Whole of Government Protective Security Outlook
Dr Margot McCarthy, National Security Adviser
Department of the Prime Minister and Cabinet
Tuesday, 4 September 2012
Security in Government Conference, Canberra
Thank you for your introduction.
My role as National Security Advisor (NSA) is about providing improved strategic direction within the national security community and promoting a cohesive national security culture.
Secure and appropriate information sharing, supported by a robust protective security framework, is critical to achieving these objectives. I have seen this first hand, both in my current role as NSA and in previous roles.
Let me provide some context by stepping back almost four years to when the NSA role was first established.
The NSA and National Security Community
In 2008, the Government commissioned Mr Ric Smith, former Secretary of the Department of Defence, and Former Ambassador to China and Indonesia, to report on the best and most efficient way to coordinate Australia's overall national security arrangements.
The Smith Review recognised that many threats are cross jurisdictional or transnational in nature, and acknowledged the part played in mitigating these threats by States and Territories, businesses, the community, allies and friends.
The Review did not recommend the establishment of a Department of Homeland Security, which had been a key part of the United States response to the 9/11 terrorist attacks.
Instead, the Smith Review suggested that Australia should focus on building a national security community.
And the Review concluded that a senior coordinating role was needed in the Commonwealth to provide, and I quote:
“…a new level of leadership (that would) go beyond coordination and committees' and promote a ‘cohesive national security community”.
The Government accepted the Smith Review recommendations.
In the National Security Statement delivered not long after the Smith Review, the then Prime Minister said that the NSA was needed
“…to provide improved strategic direction within the national security community; to support whole-of-government national security policy development and crisis response; and to promote a cohesive national security culture”.
The NSA was to interact directly with agency heads, complementing their role by enhancing whole of government coordination.
Importantly, the Smith Review also recommended an additional focus on threats and hazards other than terrorism, including serious and organised crime, and electronic attack.
So coming out of the Smith Review were two central themes.
First, the national security agencies, and those with whom may where in the states and territories and private sector had to be closer and better coordinated. More of a community.
And, second, that community had to take a wider view of potential threats or hazards. And therefore a wider view of its membership.
How then to best develop this large community?
Well the fact is, meetings and committees do play an important part in building cooperative habits. More fundamentally though, it's all about information. How to get it. How to keep it. And how to share it.
If we were to be a genuine national security community, with a shared understanding of the challenges we faced, and a shared commitment to leveraging our knowledge and capabilities to respond to these challenges, it was essential that we be able to communicate effectively and securely in order to collaborate and manage risk.
I want to focus now on information sharing. How to facilitate information flows and how to minimise the risks associated with better information flows.
It used to be said that national security agencies were great at producing information. And locking it in their bottom drawer.
Information treated this way might have been secure. But it wasn't particularly useful.
Post 9/11, this approach seemed so obviously flawed that our national security community set out to improve interconnectivity and information flows. Their actions mirrored what was happening in the United States and elsewhere. And, note too, that the Smith Review also comprehended these post 9/11 themes of improved connectivity and better information sharing.
In 2009, The Australian Government established in the Department the Prime Minister and Cabinet, the role of the National Security Chief Information Officer, or NSCIO, whose key task was to be improving information sharing across the national security community.
In 2010, the Government released the National Security Information Environment Roadmap: 2020 Vision.
The Roadmap recognised that information management, both domestically and internationally, was a critical element of our national security arrangements.
The goal is that by 2020, the national security community will be able to securely and expeditiously to manage and share information required to support effective and efficient policy making, political decision making and cooperation on national security activities and administration.
- A culture that supports a whole of community approach;
- A harmonised policy and legislative environment that will support the smooth flow of ideas and activities across the national security community;
- An agreed information management governance framework with consistent interoperability standards
- and ensuring that all new ICT initiatives are compatible with these standards;
- The alignment of all Australian Government ICT investments with the priorities set by the Government
- ensuring value for money and no duplication;
- Cross-agency recognition of personnel security clearances, identity management and access controls, and common security nomenclature: and
- Agencies ensuring that interoperability with other domestic partners is afforded the same priority as interoperability with international counterparts.
The 2020 Vision also includes work towards:
- Agencies being able to access and share information from the desktop
- across government, with industry and internationally;
- One screen and keyboard per desktop offering switching between classification domains, access to secure video and teleconferencing, and
- Effective information sharing domestically and internationally.
The 2020 Vision has been formally approved by Government. Further, given the priority attached to this work, the NSCIO role has been elevated to a Deputy Secretary level and now rests with the Deputy National Security Adviser, my colleague Allan McKinnon.
The NSCIO's role is to coordinate agency information management policies, linking strategies and priorities to build a secure and effective national security information environment.
Real progress is being made in building this “information community”:
- Thanks to a lot of hard work by the Attorney-General's Department, we now have a Secret gateway covering all Secret networks within the national security community
- connectivity across the Secret networks is a reality;
- Commonwealth agencies have developed and adopted whole of government information management policies;
- We now have a National Classification Scheme ensuring consistent and common security classification nomenclature;
- Through the Australian Government Security Vetting Agency, we are realising the development of cross-agency mutual recognition of personnel security clearances, identity management and access controls; and
- Progress is being made on interoperability standards for key processes such as handling of data and file management to facilitate the interoperability of networks.
With increased connectivity across Secret networks within Australia, and across Top Secret Networks internationally with allies and partners, the Roadmap is already delivering real benefits across the national security community.
As users utilise, and come to appreciate these new capabilities, they will demand even more advanced capabilities (e.g. secure desk top video). The challenge will be to service existing capability enhancements while delivering further improvements at little or no additional cost.
This challenge will both test and strengthen our community because it can only be met by collaborative efforts, and by a focus on collective outcomes rather than narrow, parochial interests.
While a culture of broader information sharing is critical, it brings with it an increased threat of exploitation by those serving the national or private interests of others.
These threats manifest themselves in a number of different ways. One such highly publicised threat is that of malicious cyber-activity.
Malicious cyber-activity is now commonplace and can cause great damage to individuals, businesses and government.
Indeed, in Australia, it's no secret that a wide range of Government networks have been targeted for all sorts of information. The existence of this pervasive cyber threat has consequences for the way we handle information and what we do online.
In short, responsible information management has required a careful weighing of risks and the adoption of appropriate technical and policy responses.
Each agency is responsible for its own network but a coordinated approach is critical, with agencies such as the Defence Signals Directorate able to provide specialist assistance as required.
We should never underestimate the time, money and other resources that those seeking to compromise our networks are willing to expend.
The government does not face this threat alone. CERT Australia, the national computer emergency response team, has a central role in ensuring that, together with non-government partners, we have the right focus on maintaining and hardening our critical cyber infrastructure.
Ensuring Australia remains a ‘hard target’ for malicious cyber activity must therefore be a fully shared responsibility.
Accepting that the cyber security response must be a shared one simply recognises the highly interdependent nature of cyber activities and the ripple effect that a seemingly small action can have on all dimensions of cyberspace-whether this ripple has good or bad outcomes. It challenges the way we organise ourselves to manage the size and complexity of the issues, but also provides opportunities for innovative responses.
I should say at this point that the Prime Minister intends to release a cyber-policy White Paper this year which will traverse in detail the management of these issues.
The balance, therefore, between information assurance imperatives and the critical operational requirements of timely and effective information sharing, remains finely tuned and needs to be closely monitored at all levels.
And it's important to understand that external threats are only part of the challenge.
Some of the most prominent espionage cases and compromises of information have involved trusted insiders using their access to systems to download and disseminate information. In these cases the existence of robust outward-looking defences were irrelevant.
This risk has been apparent for a long time. In 1995, Robert Morris, former Chief Scientist of the US National Security Agency National Computer Security Center, said:
“It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders!”
What this means is that we can – and must – undertake vetting and security clearances with the utmost diligence. However, at the same time, we must also recognize that human beings may compromise information and networks for financial gain, or some other reason.
So we need to take all reasonable precautions to mitigate this risk – and operate systems that anticipate it.
One approach is the introduction of strong access and identification controls. Systems must have strong data tagging and authorisation protocols so that people can only access the data they need and are entitled to access. And systems also need strong real time, audit and governance features so that they can detect and report potential wrongful access of data as it happens.
It must be recognised, too, that even people who would not dream of maliciously using or taking information can still let their security guard down and compromise our networks.
They may succumb to advanced “phishing” techniques when an email arrives apparently from a close friend or colleague. The seemingly harmless email may even use information from their Facebook page or other public sources to enhance its credibility. Or they may accept a thumb drive containing conference documents only to find that they have introduced malware onto their network. Bruce Schneier (US Computer Security expert and cryptographer) put it best when he said that “Amateurs hack systems, professionals hack people”. Or to put it another way, there is no software patch for human error or folly.
So hardware solutions will only take us so far in protecting our networks and the information carried on those networks.
The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. It is in this area that we must place much of our emphasis.
And this leads to one final point.
I have talked about the importance of information flows as the lifeblood of our national security community. I have talked about some of the initiatives we have underway to enhance information sharing across the community.
I have also talked about the risks of malicious cyber activity and the need to harden our networks and improve our practices so that our networks are more difficult to compromise.
This may have given the impression that information flows and risk are directly proportional i.e. more information equals more risk. Indeed, it was this sort of thinking, I had in mind what observed that – traditionally – the more highly classified the information, the more likely it was to be locked in a bottom drawer and not shared.
But, I don't believe that having good information security is the same as tightly restricting all information flows. We can't afford to return to the pre-9/11 stove-piped approach to information sharing.
Therefore, to help create greater confidence in the information sharing architecture we must improve and extend initiatives like improved access controls and data tagging so that only authorised users can access information. Strengthened online audit controls will help ensure that inappropriate access and exfiltration of information is either not possible, or detected and reported immediately.
If we can achieve these things we might find that originators of information (whether in Australia or elsewhere) are more willing to share it more widely and that we have improved connectivity to facilitate this.
In this way, higher standards of information protection would lead to more – not less – sharing. And sharing that is secure.
In coordination, at the whole of government level, our sense of community is developing well. We have significant achievements under our belt, including enhanced connectivity internationally in the Top Secret domain and domestically in the Secret Domain.
Our goal is to work together as a cohesive national security community to realise the benefits of better information sharing, by breaking down the barriers to ensure that the right people receive the information they need at the right time to help them make the best possible decisions in a secure and appropriate way.
Thank you, and good luck for the rest of the conference.Top