13 July 2018

Smith Review on APS Security

The Department of the Prime Minister and Cabinet (PMC) has released the report by Ric Smith AO PSM on his review of the Department's 'security procedures, practices and culture, including the implications for the Australian Public Service more broadly'. It

The review followed publication by the ABC of a webpage called "The Cabinet Files", which featured a series of classified Commonwealth documents provided by a third party, reportedly found in a locked filing cabinets at a second-hand furniture shop in Canberra. Publication occasioned much schadenfreude across the APS.

The ABC comments 'Hundreds of top-secret and highly classified cabinet documents have been obtained by the ABC following an extraordinary breach of national security'.
The Cabinet Files is one of the biggest breaches of cabinet security in Australian history and the story of their release is as gripping as it is alarming and revealing. 
It begins at a second-hand shop in Canberra, where ex-government furniture is sold off cheaply. The deals can be even cheaper when the items in question are two heavy filing cabinets to which no-one can find the keys. They were purchased for small change and sat unopened for some months until the locks were attacked with a drill. Inside was the trove of documents now known as The Cabinet Files. 
The thousands of pages reveal the inner workings of five separate governments and span nearly a decade. 
Nearly all the files are classified, some as "top secret" or "AUSTEO", which means they are to be seen by Australian eyes only. 
But the ex-government furniture sale was not limited to Australians — anyone could make a purchase. 
And had they been inclined, there was nothing stopping them handing the contents to a foreign agent or government.
The Australian Federal Police (AFP) lost nearly 400 national security files in five years, according to a secret government stocktake contained in The Cabinet Files. 
The Department of Prime Minister and Cabinet regularly audits all government departments and agencies that have access to the classified documents to ensure they are securely stored. 
The missing documents are not the same files the ABC has obtained. 
The classified documents lost by the AFP are from the powerful National Security Committee (NSC) of the cabinet, which controls the country's security, intelligence and defence agenda. 
The secretive committee also deploys Australia's military and approves kill, capture or destroy missions. 
Most of its documents are marked "top secret" and "AUSTEO", which means they are to be seen by Australian eyes only.
The Department states it referred the matter to the Australian Federal Police for investigation into how these documents left the Commonwealth's possession; it is reasonably evident that the documents came from within PMC.

The Terms of Reference for the Smith review were
At 12 noon on Wednesday 31 January, the ABC published a webpage called "The Cabinet Files". The webpage referenced a series of classified Commonwealth documents provided to the ABC by a third party, reportedly following the purchase of locked filing cabinets at a second-hand furniture shop in Canberra. 
The Secretary of the Department of the Prime Minister and Cabinet (PMC) has referred this matter to the Australian Federal Police (AFP) for investigation into how these documents left the Commonwealth's possession. The Secretary has confirmed that it is reasonably evident that the documents came from within PMC. 
As part of the response to this incident, the Secretary has commissioned Mr Ric Smith AO PSM to undertake an independent review of PMC's security procedures, practices and culture, including the implications for the Australian Public Service more broadly. 
In order for it to effectively discharge its responsibilities, it is critical that the Australian Public Service appropriately safe guards all official information, to ensure its confidentiality, integrity, and availability. 
The review will make recommendations to ensure that PMC safeguards official information in an appropriately secure and practical manner that reflects the trust and confidence placed in them by the Government and the Opposition of the day, and will address the implications of these findings for the Australian Public Service. In particular, the review will consider PMC's security procedures, practices and culture, including:
• PMC practices, systems and documented procedures for handling, storing, disposing of and providing access to official information, as well as the safe guarding and disposal of assets used to store official information; 
• the effectiveness of these procedures in responding to staff movements and in different working environments; and 
• the formal and informal security culture within PMC, including ­ internal communication and training regarding security, and ­ the awareness, behaviours and attitudes of staff towards proper security.
The review will also address the implications of its findings on these matters for the broader Australian Public Service.
The 42 page report states
The incident that triggered this Review would have been very serious for any Public Service agency but was especially so for the Department of the Prime Minister and Cabinet (PMC) given its position at the apex of Commonwealth agencies. 
In commissioning this Review, the Secretary of the Department recognised the gravity of the incident and sought advice on measures that needed to be taken to optimise protective security management in the Department. 
The incident was investigated by the Australian Federal Police (AFP), whose report identified ‘human errors in the record keeping, movement, clearance and disposal of document storage containers by PMC in 2016 rather than a deliberate unauthorised disclosure’. 
This Review concluded that the Department should strengthen the high-level governance of its protective security responsibilities, and demand a more robust security culture in the organisation. While the Department’s procedures, protocols and guidelines are generally sound, they are in need of updating and modernising in response inter alia to its fast changing working environment. The shortcomings reflected in the incident which triggered this Review should be addressed through the revision of procedures, protocols and guidelines and through more targeted training programs. 
‘Protective security’ is a term which embraces the security of people, assets, systems, information and documents. Breaches of protective security may arise from activities or failures across a wide spectrum – ranging from espionage to carelessness and error, to assault on individuals, and attacks on property and assets. While the impact of breaches can be especially severe at the level of National Security, the importance of failings at any level should not be underestimated. They can affect government efficiency and inhibit frank consideration of policy or operational options. They can also erode confidence in the Public Service within both the Government and the Opposition, in the Australian community at large and among foreign governments with whom Australia works. Protective security is therefore critical to the functioning of government. 
In addressing its Terms of Reference, this Report describes the environment in which protective security must be managed within PMC (Chapter 1) and then, in order, describes and makes recommendations about:
• the protective security governance arrangements in place in PMC (Chapter 2), 
• the existing documentation in PMC, including practices, systems and procedures relating to protective security (Chapter 3) 
• PMC’s culture in regard to protective security and its relevant training programs (Chapter 4), and 
• the implications of the recent incident for the broader Public Service, including lessons that might be drawn from the Review for other agencies (Chapter 5).
 It goes on to make the following recommendations
Chapter One: PMC’s operating environment 
1. PMC's risk management framework should clearly identify the risks associated with the Department's unusually complex operating security environment. 
2. As a matter of risk management, all staff joining PMC at the level of EL2 and above, or promoted to those levels, should be briefed on the complexity of the Department's working environment and the level and nature of the risk they, as managers, are responsible for managing. 
3. A further review should be undertaken after 12 months to confirm that the agreed recommendations in this Report have been implemented and, to the extent possible, to measure their effectiveness. 
Chapter Two: Protective Security Governance arrangements 
4. Protective security should be specified as one of the whole-of-department responsibilities of Deputy Secretary Governance, who should attend the quarterly meetings of the Government Security Committee which is chaired by the Attorney-General's Department, with Deputy Secretary National Security attending National Security related meetings as appropriate. 
5. The Executive Board should consider regular, say monthly, compliance or breach reports prepared jointly by the IT Security Advisor (ITSA) and Agency Security Advisor (ASA), including data on breaches and security waivers, recording any incidents of particular concern and explaining the remedial action taken. 
6. To facilitate security compliance reporting to the Executive Board, processes for recording security breaches should be improved as soon as practicable to ensure robust security data is collected to enable comparisons over time and between work units. 
7. This data should be used to ensure that staff who incur breaches are actively counselled. A staff member who incurs two breaches in a Performance Agreement year should be counselled by a First Assistant Secretary. Three breaches in a year should lead to counselling by the Secretary or Deputy Secretary, and should trigger a review of the staff member's security clearance. 
8. In anticipation of a recommendation from a current review of the Protective Security Policy Framework (PSPF), PM&C should nominate the head of Corporate Division as Chief Security Officer, responsible for both ICT and non ICT security. 
9. Corporate Division should prioritise the completion of an integrated, real-time framework to link staff profiles and movements (e.g. onboarding, leave, promotion, temporary secondments, and exit) with asset registers including responsibility for individual containers, the assignment of digital devices, and other PMC records. 
10. The 'clear desk' policy required in the Department's Protective Security Plan should be enforced, and security staff clearly mandated to record and report breaches. 
Chapter Three: PMC’s documented practices, systems and procedures 
11. PM;C's Protective Security Plan (the Plan) and its supporting policies, protocols and guidelines should be updated as a matter of urgency to reflect Machinery of Government changes since 2015, lessons learned from the recent incident, increased digitalisation and changes in office configurations following from the implementation of 'Working Your Way'. 
12. The revision of the Plan and its supporting documents should aim for coherency and consistency across the Department's policies and procedures; avoid duplication; ensure that the revised documents are both clear and accessible; and distinguish clearly between those areas in which high-level principles are sufficient and those in which compliance-based directions are necessary. 
13. New and specific requirements to the disposal and relocation of security containers should be implemented with immediate effect. Detailed recommendations are set out in the Annex of Chapter 3. 
14. Consideration should be given to whether secure containers should simply be destroyed, that is transferred to a scrap metal dealer, with drawers removed, rather than passed to agents for public sale at the end of their useful life. 
Chapter Four: Culture, training and behaviours 
15. The Secretary and Deputy Secretaries should lead in raising awareness and accountabilities for security across the PMC network, including by using opportunities in their weekly communication with staff. 
16. All Canberra-based new starters should be required to undertake face-to-face security training within the first week of starting at PMC, including IT security, Physical and Personnel security, and storage and handling of Cabinet documents. 
17. All staff in the regional network should be required to complete mandatory online induction training within a week. 
18. In parallel, a PMC team, comprising Learning and Development staff and security personnel, should regularly evaluate the effectiveness of the Department's security training, including assessing the value of face to face training versus e learning modules and training. 
19. PMC's Security section should initiate random but frequent internal security checks, and periodic independent audits of staff security, with an emphasis on the storage of classified information. The outcomes of regular audits should inform targeted areas for further training and nudges. 
20. The ASA and the ITSA should consider working with the Behavioural Economics Team of the Australian Government to assess options for increasing security awareness at key points in information and document management processes. 
21. The redesign of PMC's working environments (physical and virtual), including the transition to Working Your Way, must be accompanied by a. an assessment of the implications of environmental changes, including the centralisation of key facilities such as shredders and storage facilities; b. enhanced promotion of advice for staff accessing PMC resources on mobile devices in public spaces. 
22. Consideration should be given to nominating 'Security Champions' in branches to help grow the security culture and establish a continuous line of communication with the ASA and ITSA. 
Chapter Five: Implications for the Australian Public Service 
23. Secretaries and agency heads should be advised to review protective security management arrangements in their agencies, paying particular attention to higher level governance and to ensuring an appropriate security culture. 
24. In addition to agencies' annual compliance reports, reports resulting from investigations or inquiries into significant security incidents in agencies should be passed to the Attorney-General's Department (AGD), redacted to exclude names and other personal or sensitive information; and AGD should use these reports and the agency compliance reports to develop an annual assessment for the Attorney-General about the 'protective security hygiene' of Commonwealth agencies. 
25. AGD should be asked to engage regularly with 'security executives' or ASAs to enable exchanges of information about developments in the area of non-IT protective security and to share 'lessons learned' from any investigations, reports or reviews in the area of protective security. 
26. The Australian Signals Directorate (ASD) should be asked to facilitate exchanges of information about cyber security and risk assessments to support greater alignment of risk and planning across agencies. 
27. AGD should be asked to survey suitable protective security courses and security training services, including but not limited to courses offered through Registered Training Organisations, and ask agency heads to review the training needs of their staff in this area. 
28. Protective security should be routinely included as a standing item on the agenda for Secretaries' Board meetings to enable the Secretary of AGD to report significant incidents and other matters of non-compliance with the PSPF, and to enable the Secretary of PMC to advise Secretaries on matters relating to agencies' handling of Cabinet documents.