The Ex-files - PM&C’s lost Cabinet documents
Once upon a time, in an agency not so far, far away… there lived a filing cabinet.
And in that filing cabinet lived around 300 documents, collated between mid-2013 and mid-2014 as part of the official business of PM&C’s Cabinet Division.
Sometime between January and March 2016 the filing cabinet and seven of its steely colleagues were identified as surplus. As no keys were available to open the cabinets, they were not opened or checked prior to being sold.
And so, the filing cabinet and its contents passed eventually into the hands of the ABC, and ultimately, the AFP, garnering wide media interest in the process. Paraphrasing Oscar Wilde:
To lose one [Cabinet document] may be regarded as a misfortune; to lose [300] looks like carelessness…
Cue lights, unhappy senior public servants, an AFP investigation and an external review by Ric Smith AO PSM, a retired and distinguished senior public servant (the Review).
The ending was far from a happy one:
The (AFP) investigation concluded that ‘the catalyst for the documents being made public is attributable to a culmination of human errors in the record keeping, movement, and clearance and disposal of document storage containers by PM&C rather than a deliberate unauthorised disclosure.’
The Review: 28 recommendations, mostly for PM&C and some for the APS.
The moral of the story – what does it mean?
Let’s start with the Review, which was required to:
…make recommendations to ensure that PM&C safeguards official information in an appropriately secure and practical manner that reflects the trust and confidence placed in them by the Government and the Opposition of the day, and will address the implications of these findings for the Australian Public Service. In particular, the Review will consider [PM&C's] security procedures, practices and culture…
…The Review will also address the implications of its findings on these matters for the broader Australian Public Service…
The Review was completed on 23 March 2018 and concluded that:
… PM&C should strengthen the high-level governance of its protective security responsibilities and demand a more robust security culture in the organisation. While PM&C’s procedures, protocols and guidelines are generally sound, they are in need of updating and modernising in response inter alia to its fast-changing working environment.
The shortcomings reflected in the incident which triggered this Review should be addressed through the revision of procedures, protocols and guidelines and through more targeted training programs.
The Review went on to list 28 recommendations for future action, mostly to be undertaken by PM&C, with recommendations 23-28 having APS wide ramifications. For the sake of brevity (and sanity) I have attached them at the end of this article.
The PM&C recommendations focus on:
reviewing PM&C’s current systems and training and updating them
ensuring existing PM&C staff and newcomers are provided with appropriate training
strengthening information security procedures, particularly by enforcing the ‘clean desk’ policy
reporting infringements and increasing Executive Board oversight of security breaches
raising the governance profile of protective security through senior executives, PM&C governance and also appointing ‘champions’, and
ongoing review and assessment of the implementation of the new procedures.
The outcomes for the rest of the APS involved:
advising Secretaries and agency heads to review their own protective security arrangements and culture
an end of year ‘report card’ to the Attorney-General on the information security performance (number of breaches etc) of each agency
increased engagement by AGD and ASD with APS agencies in relation to information security and in providing training, and
including protective security as a standing agenda item for Secretaries’ Board meetings, to discuss breaches and matters relating to agencies’ handling of Cabinet documents.
Clearly, information security within government is necessary, as is ensuring that staff understand it and consistently implement the agency processes that support it. The heightened emphasis on information security is long overdue, and training more staff, improving the training materials available to them and increasing compliance and enforcement activities (breach notices) are generally positive steps towards a better culture.
In one sense, the Review recommendations are similar to any other risk management and compliance process.
This is also borne out by paragraphs 4.2 to 4.6 of the Review, which state:
The Review was presented with no evidence to challenge the view of one senior officer that ‘the great majority (of staff) intend to do the right thing and largely are left to do it instinctively’. It was also noted that there has not been a significant ‘leak’ from the Department since 2001.
Clearly, while all staff must understand basic physical security and document handling requirements, those who have a close involvement with National Security matters or come to the Department from agencies within the National Security community have a stronger understanding of their security obligations and are experienced in managing them.
That said, failures in protective security practice undoubtedly occur. Under the pressure of time and work-place demands, staff almost certainly adopt ‘work arounds’ at times and behaviours can fall below required standards. As previously explained, the data available from physical security breach records does not enable a detailed analysis of practices in regard to non-ICT security across the Department but the breaches that are recorded indicated a need for continuing rigorous implementation of the existing protocols and guidance.
To minimise the risks of security failures either deliberately motivated or of a kind arising from carelessness or human error, PM&C should ensure that its culture is one that deters ‘excusable behaviour’ and rewards ‘accountable behaviour’ and recognises that ‘security is everyone’s everyday business’.
A positive culture of this kind could be fostered by a combination of measures proposed in this Report. Foremost of these is a stronger, more leadership-driven governance regime (as proposed in Chapter 2). The revision of Departmental security protocols and guidelines (as proposed in Chapter 3) and their firm application, and more targeted training as described below, will also help foster a stronger culture.
The Review does take a proactive and positive stance in addressing the risks inherent in managing confidential information. However, some of my usual concerns remain in relation to the proposed solutions.
First, the emphasis on this risk in particular, and the increased level of time and effort by staff and management, may take the focus away from other just as significant risks. Information security should be no more ‘special’, in terms of risk management and risk culture, than other significant strategic or enterprise risks facing agencies. The assessment and treatment of this risk should be part of an overall organisational approach to risk, particularly in relation to risk culture.
Focusing too much on ‘special’ risks almost inevitably leads to more detailed process than is necessary, then process fatigue, and then the inevitable ‘workarounds’ start to re-emerge.
Secondly, changing culture and practice, particularly in a process-heavy environment, requires simpler language and procedure – more Commandments, less Bible. As the Review notes at paragraph 3.5, PM&C’s Protective Security Plan (modified in 2017) is supplemented by 10 other related information security policies, almost all of which are only available on the intranet. Added together with AGD information, the APSC’s Code of Conduct and the Cabinet Handbook, they total 300 A4 pages.
The Review suggests reviewing and updating this collection of wise words, noting that:
This is a task which might best be shared between security specialists and a professional editor.
Perhaps also a risk manager and a shredder…
Thirdly, and consistent with most risk management exercises, I suspect that the resources allocated to this new world order of security management do not match the ambition. For example, does PM&C have electronic key safes? My experience in the Department of Finance was that electronic key safes accurately track and record the use of keys for offices and safes.
How are documents currently being stored, what is the current state of PM&C systems and facilities and do they help or hinder staff to improve information security?
Fourthly, irrespective of whether staff ‘intended to do the right thing’, was there any accountability for the actual problem giving rise to the Review?
Someone actually made a decision, or failed to properly consider the ramifications of a decision, to allow the filing cabinets to leave PM&C unchecked, all because they did not have the keys and did not arrange for a locksmith to open the cabinet.
Prior to that, someone made a decision to shove 300 documents into the filing cabinet, and not record it anywhere, and not put the keys in a place they would be able to be used by others.
If it were your filing cabinet, would you take the same actions? Yet, someone, who is paid to uphold the APS Values, be professional, and manage information securely, just didn’t care.
My compliance experience tells me that if there is no accountability for such actions, then the compliance effect is compromised and treated as an annoyance and time wasting activity. Unless breaches are treated seriously, beyond a ‘please explain’, then attitudes and cultures do not change.
In the private sector, in areas like the pharmaceutical or health care industry, breaches of information, inadvertent or not, are often treated far more seriously, and can often lead to instant dismissal. My (limited) understanding is also that staff in Centrelink and DSS offices are also subject to sanction and/or dismissal for inappropriately accessing or using personal information of others.
Accountability is crucial, yet the tone of the Review suggests that real and significant sanctions (beyond breach reporting and counselling) have been put in the ‘too hard’ basket.
The moral of the story?
The Review sets out useful ideas for a more positive and proactive risk culture, but does so in a way that focuses overly on one risk. Further, the Bible-sized and disparate procedures manuals will undermine change unless they are worded for easy access and clear understanding, without information overload. Management must also put the money where the risk is, and replace and update systems to support change. And there must be accountability.
The End
(Recommendations follow)
RECOMMENDATIONS
Chapter One: PM&C’s operating environment
1. PM&C's risk management framework should clearly identify the risks associated with the Department's unusually complex operating security environment.
2. As a matter of risk management, all staff joining PM&C at the level of EL2 and above, or promoted to those levels, should be briefed on the complexity of the Department's working environment and the level and nature of the risk they, as managers, are responsible for managing.
3. A further review should be undertaken after 12 months to confirm that the agreed recommendations in this Report have been implemented and, to the extent possible, to measure their effectiveness.
Chapter Two: Protective Security Governance arrangements
4. Protective security should be specified as one of the whole-of-department responsibilities of Deputy Secretary Governance, who should attend the quarterly meetings of the Government Security Committee which is chaired by the Attorney-General's Department, with Deputy Secretary National Security attending National Security related meetings as appropriate.
5. The Executive Board should consider regular, say monthly, compliance or breach reports prepared jointly by the IT Security Advisor (ITSA) and Agency Security Advisor (ASA), including data on breaches and security waivers, recording any incidents of particular concern and explaining the remedial action taken.
6. To facilitate security compliance reporting to the Executive Board, processes for recording security breaches should be improved as soon as practicable to ensure robust security data is collected to enable comparisons over time and between work units.
7. This data should be used to ensure that staff who incur breaches are actively counselled. A staff member who incurs two breaches in a Performance Agreement year should be counselled by a First Assistant Secretary. Three breaches in a year should lead to counselling by the Secretary or Deputy Secretary, and should trigger a review of the staff member's security clearance.
8. In anticipation of a recommendation from a current review of the Protective Security Policy Framework (PSPF), PM&C should nominate the head of Corporate Division as Chief Security Officer, responsible for both ICT and non-ICT security.
9. Corporate Division should prioritise the completion of an integrated, real-time framework to link staff profiles and movements (e.g. onboarding, leave, promotion, temporary secondments, and exit) with asset registers including responsibility for individual containers, the assignment of digital devices, and other PM&C records.
10. The 'clear desk' policy required in the Department's Protective Security Plan should be enforced, and security staff clearly mandated to record and report breaches.
Chapter Three: PM&C’s documented practices, systems and procedures
11. PM&C's Protective Security Plan (the Plan) and its supporting policies, protocols and guidelines should be updated as a matter of urgency to reflect Machinery of Government changes since 2015, lessons learned from the recent incident, increased digitalisation and changes in office configurations following from the implementation of 'Working Your Way'.
12. The revision of the Plan and its supporting documents should aim for coherency and consistency across the Department's policies and procedures; avoid duplication; ensure that the revised documents are both clear and accessible; and distinguish clearly between those areas in which high-level principles are sufficient and those in which compliance-based directions are necessary.
13. New and specific requirements to the disposal and relocation of security containers should be implemented with immediate effect. Detailed recommendations are set out in the Annex of Chapter 3.
14. Consideration should be given to whether secure containers should simply be destroyed, that is, transferred to a scrap metal dealer, with drawers removed, rather than passed to agents for public sale at the end of their useful life.
Chapter Four: Culture, training and behaviours
15. The Secretary and Deputy Secretaries should lead in raising awareness and accountabilities for security across the PM&C network, including by using opportunities in their weekly communication with staff.
16. All Canberra-based new starters should be required to undertake face-to-face security training within the first week of starting at PM&C, including IT security, Physical and Personnel security, and storage and handling of Cabinet documents.
17. All staff in the regional network should be required to complete mandatory online induction training within a week.
18. In parallel, a PM&C team, comprising Learning and Development staff and security personnel, should regularly evaluate the effectiveness of the Department's security training, including assessing the value of face-to-face training versus e-learning modules and training.
19. PM&C's Security section should initiate random but frequent internal security checks, and periodic independent audits of staff security, with an emphasis on the storage of classified information. The outcomes of regular audits should inform targeted areas for further training and nudges.
20. The ASA and the ITSA should consider working with the Behavioural Economics Team of the Australian Government to assess options for increasing security awareness at key points in information and document management processes.
21. The redesign of PM&C's working environments (physical and virtual), including the transition to Working Your Way, must be accompanied by
a. an assessment of the implications of environmental changes, including the centralisation of key facilities such as shredders and storage facilities;
b. enhanced promotion of advice for staff accessing PM&C resources on mobile devices in public spaces.
22. Consideration should be given to nominating 'Security Champions' in branches to help grow the security culture and establish a continuous line of communication with the ASA and ITSA.
Chapter Five: Implications for the Australian Public Service
23. Secretaries and agency heads should be advised to review protective security management arrangements in their agencies, paying particular attention to higher level governance and to ensuring an appropriate security culture.
24. In addition to agencies' annual compliance reports, reports resulting from investigations or inquiries into significant security incidents in agencies should be passed to the Attorney-General's Department (AGD), redacted to exclude names and other personal or sensitive information; and AGD should use these reports and the agency compliance reports to develop an annual assessment for the Attorney-General about the 'protective security hygiene' of Commonwealth agencies.
25. AGD should be asked to engage regularly with 'security executives' or ASAs to enable exchanges of information about developments in the area of non-IT protective security and to share 'lessons learned' from any investigations, reports or reviews in the area of protective security.
26. The Australian Signals Directorate (ASD) should be asked to facilitate exchanges of information about cyber security and risk assessments to support greater alignment of risk and planning across agencies.
27. AGD should be asked to survey suitable protective security courses and security training services, including but not limited to courses offered through Registered Training Organisations, and ask agency heads to review the training needs of their staff in this area.
28. Protective security should be routinely included as a standing item on the agenda for Secretaries' Board meetings to enable the Secretary of AGD to report significant incidents and other matters of non-compliance with the PSPF, and to enable the Secretary of PM&C to advise Secretaries on matters relating to agencies' handling of Cabinet documents.