
Navigating the balance between privacy and security

The Cambridge Analytica scandal and recent testimony by Facebook CEO Mark Zuckerberg before the US Congress have reacquainted millions of people around the world with the issue of privacy. The scale of the controversy is itself a demonstration of the extent to which privacy rights are valued, and that the battle to retain ownership of information about oneself is worth fighting for its own sake.

This important discussion is being held in the context of the relationship between a social media company and its users, but a far older—and more significant—relationship is between states and citizens. In Australia, with the establishment of the Home Affairs portfolio and other significant, ongoing developments inspired by the 2017 Independent Intelligence Review, it’s pertinent that we consider the principles that underpin national security policy.

The foremost challenge in this area is the nexus between privacy and public safety. Our law enforcement and intelligence agencies have for many decades fostered a collaborative relationship with the Australian community. Justice Robert Hope raised this point in 1977 in the conclusion of the Royal Commission on Intelligence and Security. It was re-emphasised by Michael L’Estrange and Stephen Merchant in the Independent Intelligence Review.

That relationship continues to be largely successful, but we shouldn’t neglect its maintenance. In a security or safety-first paradigm, this means reacquainting ourselves with the value of privacy as a guiding principle of public policy.

Simply put, privacy is about the control we have over information about ourselves. It encompasses such things as protection of—and solitude in—one’s own home, freedom of thought and conscience, and freedom from intrusion and arbitrary surveillance, arrest or interrogation.

In Australia, there are statutory instruments, socio-political norms and oversight institutions such as the Independent National Security Legislation Monitor and the Inspector-General of Intelligence and Security that work effectively to uphold these ideals. But obvious difficulties arise from the fact that they can’t be adhered to in absolute terms.

It’s important, for instance, that the security of the populace and of the government (among other interests) is defended, which means that policymakers are challenged to strike a careful balance between interests and values. This dilemma was explained by Prime Minister Malcolm Turnbull when he addressed the Parliament in July 2017 on the subject of national security in light of terrorist attacks in Melbourne, London and Baghdad.

As an example, the PM focused on encryption, a feature of communications technology that enables people to disguise their online footprints, especially discussions with others, on any number of personal devices. It’s difficult to manage in a law enforcement context, where individuals’ legitimate protection of personal matters must be offset against the need for agencies to have the tools to carry out their important work. ‘The privacy of a terrorist,’ the PM argued, ‘can never be more important than public safety. Never.’

In strict terms, operational requirements can mean that breaches of privacy might be viewed as inconvenient necessities. But as the PM identified, there’s a broader test at play that goes beyond the cases where a group or individual’s responsibility for a criminal (or terrorist) act is clear. What if the subjects are under suspicion, or no act has yet been committed? Justifiably, counterterrorism strategies now lean more towards preventative measures in recognition of the fact that a reactive approach has diminishing returns. So, which priority ought to come first?

Unless you take the view that national security problems can only be solved through the purview of realpolitik, the enjoyment of collective security is contingent on the recognition of, and respect for, fundamental principles. This means that security consists of defending things of both material and intrinsic value.

The ongoing debate about foreign interference is a case in point. There’s more at stake than the economy, critical infrastructure and public safety, because we want to be able to say honestly that our democratic systems and institutions aren’t only different to authoritarian models, but are also functionally better and more conducive to human wellbeing. If the choice is made to cast privacy aside as if it’s merely an abstract ideal, then our ability to uphold that important distinction will erode.

Of course, the privacy–security dilemma will always be formidable and can never be fully resolved. For this reason, it’s important that consultation between the Australian public, intelligence and law enforcement agencies, and the government more broadly remains as active in the future as it is today.

Security is not a dirty word

 

For over a decade, both of our major political parties, in the face of uncertain times, have been going forth ‘getting tough on security’. It would seem that General Melchett, Stephen Fry’s character from the 1980s comedy classic Black Adder Goes Forth, must’ve been right when he declared, ‘Security is not a dirty word’. However, security became a really dirty word for government last month when we had one of Australia’s biggest breaches of cabinet security. Thousands of documents spanning nearly a decade—nearly all classified—were sold off in two old filing cabinets at a Canberra second-hand shop.

You could be forgiven for chuckling over the irony that at the same time that our government was talking up new legislation to protect the country from foreign interference, one department was giving the secrets away. All jokes aside, the real problem is that ‘The Cabinet files’ may not be a ‘one-off’ breach, but rather a symptom of the Commonwealth’s declining investment in one of the less interesting but crucial elements of national security: protective security policy.

Let’s not forget that as bad as the Cabinet files breach was, it also revealed other security problems:

  • The Australian Federal Police ‘lost’ national security files.
  • Nearly 200 top secret, code word–protected documents that were supposed to be collected by the Department of Finance were left behind in a locked cabinet in the office of Senator Penny Wong during the transition of government in 2013. 

Just as the dust was settling over the Cabinet files, the Australian government was struck by another embarrassing security breach. A classified notebook and identification cards belonging to a Defence official were found by a member of the public.

Our growing protective security problem isn’t isolated to physical or information security either, as there are also long-term problems with personnel security. In August last year, following the 2017 Independent Intelligence Review, Kate Grayson highlighted that ‘the long delays in security vetting for some of our key intelligence agencies are clearly unacceptable’. John agreed but argued that decentralisation was not the answer. While these delays had much to do with an increasing demand for clearances, the problem had been present for many years with little in the way of an effective policy response.

While Australia’s protective security has been tested recently and certainly been found wanting, the problem originated with changes to Australia’s protective security framework at the beginning of the decade.

In 2010, the Commonwealth embraced a paradigm shift in the government’s protective security model that moved from a prescriptive compliance approach under the Protective Security Manual to a risk management approach under the Protective Security Policy Framework (PSPF).

The PSPF model provides guidance to government in identifying and managing security risks to its personnel, intellectual property and assets. The model was developed to build a secure information architecture across the various tiers of Australian government. This information architecture was supposed to create the security environment necessary for the conduct of government business with the Australian public. In other words, it’s the nuts and bolts for ensuring that government activities and confidential information flows remain secure. However, the PSPF’s decentralised and less prescriptive approach appears to have created some rather conspicuous protective security gaps between agencies and other stakeholders in the private sector.

Australia’s protective security policy environment has become increasingly complex in recent years. As Australia increasingly relies on public–private partnerships in defence and security, if the government’s security arrangements stymie threats, those threats are likely to seek out third-party contractors, who are probably easier marks.

The government seems to be fine with that. Minister for Defence Industry Christopher Pyne says that the government can’t be held responsible for a contractor’s lax security. But Pyne’s sentiments contradict the PSPF, which specifies that ‘[government] agencies must ensure the contracted service provider complies with the requirements of this policy and any protective security protocols’.

Owing to the PSPF, training courses accredited by the Attorney-General’s Department and delivered by the Protective Security Training College in Canberra and the Australian Emergency Management Institute in Mt Macedon, Victoria, aren’t offered any longer. Security practitioners argue that this has led to a deskilling among government security professionals.

The risk-based model also led to a downsizing of the Protective Security Coordination Centre, which was historically charged with formulating security policy. More recently, the responsibilities have shifted to Emergency Management Australia (EMA). With EMA’s transfer to the newly established Home Affairs Portfolio, it now falls under the remit of Minister Peter Dutton.

The incidents above tell us that Australia’s PSPF isn’t satisfying government’s protective security requirements. More than a few commentators and policymakers will be quick to argue that a fully digitised information architecture—which would provide a tighter grasp on information flows—could be the trick to improve security. However, there’s a broader imperative for a reformed protective security doctrine.

At a time when the security threat is so diverse, the nation’s protective security arrangements need to be independently reviewed as soon as possible. Such a review would need to examine the full spectrum of physical, information and personnel security policies that form the framework of our protective security strategy. The terms of reference would also need to address such issues as security cultures, awareness, training and education.

To be very sure, finding and punishing the public servant responsible for the ‘Cabinet files’ will have no impact on national security, nor produce any lasting improvement in security. The rot is entrenched in the system and must be exorcised.