2014 Security in Government Conference—"The Insider Threat"
2 September 2014
[CHECK AGAINST DELIVERY]
Thank you very much indeed, Katherine, for your introduction.
Might I also welcome the delegates, the sponsors, might I particularly Kerri Hartland—Deputy Director-General of ASIO—who will be speaking to you shortly, other distinguished guests, ladies and gentlemen.
It's a great pleasure for me to give the opening address to the 2014 Security in Government Conference, an initiative of the Commonwealth Attorney-General's Department.
I don't need to tell anyone in this room that we have seen national security once again take centre stage in the Australian national consciousness.
The government is taking action in response to new and emerging threats. We are determined to protect our nation from the threat posed by Australians fighting overseas with extremist groups.
We are determined to bolster the capacity of our policing and intelligence agencies to respond quickly to new and emerging threats. And we are determined to ensure that intelligence is available and accessible to our agencies so that they can stop those seeking to do us harm.
The nature of the national security threat is evolving and as such we must constantly review our approach to ensure we are as effective as possible. The price we will pay if we fail is unthinkably high. And we must not lose sight of the fact that there are more threats to our security than simply those posed by terrorists.
Today I will speak about the threat posed by another insidious enemy—the trusted insider.
Trusted insiders are exactly that—they work within our organisations, they have access to our information—they know how things work.
And, from that privileged position, a trusted insider can cause enormous damage.
The trusted insider is of course a familiar figure throughout our history, and indeed, our literature. Macbeth, Brutus, Iago were all trusted insiders. Judas Iscariot is one of the historically best-known examples of a trusted insider. Guy Fawkes was part of a revolutionary group, who plotted to blow up most of England's aristocracy, including the King, in 1605. Using a pseudonym, Guy Fawkes and his co-conspirators leveraged their positions and contacts to place barrels of gunpowder under the House of Lords. The infamous Gunpowder plot was foiled by authorities who caught Fawkes before he could carry out his treacherous intentions.
More recently, I don't need to remind anyone in this room about the damage caused to the United States and her allies through the treachery of Edward Snowden.
Snowden, and his apologists, claim that he acted in the public interest but he has sought refuge in a country that is an historical opponent of the United States. From there he continued to leak the information to which he had privileged access as a government contractor and which he exfiltrated unlawfully.
And what has been the result of his actions? His revelations have placed Australia's relationships with countries in our region under strain.
Prior to Snowden's disclosures, we were working with our allies to fight national security threats and combatting terrorism, people smuggling and organised crime.
Was it in the public interest for these programs to be jeopardised by Snowden's actions? And of course, the effect upon Australia and its relationships was but a tiny proportion of the tiny damage that Snowden's conduct reaped.
In May, the former Director-General of the US National Security Agency, Keith Alexander, said that he believed people's lives would be lost because, "capabilities that were once effective are now rendered ineffective".
In another recent case—Bradley Manning copied thousands of classified documents while working as an intelligence analyst for the US army. He leaked a quarter-of-a-million diplomatic cables and half a million army reports to the website Wikileaks.
Manning's leaks affected diplomatic relationships between allies. Of particular concern was the potential for the information to expose Iraqi citizens who had helped US forces.
Of course, a lot of what Snowden and Manning have revealed is interesting. But there is an important distinction between something being interesting to the public and it being in the public interest for it to be disclosed.
But at least when someone has leaked your information to the media you quickly learn about it. When information is passed by a trusted insider to an adversary—a concept commonly known as espionage—the stakes can be even higher.
A remarkable case, which is instructive here, occurred in the 1930s when fascism was on the rise and Marxism was popular amongst intellectuals. During this time five students of Cambridge University were recruited by the KGB as agents. The group, known to history as the 'Cambridge five', went on to become one of the most embedded, influential and successful spy rings ever run by the former Soviet Union.
At the height of the group's power and importance, all members were in extremely influential positions across the British government. One of them, Kim Philby, was in charge of counter-intelligence of MI6.
Members worked for British Military Intelligence, the Ministry of Fuel and Power, Treasury, GCHQ, the Foreign Office and MI5 and MI6 at various times in their careers.
Australia, as an important part of the Western alliance, was also seen as an attractive intelligence target for the Soviet Union at about this time and in the years immediately after the Second World War. The Soviets attempted to infiltrate both the Australian public service as well as political parties.
In 2011, the UK archives released previously secret MI5 documents relating to the Petrov Affair. That event electrified Australian politics some 60 years ago, and had its focus of course in this city. The documents contained a cable from the then head of ASIO, Sir Charles Spry, advising the British to withhold important secrets from Australia should the then Labor leader, Dr Evatt, become Prime Minister at the 1954 election.
ASIO believed that Evatt's office and his staff had been infiltrated by Soviet spies. Their assessment was correct by the way. Of course, Evatt lost the 1954 election and the government of Menzies was returned.
The Current Threat
A lot has changed since the 1950s. Enough classified material to fill a heavy suitcase can now be stored on a microchip no larger than my thumbnail. The amount of classified information that we hold has grown exponentially.
The computers that we use are networked, and they themselves are connected to a vast array of networked devices. We have deliberately built an information architecture that ensures that information is readily available to those who need it.
What has not changed since the 1950s, or the 1600s, or Imperial Rome for that matter, is the threat posed by the trusted insider who wishes to do us harm.
In 2002, Robert Hanssen was described as undertaking "possibly the worst intelligence disaster in US history". What took Hanssen 22 years to leak, as an FBI agent who spied for the Soviet and Russian intelligence services against the United States, would now take a Snowden or a Manning only a few hours. Upon reflection, Hanssen's security breaches now pale into insignificance.
The trusted insider can access—on an unprecedented scale today—massive amounts of sensitive information through our networked computers and copy and transfer it with ease. That is why the two largest breaches of Western intelligence information have occurred only recently.
What's at Stake?
Let me give you an example of what is at stake by once again drawing upon the lessons of history. Military historians like to play with the idea of pitting armies from the past against each other. The resulting studies provide insights into tactical strengths and so on.
It is widely accepted amongst military historians that from about the Napoleonic Wars and onwards, a new historical truth emerged—earlier armies do not beat later armies. It sounds obvious but this was not always the case. The armies of the Roman Empire could have easily defeated anything that came after the fall of the Empire, for many hundreds of years.
Today—if you miss only ten years of technological development—then you could lose a war. This is the result of technological supremacy applied to the battlefield—but it also applies equally to the commercial endeavours of business.
Government must continually innovate and make progress to protect our national security. But equally, business must work to gain or sustain a competitive advantage over its rivals. In this environment we must remain vigilant to the threat of a trusted insider who with the click of a mouse can steal that hard won competitive advantage instantly.
You may assume from the media that sophisticated hacking or viruses are your biggest concern. These are threats but the reality is that the most likely source of a breach, whether accidental or deliberate, is not a hacker, it's not a person who puts malware into the system. The most likely source of a breach is one of your own staff.
Building a culture of security
So how do we respond to the threat of the trusted insider? The Australian Government uses a range of protective security strategies to prevent, detect or contain the trusted insider threat. This conference is the ideal forum to share those learnings.
But the starting point is to foster a culture of security within each organisation, whether public or private sector. A strong culture of security is fundamental for the success of all other security measures. In a strong security culture, employees display an intuitive awareness of risk and security in a way that attracts the respect of colleagues, the admiration of regulators and the on-going trust of customers.
So how can you foster this culture of security in your organisation? I'm sure that's one of the issues that you'll be addressing over the next two days. Let me offer some suggestions. Control systems, policies, organisational structures can be adjusted to encourage cultural change. A critical additional factor in achieving real cultural change is in changing the behaviours of individuals throughout the organisation to support protective security policies, procedures and structures.
If policy and practices are to be successful in preventing security breaches, they need to be adopted and practiced by every member of the organisation. Unless appropriate security policies are developed at the strategic level and shape the cultural fabric of the organisation, it runs the risk of significant harm to its most valuable holdings.
We have to evolve from the notion that if we simply attach policies and practices onto the existing framework of the organisation, cultural change will occur automatically and protective security will be sufficiently addressed. That just isn't the case. In reality the policies and practices have to become an integrated part of the culture and need to be reflected in, and reinforced by, the behaviours of all members of the organisation.
Evidence of a strong security culture can be observed if all employees make a contribution to managing the problem. As well as complying with policies, employees should be empowered to challenge colleagues who do not. Obviously the need for, and level of sophistication of the culture of security should be appropriate to the risks of the organisation. This is a scalable problem.
Agencies need to understand their business, what is most valuable to them and the risk of losing those valuable holdings.
Strengthening Personnel Security Policy
Governments continually review the strategic environment; develop policy and capability options in response to challenges; and direct operations. The leaking of classified information both at home and overseas highlights the importance that our framework must remain up to date to guard against the threat posed by trusted insiders.
In recent years there have been marked advances in how we manage our people, but we can do more to minimise the potential for espionage, corruption, fraud, unauthorised disclosure and other security breaches. But we need to change the focus of personnel security from assessing suitability to access security classified information to assessing and maintaining suitability to work for the Australian Government whether accessing classified information or not.
My Department has been leading a review of the Australian Government personnel security policy which forms a key component of the Protective Security Policy Framework.
Today, I am announcing the first tranche of changes to strengthen our personnel security policy. The changes aim to:
- Reduce the risk of loss, damage or compromise of Australian Government resources by providing assurance about the suitability of personnel authorised to access those resources.
- Create an environment where those accessing Australian Government resources are aware of the responsibilities that come with that access and abide with their obligations.
- Minimise potential for misuse of Australian Government resources through inadvertent or deliberate unauthorised disclosure, and finally, they aim, as I've said in the speech;
- To emphasise the importance of creating a culture of protective security.
The revised policy which I'm announcing today clearly identifies that personnel security is about being suitable to work for the Australian government in any capacity. It describes the actions the government expects from every agency or supplier to provide assurance of the suitability of their personnel to access official resources, including classified information.
To address the risks that could arise from a trusted insider, the importance of security vetting, contact reporting and ongoing monitoring of our employees' suitability to access information should never be underestimated. Further details of the policy changes will be discussed by Mike Rothery when he addresses the conference over the next two days.
While the policy changes address some of the identified risks, further strategic reforms need to be undertaken. These reforms will consider the new and increasing challenges and threats being faced by Government.
We need to be able to better direct our resources to the areas of greatest risk and further strengthen the ongoing assessment of security clearance holders. There is a need to change our focus from point-in-time suitability assessments, such as those currently used for security clearances, to continuous monitoring and assessment of each person's ongoing suitability.
I have asked my Department to further explore the future of vetting, in a paradigm of evolving threats, increasing data availability and the heightened awareness of the damage that can be inflicted by a trusted insider. This approach is consistent with that of our international partners.
Of course, the need for security does not mean a workplace devoid of enjoyment. In fact, a happy workplace that can balance hard work with some down time when appropriate, will more likely result in a positive culture comprised of trusting teams which actually support each other to achieve the organisation's objectives, including the important objective of protecting the security of information.
Handbook: Managing the insider threat
To address the immediate challenges of the trusted insider, today I am also launching the handbook "Managing the insider threat to your business," which has been prepared by the Attorney-General's Department.
The handbook provides practical advice on the risks and factors leading to a trusted insider going rogue. It includes practical measures to mitigate the threat that can be applied both for agencies and by businesses.
The booklet is publicly available to all Australian businesses and is available for distribution to delegates of this conference. I encourage you to access your own copy either by collection or through the Protective Security Website.
Let me conclude as I began by observing that the new and emerging threats that we face require government to constantly revisit and revise our approach to national security.
I have sought to make the case today that this approach should be extended to personnel security including vetting procedures where it is not enough to simply 'tick and flick' an application every few years.
From the Cambridge Five to Robert Hanssen, Bradley Manning and Edward Snowden, the threat of the trusted insider is an enduring one because sadly treachery is endemic in human nature among some.
A trusted insider can only be thwarted by a robust security culture shared by, and observed by every member of the organisation and by an ongoing assessment of the suitability of personnel to work within the organisation and to work specifically, for my purposes, for the Australian Government. We must, in other words, take a dynamic, not a static approach.
Over the next two days you will hear many more trusted insider examples illustrating the theme of this conference, which will demonstrate the proliferation of the "insider" and the importance of mitigating the threat posed by those insiders who are unworthy of the trust the organisations place in them. This is an important issue. It's an important issue for public policy just as it's an important legal and ethical issue.
You have much to discuss and I wish you well in your deliberations. Thank you.