07 August 2009

Time to get serious about security

The prior disclosure to The Australian of the police operation against a group of people allegedly planning an attack on Holsworthy Army Base demonstrates once again the need for those responsible for the protection of national security information to start taking their responsibilities seriously, and in conformity with applicable law.


The hotly debated questions of whether the management of the newspaper provided an appropriate level of cooperation with the authorities responsible for the operation, and whether the newspaper did or did not hit the sales counters before the operation commenced, while of some second-order importance, are completely irrelevant to the main issues here.


Some relevant background about the handling of information with a national security classification:


- No person is entitled to have access to any national security information unless they have a security clearance to the appropriate level. Australian practice recognises four levels of security clearance: in ascending order Restricted (equivalent to the US “For official purposes only”), Confidential, Secret and Top Secret. Clearance to the higher levels requires extremely comprehensive and invasive background checks.


- Overlaid on the level of security clearance is the need to know principle. The fact that an officer is cleared to a particular level does not create an entitlement to access to information at that level; it only creates an entitlement to be granted access to that information which is needed for the performance of their duties.


- It doesn’t end there. Overlaid onto that framework is the existence of compartments, access to which requires an officer to be specifically admitted (determined on the basis of need to know), and to enter into additional undertakings regarding the protection of information circulating within that compartment. One of the usual obligations here is not even to mention the existence of the compartment to anyone who is not a member of it (the first line of defence of national security information is to avoid arousing curiosity about it or its existence); another, which flows from that, is the requirement to ascertain from a designated source whether any particular individual has access to material within that compartment.


- Every level of national security classification and compartmentalisation carries with it strict rules regarding the physical and IT protection to be afforded the information – e.g., must not be left unattended, must be locked overnight in a certain kind of safe, must not be removed from the building, must only be transmitted over certain designated networks etc. Being briefed on, understanding and being in a position to comply with these physical and IT protection requirements is a fundamental part of being granted access to documents of any classification or compartment.


- The classification to be given to a document is determined by the person who creates it, in accordance with certain rules, of which the most obvious is that it must be classified to at least the level of the highest level information it contains, and if it contains compartmentalised information then the document must be restricted to authorised persons within that compartment.


- Documents may not have their classification downgraded without reference back to the originator – only the originator knows the sources of all the material that was used in the preparation of the document.


- The sharing of intelligence or other national security classified information between states or between agencies within states normally comes with a high degree of conditionality – it is at all times to be provided with the degree of protection appropriate to its classification and sensitivity, it is to be made available only to authorised persons and on the basis of a strict need to know, it is not to be further disseminated without prior written authorisation, and it is to be used only for the purposes for which it has been made available.


- It is an offence against Section 70 of the Commonwealth Crimes Act for any Commonwealth officer to disclose any national security information to anyone to whom they are not authorised to disclose it:


(1) A person who, being a Commonwealth officer, publishes or communicates, except to some person to whom he or she is authorized to publish or communicate it, any fact or document which comes to his or her knowledge, or into his or her possession, by virtue of being a Commonwealth officer, and which it is his or her duty not to disclose, shall be guilty of an offence.

- The above rules and procedures make it extremely difficult, even for the most senior people in the national security apparatus, to authorise disclosure or downgrading of classified material (there may, for example, be a whole chain of upstream document originators, not all of them in Australia, from whom prior consent must be obtained). As Secretary to the Department of Defence, while I had ultimate responsibility for the protection of all classified information held by the Department, I had no authority to “authorise” its release to persons not entitled to have access to it.


The points that occur to me about the sorry tale of the prior release to The Australian of information about a sensitive and potentially dangerous police operation are:


- Quite aside from any question about the time that the newspaper went on sale, upstream of the sales counter there was a whole supply chain of unauthorised persons who had access to information about the operation, for periods ranging from hours to days. Any one of these could have used it or disclosed it to others to the detriment of the success of the operation and the safety of those who were to participate in it. From the moment the information had been disclosed to journalist Cameron Stewart, the police forces and ASIO had lost control of the information.


- It would be interesting to know what notes Cameron Stewart took at the time, what documents he created subsequently in the course of preparing newspaper copy, what physical protection was afforded at all times to his original notes and all copies of subsequent documents, and to his computer(s), what level of IT security applied to any network on which any relevant material was transmitted, etc.


- Disclosure of the information can only have come from within a very tight circle of people within the three agencies involved – ASIO, the Australian Federal Police and the Victorian Police.


- Whoever disclosed it might have done so in the belief that they were “authorised” to do so, i.e., someone higher up their chain of command had given them “permission” to brief a “responsible” journalist who could “be relied upon”. For reasons outlined in the backgrounder above, however, I would take a lot of convincing that whoever “authorised” this disclosure actually had proper authority to do so. The disclosure seems to me to be almost by definition an offence against the Commonwealth Crimes Act and no doubt against equivalent Victorian legislation.


- Apart from any security considerations, the tipping off of media about any raid would appear to involve substantial prejudice to the right to a fair trial of people who are entitled to a presumption of innocence, not to mention a massive invasion of the privacy of people who are raided but not taken into custody. In this case 19 properties were raided and four people were arrested; either the police raided a lot of empty houses or a lot of the occupants of these houses were not considered to have any case to answer.


Regrettably, serious breaches of national security are not nearly as rare as they ought to be. To take two specific examples from the 1990s:


- In the run-up to the referendum in East Timor, someone thought it a good idea to blab to a journalist from The Age extremely sensitive information about our intelligence capabilities against Indonesian military communications within East Timor. The moment the story was published, that vital source of tactical and operational intelligence was lost. This was just days before we were to put unarmed police into that highly volatile environment. Lives might well have been lost as a result; fortunately they were not.


- Some years earlier, some bright spark revealed to a newspaper a very important intelligence capability against the Chinese Embassy in Canberra. End of capability.


While the reasons for security breaches are many and varied, these most serious breaches seem to stem from someone’s need to show the world how clever they are (or, I think in the cases just above, how enormously clever their Minister is). The world of spin and the world of national security do not mix. When the desire for self-promotion meets the obligation for reticence, self-promotion will win every time.


I have encountered an attitude in government agencies that, while these breaches are regrettable, investigating them is a waste of time because “you’ll never catch the bastards”. And when there is a suspicion that a minder might have done it, there might be a want of moral fibre at work as well.


This is not good enough. To my mind, every significant breach should be referred to the police for thorough investigation, offenders if caught should be subject to the full processes of the law, and everyone who commits such a breach should be aware that there is a prospect that one day someone wearing Size 14 boots might turn up on their front doorstep for a not particularly amicable chat.
