Brandis warns against future Snowdens and Mannings

Australian government agencies will be required to implement stringent new security policies, to monitor public servants in order to protect the government against the 'insidious enemy' of the 'trusted insiders' leaking sensitive information to the public.
Written by Josh Taylor, Contributor

Public servants will face far more scrutiny from their employer under new guidelines from Attorney-General George Brandis to prevent the 'insidious enemy' of 'trusted insiders' leaking sensitive government information to the public.

Image: Screenshot by Josh Taylor/ZDNet

Brandis yesterday launched a new personnel security handbook (PDF) for government that outlines how agencies can be protected against deliberate, or accidental, information leaks through their staff.

He told a Security in Government conference in Canberra that the "trusted insider" was an "insidious enemy" that could cause enormous damage through the leaking of information.

Brandis again referred to the "treachery" of National Security Agency contractor and whistleblower Edward Snowden, and said his leaks about the NSA's spying and data retention regimes, as well as Australia's own spying activities in Indonesia had put Australia's relationships in countries in our region under strain.

"Prior to Snowden's disclosures, we were working with our allies to fight national security threats and combating terrorism, people smuggling and organised crime," he said.

"Was it in the public interest for these programs to be jeopardised by Snowden's actions?" Brandis asked.

He did not name any specific instances where Snowden's leak had endangered lives, but said that former Director-General of the US National Security Agency, Keith Alexander had said that lives would be lost because "capabilities that were once effective are now rendered ineffective".

Brandis also said that the 2010 leaks from Chelsea Manning to Wikileaks hurt international diplomatic relationships.

"Bradley Manning [sic] copied thousands of classified documents while working as an intelligence analyst for the US army. He [sic] leaked a quarter-of-a-million diplomatic cables and half a million army reports to the website Wikileaks," Brandis said.

"Manning's leaks affected diplomatic relationships between allies. Of particular concern was the potential for the information to expose Iraqi citizens who had helped US forces."

Advances in technology had made it much easier for the trusted insiders to leak information, Brandis said.

"Enough classified material to fill a heavy suitcase can now be stored on a microchip no larger than my thumbnail. The amount of classified information that we hold has grown exponentially," he said.

"The computers that we use are networked, and they themselves are connected to a vast array of networked devices. We have deliberately built an information architecture that ensures that information is readily available to those who need it."

Insiders can access massive amounts of sensitive government information and copy it with ease, Brandis said, and trusted insiders posed a greater threat to businesses and government than viruses or hacks.

He said agencies needed to foster a culture of security, with controls, policies and an organisation structure designed to ensure the protection of sensitive information.

The revised policy issued by the government today outlines advanced background checks for personnel joining government agencies, as well as ongoing personnel security, including monitoring access controls to information, or sensitive locations.

Agencies are warned in the guide to keep an eye out for what could lead to an employee becoming an "insider" including being intoxicated at work, nervousness, a decline in work performance, interpersonal difficulties, resentment, bitterness or vengeance, and sudden unexplained wealth.

Once a staff member has left the organisation, the guide recommends that access to IT be revoked immediately.

For IT policy, the guide warns against using shared administrative accounts, and says IT roles should be split between administrators and security personnel to increase monitoring and minimise the possibility of malicious access going undetected.

Agencies should also use a standard operating environment so the use of malicious software can be more easily detected.

Brandis said that staff needed to be continually assessed for relevant security clearance.

"I have asked my department to further explore the future of vetting, in a paradigm of evolving threats, increasing data availability and the heightened awareness of the damage that can be inflicted by a trusted insider. This approach is consistent with that of our international partners," Brandis said.

"Of course, the need for security does not mean a workplace devoid of enjoyment. In fact, a happy workplace that can balance hard work with some down time when appropriate, will more likely result in a positive culture comprised of trusting teams which actually support each other to achieve the organisation's objectives, including the important objective of protecting the security of information."

Editorial standards