The Department of Prime Minister and Cabinet is hoping to eradicate the awkward issue of mislaying secure containers for its classified documents by deploying a new cloud-based digital asset registry built on the ServiceNow platform.
The move was revealed in the official autopsy into how a secure container (essentially a document safe) which held classified Cabinet documents, including national security sensitive material, was mistakenly sold off to a government disposals dealer.
The container’s contents later found their way to national broadcaster the ABC after a further unsuspecting purchaser eventually managed to prise open the fortified box and found a trove of classified material.
Aside from exposing a sequence of human error that led to the loss, the investigation report released on authored by former Defence Department Secretary Ric Smith details a raft of reforms for handling secure information that traverse both digital and non-digital spheres.
According to the Smith report, all “secure containers” have now been given a new sequential reference number and unique “asset identifier barcode”, with records “transferred to a digitalised asset register that will record the names of officers with access to the container.”
“A new online application (Service Now) process has been implemented to manage requests for new secure containers, their relocation and disposal,” the investigation report said, adding the software will “significantly improve reliability, auditability and tracking of information.”
Contract notifications on the government’s AusTender procurement register show ServiceNow secured a $1.67 million deal for ICT contractor services from June 2016 to June 2019, with an additional $90,000 contract let between May and June 2017.
Smith has also firmly put it to government agency boards that they need to take more holistic, regular and timely stock of protective security arrangements, tech or physical.
“The Executive Board should consider regular, say monthly, compliance or breach reports prepared jointly by the IT Security Advisor (ITSA) and Agency Security Advisor (ASA), including data on breaches and security waivers, recording any incidents of particular concern and explaining the remedial action taken,” the Smith report said.
“In anticipation of a recommendation from a current review of the Protective Security Policy Framework (PSPF), PM&C should nominate the head of Corporate Division as Chief Security Officer, responsible for both ICT and non ICT security.”
Ironically, one of the reasons highly classified material has remained in printed form is to physically control its access and distribution.
The Smith report also observed technologists charged with maintaining protective security were better networked and shared information about “the frequency and nature of incidents affecting their systems” than their non-tech peers.
“The same degree of ‘connectedness’ and information sharing is not evident at this time in regard to non-ICT related protective security. There is some exchange at an informal level, but for instance lessons or recommendations arising from enquiries or investigations into incidents are not shared among agencies (or received by AGD),” the report said.