Vetting agency not protecting against internal threats: audit report
Advertisement

Vetting agency not protecting against internal threats: audit report

Australia's security vetting processes for defence and security personnel are failing to protect the government against potential insider threats, an audit report has found.

The Australian Government Security Vetting Agency (AGSVA) has been lashed by the National Audit Office, which found that even though 43 per cent of vetting assessments in 2015-16 and 2016-17 resulted in potential security concerns, almost all decisions were made to allow the clearance without extra measures to reduce risks.

The report found that AGSVA only denied the requested clearance in 53 cases in the two-year period audited, and there were just 55 cases where the requested clearance was denied and a lower clearance was granted.

The security agency said its low rate of denials was because of rigourous recruitment processes, the rate at which clearance subjects cancel the process, and the opportunity for indviduals to respond to security concerns and mitigate the risk factors.

The report also found that the agency did not share information about the security concerns raised by the vetting process with the government department or agency where the staff member proposed to work, due to privacy concerns. AGSVA has been required to update its informed consent form since 2014 in order to share the information, but an update in 2017 failed to do so.

Despite average waiting times for positive vetting - the highest security clearance available - blowing out to almost 18 months for non complex cases and more than two years for complex cases, the report found that overall the rate at which clearances were processed within the benchmark timeframes improved.

Advertisement

Just 31 per cent of applications for positive vetting clearances were approved between 2015-2016 and 2016-17, with more than half of applications being cancelled.

The report recommended that the Attorney-General's Department and the Department of Defence establish a framework so that security concerns about potential staffers could be shared with the agency looking to employ them.

The IT system underpinning the vetting system is also not up to scratch, with Defence not set to replace it until 2023.

The report found that the Attorney-General's Department, ASIC, Home Affairs and the Digital Transformation Agency all had a small number of staff that didn't hold the clearance required for the work they were doing.

The report also showed the vetting agency made an average of 39,000 decisions a year, with 83 per cent of those being clearances for people to be able to deal with protected and secret documents, the two lowest level clearances.

Publishing a recommendation around the security of clearance records was deemed to be against the public interest, and separate information about this has been provided to the prime minister, the attorney-general, the defence minister, the finance minister and the home affairs minister.

Earlier this year Inspector General of Intelligence and Security Margaret Stone told a Senate inquiry that half the people offered jobs at her spy oversight agency found other jobs within the two years it took for their positive vetting clearance to be granted.