For over a decade, both of our major political parties, in the face of uncertain times, have been going forth ‘getting tough on security’. It would seem that General Melchett, Stephen Fry’s character from the 1980s comedy classic Black Adder Goes Forth, must’ve been right when he declared, ‘Security is not a dirty word ^[1]’. However, security became a really dirty word for government last month when we had one of Australia’s biggest breaches of cabinet security. Thousands of documents ^[2] spanning nearly a decade—nearly all classified—were sold off in two old filing cabinets at a Canberra second-hand shop.

You could be forgiven for chuckling over the irony that at the same time that our government was talking up new legislation to protect the country from foreign interference, one department was giving the secrets away. All jokes aside, the real problem is that the ‘The Cabinet files ^[2]’ may not be a ‘one-off’ breach ^[3], but rather a symptom of the Commonwealth’s declining investment in one of the less interesting but crucial elements of national security: protective security policy.

Let’s not forget that as bad as the Cabinet files breach was, it also revealed other security problems:

• The Australian Federal Police ‘lost’ national security files ^[4].
• Nearly 200 top secret, code word–protected documents that were supposed to be collected by the Department of Finance were left behind in a locked cabinet in the office of Senator Penny Wong during the transition of government in 2013. 

Just as the dust was settling over the Cabinet file’s, the Australian government was struck by another embarrassing security breach. A classified notebook and identification cards belonging to a Defence official were found by a member of the public ^[5].

Our growing protective security problem isn’t isolated to physical or information security either, as there are also long-term problems with personnel security. In August last year, following the 2017 Independent Intelligence Review ^[6], Kate Grayson ^[7] highlighted that the ‘the long delays in security vetting for some of our key intelligence agencies are clearly unacceptable’. John agreed but argued that decentralisation was not the answer ^[8]. While these delays had much to do with an increasing demand for clearances, the problem had been present for many years with little in the way of an effective policy response.

While Australia’s protective security has been tested recently and certainly been found wanting, the problem originated with changes to Australia’s protective security framework at the beginning of the decade.

In 2010, the Commonwealth embraced a paradigm shift in the government’s protective security model that moved from a prescriptive compliance approach under the Protective Security Manual to a risk management approach under the Protective Security Policy Framework ^[9] (PSPF).

The PSPF model provides guidance to government in identifying and managing security risks to its personnel, intellectual property and assets. The model was developed to build a secure information architecture across the various tiers of Australian government. This information architecture was supposed to create the security environment necessary for the conduct of government business with the Australian public. In other words, it’s the nuts and bolts for ensuring that government activities and confidential information flows remain secure. However, the PSPF’s decentralised and less prescriptive approach appears to have created some rather conspicuous protective security gaps between agencies and other stakeholders in the private sector.

Australia’s protective security policy environment has become increasingly complex in recent years. As Australia increasingly relies on public–private partnerships in defence ^[10] and security ^[11], if the government’s security arrangements stymie threats, those threats are likely to seek out third-party contractors, who are probably easier marks.

The government seems to be fine with that. Minister for Defence Industry Christopher Pyne says ^[12] that the government can’t be held responsible for a contractor’s lax security. But Pyne’s sentiments contradict the PSPF, which specifies that ‘[government] agencies must ensure the contracted service provider complies with the requirements of this policy and any protective security protocols’.

Owing to the PSPF, training courses accredited by the Attorney-General’s Department and delivered by the Protective Security Training College in Canberra and the Australian Emergency Management Institute in Mt Macedon, Victoria, aren’t offered any longer. Security practitioners argue that this has led to a deskilling among government security professionals.

The risk-based model also led to a downsizing of the Protective Security Coordination Centre, which was historically charged with formulating security policy. More recently, the responsibilities have shifted to Emergency Management Australia (EMA). With EMA’s transfer to the newly established Home Affairs Portfolio, it now falls under the remit of Minister Peter Dutton.

The incidents above tells us that Australia’s PSPF isn’t satisfying government’s protective security requirements. More than a few commentators and policymakers will be quick to argue that a fully digitised information architecture—which would provide a tighter grasp on information flows—could be the trick to improve security. However, there’s a broader imperative for a reformed protective security doctrine.

At a time when the security threat is so diverse, the nation’s protective security arrangements need to be independently reviewed as soon as possible. Such a review would need to examine the full spectrum of physical, information and personnel security policies that form the framework of our protective security strategy. The terms of reference would also need to address such issues as security cultures, awareness, training and education.

To be very sure, finding and punishing the public servant responsible for the Cabinet files’ will have no impact on national security, nor produce any lasting improvement in security. The rot is entrenched in the system and must be exorcised.