[BreachExchange] Australia: Security is not a dirty word

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 20 18:46:27 EST 2018


For over a decade, both of our major political parties, in the face of
uncertain times, have been going forth ‘getting tough on security’. It
would seem that General Melchett, Stephen Fry’s character from the 1980s
comedy classic Blackadder Goes Forth, must’ve been right when he declared,
‘Security is not a dirty word’. However, security became a really dirty
word for government last month when we had one of Australia’s biggest
breaches of cabinet security. Thousands of documents spanning nearly a
decade—nearly all classified—were sold off in two old filing cabinets at a
Canberra second-hand shop.

You could be forgiven for chuckling over the irony that at the same time
that our government was talking up new legislation to protect the country
from foreign interference, one department was giving the secrets away. All
jokes aside, the real problem is that the ‘Cabinet files’ may not be a
‘one-off’ breach, but rather a symptom of the Commonwealth’s declining
investment in one of the less interesting but crucial elements of national
security: protective security policy.

Let’s not forget that as bad as the Cabinet files breach was, it also
revealed other security problems:

- The Australian Federal Police ‘lost’ national security files.
- Nearly 200 top secret, code word–protected documents that were supposed
to be collected by the Department of Finance were left behind in a locked
cabinet in the office of Senator Penny Wong during the transition of
government in 2013.

Just as the dust was settling over the Cabinet files, the Australian
government was struck by another embarrassing security breach. A classified
notebook and identification cards belonging to a Defence official were
found by a member of the public.

Our growing protective security problem isn’t confined to physical or
information security either, as there are also long-term problems with
personnel security. In August last year, following the 2017 Independent
Intelligence Review, Kate Grayson highlighted that ‘the long delays in
security vetting for some of our key intelligence agencies are clearly
unacceptable’. John agreed but argued that decentralisation was not the
answer. While these delays had much to do with an increasing demand for
clearances, the problem had been present for many years with little in the
way of an effective policy response.

While Australia’s protective security has been tested recently and
certainly been found wanting, the problem originated with changes to
Australia’s protective security framework at the beginning of the decade.

In 2010, the Commonwealth embraced a paradigm shift in the government’s
protective security model that moved from a prescriptive compliance
approach under the Protective Security Manual to a risk management approach
under the Protective Security Policy Framework (PSPF).

The PSPF model provides guidance to government in identifying and managing
security risks to its personnel, intellectual property and assets. The
model was developed to build a secure information architecture across the
various tiers of Australian government. This information architecture was
supposed to create the security environment necessary for the conduct of
government business with the Australian public. In other words, it’s the
nuts and bolts for ensuring that government activities and confidential
information flows remain secure. However, the PSPF’s decentralised and less
prescriptive approach appears to have created some rather conspicuous
protective security gaps between agencies and other stakeholders in the
private sector.

Australia’s protective security policy environment has become increasingly
complex in recent years. As Australia increasingly relies on public–private
partnerships in defence and security, if the government’s security
arrangements stymie threats, those threats are likely to seek out
third-party contractors, who are probably easier marks.

The government seems to be fine with that. Minister for Defence Industry
Christopher Pyne says that the government can’t be held responsible for a
contractor’s lax security. But Pyne’s sentiments contradict the PSPF, which
specifies that ‘[government] agencies must ensure the contracted service
provider complies with the requirements of this policy and any protective
security protocols’.

Owing to the PSPF, training courses accredited by the Attorney-General’s
Department and delivered by the Protective Security Training College in
Canberra and the Australian Emergency Management Institute in Mt Macedon,
Victoria, aren’t offered any longer. Security practitioners argue that this
has led to a deskilling among government security professionals.

The risk-based model also led to a downsizing of the Protective Security
Coordination Centre, which was historically charged with formulating
security policy. More recently, the responsibilities have shifted to
Emergency Management Australia (EMA). With EMA’s transfer to the newly
established Home Affairs Portfolio, it now falls under the remit of
Minister Peter Dutton.

The incidents above tell us that Australia’s PSPF isn’t satisfying the
government’s protective security requirements. More than a few commentators
and policymakers will be quick to argue that a fully digitised information
architecture—which would provide a tighter grasp on information flows—could
be the trick to improve security. However, there’s a broader imperative for
a reformed protective security doctrine.

At a time when the security threat is so diverse, the nation’s protective
security arrangements need to be independently reviewed as soon as
possible. Such a review would need to examine the full spectrum of
physical, information and personnel security policies that form the
framework of our protective security strategy. The terms of reference would
also need to address such issues as security cultures, awareness, training
and education.

To be sure, finding and punishing the public servant responsible for
the Cabinet files will have no impact on national security, nor produce
any lasting improvement in security. The rot is entrenched in the system
and must be exorcised.