Should security clearances be outsourced?

Should security clearances be outsourced?

Summary: Everything from cleaning to IT development work is outsourced by governments these days, but should security clearance processes, which dictate what access a person has to government information systems, be included in that bundle?

SHARE:

Everything from cleaning to IT development work is outsourced by governments these days, but should security clearance processes, which dictate what access a person has to government information systems, be included in that bundle?

Outsourcing can be a useful tool for government agencies to increase staffing levels without making the same HR commitment that applies to public sector employees.

That's exactly the path the Department of Immigration and Citizenship (DIAC) has followed in order to progress its AU$496 million Systems for People IT refresh.

According to Mark Handley, DIAC's director of protective security, the agency has been issuing a phenomenal number of security clearances since 2004. Pre-2004 it issued around 800 clearances per year, but since then, its annual issuance rate has consistently reached 2,500 per year — a figure driven largely by the Systems for People overhaul, which kicked-off in June 2006.

By the end of this year DIAC will have issued security clearances to over 12,500 contractors in four years — meanwhile DIAC only maintains a 7,000 strong permanent staff level.

These figures have led to what Handley calls a high "churn" of staff, meaning that thousands are being pumped through its operations each year. However, DIAC made a decision in 2004 to outsource all but its highest priority security clearances to a panel of selectors from an external company, and also to allow long-term contractors to issue security clearances for those staff they select for work at DIAC.

"We share much of the responsibility for security with our contracted service providers," said Handley. "For example, our larger providers may develop their own security policy — based on our interpretation of the [government] Protective Security Manual, of course... We have agreements with some companies that they will actually manage the security clearance process."

It sounds like an efficient solution — DIAC pays the panel AU$1 million a year to do a job that its own team of 10 clearance officers could not possibly do. But what has occurred since it made its decision in 2004 is that 90 per cent of DIAC's security clearances are issued by an organisation other than DIAC itself.

Now it is possible that this practice is entirely safe. According to Handley, the invisible hand of commercial incentives makes the system work. "Commercial companies are more accountable for their performance than government agencies because let's face it, your current and future business with government agencies depends on your performance in the security field," he said.

And the Australian National Audits Office in a recent audit of four government agencies' handling of security clearances for staff did not find any major problems with the way DIAC issues security clearances.

However, can the "laissez-faire" system of trust really stand up to other incentives that commercial outfits face, like making money where money is available? For example, let's say a service provider faces a tight labour market, but needs to quickly bring in more skills to meet a tight deadline. Is there no risk that the commercial outfit could cut corners on the clearance process?

Perhaps decision-makers in Canberra are so closely tied to their suppliers there is no wall between the two. But I find it very odd that an agency so crucial to national security as DIAC can outsource a process which governs who has access to its systems.

What do you think? Should security clearance processes be banned from being outsourced?

Topics: Government, Government AU, Security

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • Should security clearances be outsourced ?

    NO ! NO ! NO !

    That would be like asking the fox to guard the hen house or the wolf to guard the sheep.
    anonymous
  • Should security clearances be outsourced?

    I disagree.

    My first reaction to the idea of outsourcing is at first to say no, bad idea, that it would be a security risk. That's because our first thought is the scenario you provided, "asking the fox to guard the hen house". This isn't the case though! This is because we perceive security clearances to be airtight well thought out assessments of someones character, when frankly, quite often they are not. Due to the volume of clearances processed these days, no matter who does them, they are essentially a checklist.

    To go back to your analogy, what would happen if we did ask the fox to guard the henhouse, but instead of trusting the fox, we put a very tight leash on him. Then we did our own assessment of the fox to make sure he wasn't the sort of fox to eat hens. Then we ask the farmers son to watch the fox and the hens. The fox can't go into the henhouse at all, and the fox can't even let someone else in without the farmers son checking up on both of them. I'm stretching this analogy a little far, but what I am trying to say is clearances are something that can be put together by whoever you want, because no matter who it is, the time saved in gathering the information is going to allow those trusted to do it properly to verify a lot of them in an hour, where it might previously have taken them weeks.

    Clearances aren't like six month long interviews anymore, but there are incredibly strong guidelies, rules and procedures. I think the existence of these makes an incredibly strong case for outsourcing.
    anonymous
  • Should security clearances be outsourced?

    dnt care
    anonymous
  • Should security clearances be outsourced?

    this class is so boring
    anonymous