The loss of a Parliament House security manual by a contractor last year is more of an embarrassment than a major security problem.
The manual was reportedly a large brick of a document of about 1000 pages. The document apparently contains information about Parliament House's $126 million security upgrade that is not available to the general public. Department of Parliamentary Services officials confirmed a contractor "lost" it in November 2016, but it was not reported as being "misplaced" until February 2017. BAE Systems Australia since confirmed that it was the contractor involved.
One of my past jobs was director of security intelligence in defence. This involved, among other things, responsibility for security investigations. During my three years in that position, we investigated the loss of tens of security-classified hardcopy documents. Invariably, they had been destroyed without proper records being kept of their destruction, or misfiled – rather than lost or stolen.
I can only recall three occasions when documents were deliberately taken to be sold on. In all cases, the perpetrators were convicted and jailed.
There have, of course, been embarrassing incidents when classified documents were taken from a defence workplace and left in a Qantas lounge or elsewhere, but that was down to carelessness or incompetence rather than malicious intent.
On one occasion, a defence civilian employee who had been acting (very satisfactorily) in a section-head position did not get the role when it was filled permanently. When he was reassigned, he retaliated by putting all the classified policy documents for that section in the classified waste. It left that section in policy limbo for a while, but no action was taken against him because of the questionable selection process.
Politicians and their staff were notorious for having a lackadaisical approach to the security of highly classified defence material. One minister even lost a briefcase of classified documents on an overseas work trip.
Anyway, to return to the Parliament House manual, it seems unlikely that those who may wish to have it (such as protestors and anarchists) would have had the opportunity to get it, while those who may have the means (like foreign spy espionage services) would not be interested in such a low-level working document. The manual would have contained new physical-security measures but would not facilitate access to Parliament House, because access data is continually renewed.
In my experience, the private sector and contractors can pose a security vulnerability because they sometimes fail to provide the same level of information protection that government agencies and personnel do. Even so, the private sector often needs access to sensitive government documents to undertake contract work or place bids for new contracts.
The ones with the best security, like Thales Australia, have employed experienced former security managers from defence or ASIO.
BAE Systems, the parent company of BAE Systems Australia, has previously come under regulator investigation in Britain and the United States over corruption charges and security lapses, but these have never to my knowledge implicated the Australian business. It seems likely that the loss of the manual in this case was due to carelessness by one person rather than anything more sinister, but it's the type of incident that can tarnish a business's reputation for maintaining good security.
A far more concerning problem is the mega-theft of digital data from contractors, which can undermine national security into the future. Hackers, believed to be Chinese, accessed the database for the F-35 Lightning II joint strike fighter in the US and acquired terabytes of sensitive information about the plane, possibly compromising its future effectiveness.
This presumably not only allowed China to leapfrog research for its equivalent aircraft, the (less capable) Chengdu J-20 stealth fighter, but will also give China a very good insight into the capabilities of our F-35s, due to enter Royal Australian Air Force service in 2020.
The ultimate national-security nightmare is a rogue IT contractor who has access to highly classified information and knows how to bypass security controls.
In 2013, US contractor Edward Snowden leaked highly classified information from the US National Security Agency, damaging numerous global surveillance programs, negatively affecting the Five Eyes collection efforts, and undermining cooperation with telecommunication companies. Snowden's theft and outing of top-secret information is said to have set back allied intelligence collection capabilities by several years.
Clive Williams is an honorary professor at the Australian National University's centre for military and security law, and an adjunct professor at the Australian Defence Force Academy.