Australian Government agencies will be required to vet their staff on an ongoing basis in order to protect sensitive government data against the kind of "insider threat" posed by the likes of Edward Snowden and Bradley Manning.
Attorney-General George Brandis this morning unveiled revised mandatory requirements for how agencies should screen employees, which could potentially see periodic staff security assessments replaced by dynamically ‘pushed’ information, to keep tabs on staff on an ongoing basis.
Brandis recently directed his department to review the existing personnel security policy under the Australian Government’s protective security policy framework (PSPF), which sets out the controls government agencies are expected to take to protect their people, information and assets.
The changes to the personnel security policy aim to reduce the risk of loss, damage or compromise of Commonwealth resources by “providing assurance about the suitability of personnel authority to access those resources” in response to risks posed by “insider threats” such as Edward Snowden and Bradley (now Chelsea) Manning, Brandis said.
“They aim to minimise the potential for misuse of those resources either by inadvertent or deliberate disclosure,” he told delegates at the Security in Government Conference today.
“To address the risks that could arise from a trusted insider, the importance of security vetting, contact reporting and ongoing monitoring of our employees’ suitability to access information should never be underestimated.”
Brandis also asked the Attorney-General’s department to explore vetting in a “paradigm of evolving threat”, specifically ‘dynamic’ vetting in which information about an employee requiring clearance is pushed to the vetting agency, rather than being provided by the employee themselves.
“There is a need to change our focus from point-in-time suitability assessments to continuous monitoring and assessments of each person’s ongoing suitability,” Brandis said.
“The new and emerging threats we face require Government to constantly revisit and revise our approach to national security. This should be extended to personnel security and vetting, where it is not enough to simply tick and flick an application every few years.
“We must take a dynamic, not a static, approach to the assessment of suitability.”
The revised personnel core security policy now contains nine mandatory requirements for government agencies, compared to the previous six.
The main changes will require agencies to monitor the suitability of personnel on an ongoing basis. To address deficiencies in the flow of information between the employing agency and the vetting agency, the Government will also require both to share any information that may change the security clearance status of the staff member in question.
The policy also now puts the onus on agencies, rather than individuals, to advise the Australian Government Security Vetting Agency when a clearance holder ends their employment.
The AGD’s national security chief Mike Rothery said there was a sense amongst public service staff that much of the emphasis for clearances lay in the paperwork and bureaucracy rather than in identifying the risk factors.
“Many [who] have gone through the validation process will think ‘oh, I have to give these details again, didn’t I give this to them 10 years ago?’” Rothery said.
He said the department was beginning to work on ways in which the collection and monitoring of information for staff clearance and validation could be automated.
“There’s certainly been suggestions made to us that we can go to a push model, where information about people’s border movements, credit history, criminal record can actually be pushed to vetting areas, as opposed to having to go through periodic validation where information is sought about the candidate,” he said.
“If that is possible we can focus more on reviewing for cause rather than reviewing because a certain number of years have lapsed.
“It means we can use those resources to identify and test risk with the candidate rather than come back every five, seven, ten years to go through an exercise that looks and feels very similar to the ones candidates have been through before.”
Insider threats more dangerous than external attack
The decision to update the Commonwealth’s protective security policy framework (PSPF) was made in response to the evolving national security threat posed by trusted insiders, which Brandis said was the most likely source of a breach within an organisation.
He cited the recent cases of Bradley Manning and Edward Snowden, both of whom leaked large volumes of classified United States documents to the public, as examples of the damage such threats pose.
“Macbeth, Brutus, Iago were all trusted insiders. Judas Iscariot is one of the historically best known examples of a trusted insider,” Brandis said.
“More recently, I don’t need to remind anyone about the damage caused to the US and its allies through the treachery of Edward Snowden. His revelations have placed Australia’s relationships with countries in our region under strain. Prior to Snowden’s disclosure, we were working with our allies to fight national security threats and combat people smuggling and organised crime.”
Brandis said the ability for large amounts of information to be easily stored - along with the increasing networking capabilities of computers and other devices - has meant trusted insiders are now able to access massive amounts of sensitive data and copy and transfer it without difficulty.
He said government agencies need to better manage their staff to minimise the potential for espionage, corruption, fraud, unauthorised disclosures and other security breaches, by creating a culture of security.
“We need to change the focus of personnel security from assessing suitability to assessing and maintaining suitability to work for the Australian Government, whether [those workers are] accessing classified information or not.”