Cabinet Files: the pebble in the pond that will reshape APS protective security

By Stephen Easton

July 13, 2018

Secretary of Prime Minister and Cabinet Martin Parkinson arrives for the COAG meeting at Parliament House in Canberra, Friday, April 1, 2016. Australian Prime Minister Malcolm Turnbull is today meeting with Premiers and Chief Minister for the Council of Australian Governments. (AAP Image/Lukas Coch)

Ric Smith’s report into the accidentally-sold cabinet papers from PM&C is a ‘human error’ prevention plan that goes far beyond any single agency.

Australian Federal Police investigators blamed human error inside the Department of the Prime Minister and Cabinet, rather than criminal or malicious intent, for a collection of cabinet papers being left inside a filing cabinet, later to end up with ABC news reporters, via an op-shop customer.

Secretary Martin Parkinson has released some details of the AFP investigation, which finished in March, around the same time as he received a report by former public servant and ambassador Ric Smith on how PM&C should improve its security.

“I have personally dealt with and sanctioned a number of officers for their roles in this security breach,” Parkinson reports. “Given the personal nature of sanctions, I will not be commenting further on these.”

Nor will the AFP report be made public. Parkinson said it found “a culmination of human errors in the record-keeping, movement, clearance and disposal of document storage containers by PM&C in February 2016” led to the security breach.

On the other hand, he is hoping Smith’s 28 recommendations achieve “the widest possible awareness” throughout the APS and said he had “wholeheartedly” accepted all of them.

One interesting idea is that delegated security advisers should consider tapping the expertise of PM&C’s behavioural economics team to develop “nudges” to encourage better security practices among staff. Smith also says the internal security team should be more proactive and run “random but frequent internal security checks, and periodic independent audits of staff security, with an emphasis on the storage of classified information”.

The report groups the 28 points under five themes: PM&C’s operating environment; protective security governance arrangements; PM&C’s documented practices, systems and procedures; culture, training and behaviours; and implications for the rest of the APS.

For the whole public service, Smith decided all agency heads should be “advised” to have a look at their own security and proposed the Attorney-General’s Department and Australian Signals Directorate should both play more active whole-of-government roles in this area.

Smith wrote that his findings would mesh with “broader changes and transformation” already happening in the department, and commented that it had “generally sound” security arrangements although they should be modernised and updated. He comments in the introductory passage:

“‘Protective security’ is a term which embraces the security of people, assets, systems, information and documents. Breaches of protective security may arise from activities or failures across a wide spectrum – ranging from espionage to carelessness and error, to assault on individuals, and attacks on property and assets.

“While the impact of breaches can be especially severe at the level of National Security, the importance of failings at any level should not be underestimated.

“They can affect government efficiency and inhibit frank consideration of policy or operational options. They can also erode confidence in the Public Service within both the Government and the Opposition, in the Australian community at large and among foreign governments with whom Australia works. Protective security is therefore critical to the functioning of government.”

Parkinson said his executive board was monitoring implementation of Smith’s prescriptions and “security performance” metrics through monthly reports.

“My Department has been working in recent months to implement these recommendations and I have established a dedicated team to strengthen PM&C’s protective security practices, procedures and culture,” Parkinson states.

Along with the unspecified “sanctions” to specific staff members, the secretary says he has “given strong direction to all PM&C officers on their responsibilities to manage and report potential sources of security failures” and, of course, they had “responded positively” to the changes catalysed by the breach.

Parkinson reports that some of the internal reforms so far include:

  • Digital tracking of “the movement, custodianship and disposal of secure cabinets” and a new “protocol for handling secure cabinets” with compliance audits to check it is being followed.
  • New security training for new starters, existing staff and managers.
  • Revision of policies, guidelines and procedures “to ensure they are clear and fit-for-purpose” following a review of the department’s Security Risk Assessment.
  • A cultural change program “to embed a strong protective security culture” in the department.

The incident has made waves felt throughout the APS, according to the head of its main central agency.

“It is important that the Australian Public Service heeds the lesson of this incident and this has been the subject of attention at the Secretaries Board,” states Parkinson. “Each Secretary across the APS has reviewed his or her security arrangements, drawing on what we have learnt from the incident.”

“The Attorney-General’s Department will henceforth collate and disseminate lessons learnt from system success and failures across the Service, and work with agencies to encourage and support best practice protective security.”

“The Australian Signals Directorate will support this by facilitating further exchanges of information on cyber security.”

AGD secretary Chris Moraitis also has a new role: to “regularly highlight protective security issues at Secretaries Board meetings to ensure a comprehensive response across all agencies”. Parkinson also says he accepts personal responsibility for trying to stop such an incident happening again:

“As I have indicated previously, I am deeply concerned that such an extraordinary lapse of security could occur.

“I am committed to ensuring that such an unauthorised disclosure does not happen again and that the lessons from this are disseminated and absorbed across the entire Australian Public Service.

“We have spent the last few months since receiving the AFP and Smith Reports reinforcing our protective security culture in PM&C and this will remain an issue of ongoing focus for me and for our entire Department.”

The department was probably pleased it was the national broadcaster and not one of its commercial rivals that obtained the papers. Within the media industry, the ABC received a lot of criticism for not doing more with the documents, before letting the Australian Security Intelligence Organisation take control of the situation and, eventually, return the papers to PM&C.
