhaps they are stuck in private beta testing.
“There was limited evidence of entities undertaking personnel security risk assessments to inform their plans, policies and procedures,” the report adds, and more worryingly:
“AGD, ASIC, Home Affairs and DTA did not have adequate controls and quality assurance mechanisms for ensuring their personnel have appropriate clearances. For each of these entities, a small number of current personnel were identified who did not hold required clearances.”
The PSPF allows waivers to eligibility requirements for clearances in some cases and temporary access so certain staff can start working before being cleared, which agencies use to get new staff at their desks sooner. “AGD, ARPANSA, ASIC and DTA had not fully complied with PSPF controls for eligibility waivers.”
The audit report adds that of the five, only DTA had failed to put in place mandatory arrangements for “managing ongoing suitability, including change of circumstances and contact reporting, and mandatory security awareness training” required by the PSPF.
“None of the entities had implemented the PSPF requirement to conduct an annual health check for clearance holders and their managers.”
Hehir makes eight recommendations and all six agencies agree to implement them where applicable. Other agencies should clearly take heed and make sure they are up to speed as well.
The key learnings for all agencies in this report cover governance and risk management, ICT procurement, and implementation:
- “When procuring a major ICT system that will contain sensitive information, undertaking a thorough risk assessment prior to putting the system into production provides greater assurance that information will be appropriately protected.
- “Separating policy and operational functions can lead to implementation challenges. If these functions need to be separate, effective oversight arrangements should be established to avoid silos emerging.
- “Sometimes the risks of not sharing information are greater than the risks of sharing it. Entities should comply with privacy and information security requirements, but should not use these provisions as an excuse not to share pertinent information.
- “Policy owners should provide clear, user-friendly guidance and templates that make it easy to comply with policy requirements.”
Diplomats in danger
It’s not just up on Capital Hill and in major departments where security issues are evident; public servants representing Australia overseas are also at risk, according to ANAO’s parliamentary oversight committee.
The Joint Committee of Public Accounts and Audit wants the Department of Foreign Affairs and Trade to redouble its efforts to keep its staff and its diplomatic missions safe, after a follow-up audit last August found it had been slow to implement recommendations despite having many years to do so.
This may well come up in estimates as well. After holding an inquiry into the issues raised by the auditors, the JCPAA has concluded there was “poor coordination and a lack of consistency” in DFAT’s offshore security measures, despite the potential for “catastrophic” consequences, in the department’s own words.
“A number of issues identified were also characterised by inadequate monitoring and assurance,” adds its inquiry report, which makes eight recommendations.
“The Committee considers that the ANAO’s findings, and the persistence of ‘weaknesses relating to overseas security measures’ [in ANAO’s words], undermine the department’s credibility before parliamentary committees.”
The joint committee also gives a tip on how to please parliamentarians; its concerns were “exacerbated by responses which focussed on processes currently underway without clear commitments regarding timeframes” from DFAT.
The committee is waiting on word about a new departmental security framework that was expected in March but is yet to be finished, and notes pointedly that some of the gaps picked up last August were identified in February 2005.
“Inconsistencies identified by the ANAO in DFAT’s record-keeping, risk assessments and inspection arrangements have undermined the Committee’s confidence that measures are being appropriately deployed and monitored across posts,” the report states.
Leaders need to provide clear direction and effect cultural change, the MPs argue, and staff skills and capability must be strengthened in the relevant security-related areas. Inadequate IT infrastructure also makes another appearance, in this case limiting DFAT’s ability to be certain that all staff have received the required training.
“The Committee was advised that changes are being made to corporate and human resource processes but it was not clear how these improvements would provide for greater assurance. In light of this, the Committee requires further information from DFAT about work underway to address this deficiency.”
Cyber security is a key part of overall security these days, and the committee has put DFAT on notice once again regarding its compliance with the “essential eight” threat mitigation measures, and the need for all staff to be made aware of how they contribute to information security. The JCPAA wants to be assured that “all staff have the appropriate training to help protect DFAT’s networks from cyber threats” including those who are foreign citizens.
Incidentally, cyber security is also the topic of the first edition of a newsletter that aims to share knowledge between the auditing offices of Commonwealth nations, which is currently being produced by an editorial board made up of Grant Hehir and his counterparts from Fiji, Jamaica and Tanzania.
Cyber security: the other side of the coin
Keeping information safe becomes a more involved task all the time as cyber threats become more advanced, comments the inaugural newsletter’s guest editor Sir Amyas Morse, comptroller and auditor general of the United Kingdom civil service. Digital tools based on data sharing, analytics and so forth can be very useful to agencies, including audit offices, he points out, but the risks are rising at the same time.
“Cyber security is in many ways the other side of this coin,” Sir Amyas writes. “The recent global attacks have been a wake-up call for many governments who, for good reasons, are seeking to use technology to innovate public service delivery.
“Our performance audits often recommend efficiency gains through automation, or improved decision making through using better information derived from the analysis of vast sets of data.
“However, I believe that when we encourage innovation, we should ensure this does not compromise security. I am sure you would agree this can be a difficult balance for governments to achieve.”