Chapter 3 - Areas of focus

3.1 As noted in Chapter 1, the Committee identified four particular areas of focus for its 2021-22 administration and expenditure review.

3.2 In relation to one of these, strategic workforce planning and initiatives, each NIC agency provided detailed evidence, which was discussed in Chapter 2. The following sections discuss the evidence received on the other three areas of focus outlined by the Committee: cyber resilience and cyber assurance, financial management and efficiency, and governance and compliance systems.

Cyber resilience and cyber assurance

3.3 Submissions were invited to address cyber resilience and cyber assurance processes, including how internal systems are assessed against common standards, details of that assessment, common trends in this area, and future challenges.

3.4 Each of the six intelligence agencies provided a response at various national security classifications to address this area of focus. The Committee is satisfied with the extent to which agencies addressed this topic, and with their internal systems in place to address issues related to cyber resilience and cyber assurance.

3.5 The Australian Signals Directorate (ASD) observed that during the reporting period, malicious cyber activity against Australian networks grew in frequency, scale, and sophistication as the cyber threat environment worsened. During 2021-22, the Australian Cyber Security Centre (ACSC) reported that it had:

  • received over 76,000 cybercrime reports, which represented an increase of 13 per cent from the previous financial year
  • responded to over 1,100 cyber security incidents, including 260 cyber security incidents related to Commonwealth government entities
  • observed a rise in the average cost of cybercrime reports, with an average increase of 14 per cent
  • collected and analysed data showing that fraud, online shopping scams and online banking scams were the top reported cybercrime types, accounting for 54 per cent of all reports
  • observed an increase in the average severity and impact of reported cyber security incidents, with nearly half categorised as ‘substantial’.[1]

3.6 ASD said that in light of the growing cyber threat environment, and ‘Australia’s increasingly interconnected digital economy’, effective cyber defences were critical. ASD added that the ‘most effective means of defending against cyber threats continues to be implementation of ASD’s Essential Eight cyber security strategies’.[2]

3.7 ASD said that cyber security was embedded into all levels of its organisation, where cyber issues and ‘the need to continually evolve organisational cyber resilience are regularly discussed and briefed at executive leadership groups and forums’. ASD staff receive ‘comprehensive tailored briefings’ on cyber threats specifically impacting ASD’s operational environment as part of onboarding processes. Following commencement, ASD staff members are required to undertake mandatory online training and annual security examinations which include cyber security as a core module.[3]

3.8 The Australian Secret Intelligence Service (ASIS) said that it continuously assesses and actively monitors its information systems. ASIS also said its ICT systems are assessed against the ACSC’s Information Security Manual during the system lifecycle. ASIS noted that its threat landscape is diverse:

The threat landscape facing ASIS consists not just of nation-state adversaries who have the capability and intent to expend significant resources exploiting any vulnerability, but also the insider threat actor.[4]

3.9 AGO, DIO, ASIO and ONI provided evidence related to their cyber security engagement and compliance with common cyber security standards, and examples of incidents that highlighted the importance of ongoing cyber security resilience and assurance processes.

3.10 Some submissions noted joint initiatives underway across the National Intelligence Community (NIC) to improve and enhance ICT capabilities.

Financial management and efficiency

3.11 Agencies were invited to address their financial management and efficiency, including opportunities for efficiencies, cost savings, how value for money is considered and opportunities for collaboration across the NIC.

3.12 Each of the six intelligence agencies provided a response at various national security classifications to address this area of focus. The Committee is satisfied with the extent to which agencies addressed this topic, and, as indicated in Chapter 2, with how the NIC is seeking opportunities for cost savings and collaboration.

3.13 ASD, ASIO and ONI provided information about whole-of-NIC programs designed to improve efficiency with certain functions related to administration and ICT. ASIO and ASD also detailed support they provide to the Australian Public Service (APS) more broadly.

3.14 The establishment of the Defence Intelligence Group (DIG) in 2020 assisted the Australian Geospatial-Intelligence Organisation (AGO) and Defence Intelligence Organisation (DIO) to consolidate common enabling services and activities. AGO advised that regular financial reviews are conducted to reallocate funding to priority intelligence requirements as needed.[5]

3.15 AGO also said that it collaborates with the NIC and other Commonwealth non-corporate entities, for shared procurement and co-funded activities:

Examples include strategic workforce activities (scholarships and training); and capability research and development activities with CSIRO, Geoscience Australia and the Bureau of Meteorology.[6]

3.16 In relation to financial controls, ASIO noted that it operated in accordance with the Public Governance and Public Accountability Act 2013 (PGPA Act) in two key ways. Firstly, while the organisation is permitted to exclude certain matters from public annual reporting for national security reasons, it is required to maintain the same financial accountability obligations as any other department or agency subject to the PGPA Act. Secondly, ASIO noted that it was required to prepare annual financial statements in accordance with the PGPA Act and Financial Reporting Rules.[7]

3.17 In addition, ASIO outlined its internal arrangements in which the Chief Financial Officer (CFO) reports monthly to the Executive Committee on current and future financial matters, as well as briefing the Audit and Risk Committee. Additionally, operational expenditure is governed by Director-General’s Finance Instructions.[8]

3.18 Other agencies noted similar arrangements in relation to financial controls within their organisations.

Governance and compliance

3.19 ASIO provided detail on a number of governance and compliance systems which comprised a combination of internal oversight mechanisms, staff training and provision of specialist advice, as well as other auditing and monitoring processes.[9]

3.20 ASIO established an Influence and Impact Committee in November 2021, which is chaired by the Principal Advisor to the Director-General and meets monthly, for the purpose of assurance that ASIO’s advice is reaching the ‘right people, the right way, at the right time’.[10] ASIO submitted that the establishment of this Committee complemented the existing governance structure which comprises:

  • Executive Committee (meets fortnightly)
  • Audit and Risk Committee (meets quarterly)
  • Security and Compliance Committee (meets monthly)
  • Capability and Investment Committee (meets monthly).[11]

3.21 ASD provided detail on a number of governance and compliance systems, including an overview of its fraud control and prevention controls, enterprise risk, and outcomes of internal and external compliance investigations including those conducted by the Inspector-General of Intelligence and Security (IGIS).[12]

3.22 ASD highlighted the establishment during the reporting period of an external REDSPICE Advisory Board to provide the Director-General of ASD with independent advice on the delivery of the REDSPICE Program.[13] The establishment of the Advisory Board complemented the existing Committee structure which comprises:

  • Executive Committee (met fortnightly during the reporting period)
  • Audit and Risk Committee (met six times during the reporting period)
  • Business Management Committee (met eight times during the reporting period)
  • Data, Technology and Infrastructure Committee (met six times during the reporting period)
  • Management Review Committee (met 66 times during the reporting period)
  • Operational Compliance Committee (met three times during the reporting period).[14]

3.23 ONI provided information on its Committees which ‘support the Director-General of National Intelligence to plan, manage and implement business and strategic objectives, as well as ensuring ONI meets its reporting responsibilities’. The Committee structure comprises:

  • Executive Board (meets monthly)
  • ONI Management Committee
  • Audit and Risk Committee (meets at least every three months).[15]

ONI’s submission made reference to a number of additional Committees and working groups that support corporate and operational functions.

3.24 ONI provided evidence on its internal audit function, which reports regularly to the Audit and Risk Committee, which then oversees implementation of the recommendations. The internal audit function targets ONI’s high corporate and financial risk activities. ONI also participated in the annual Fraud Against the Commonwealth Census facilitated by the Australian Institute of Criminology.[16]

3.25 DIO provided information on a number of performance evaluation and compliance activities. In late 2021, DIO formalised a set of analytical standards to consolidate its existing practices and ‘reflect DIO’s mandate and broader legislative requirements’.[17] The analytical standards require DIO assessments to be ‘independent, clear and concise, timely, insightful, based on all available sources, accountable, and rigorous’.[18]

3.26 Some agencies provided detail on the number of security incidents during the reporting period. ONI indicated that there were no significant security violations in 2021-22.[19] Others noted that there was an anticipated decline in the number of security incidents due to amended work arrangements during COVID-19, and that they had experienced a corresponding increase in minor security incidents following the return to normal working arrangements.

Oversight by the Inspector-General of Intelligence and Security

3.27 The IGIS provided an unclassified overview of its review of intelligence agencies in its annual report for 2021-22. Though the IGIS provided the Committee with a submission to inform its consideration, the submission was classified and the details cannot be discussed further in this report. Classified compliance reporting by IGIS and the intelligence agencies nevertheless enabled the Committee to further examine, in its classified hearings, compliance trends and incidents.

3.28 The IGIS undertook one inspection of ONI’s compliance with the Rules to Protect the Privacy of Australian Persons during the reporting period. The IGIS did not identify any issues of legality, though did make some propriety and administrative findings. IGIS indicated that ONI had reported one issue of non-compliance with an administrative aspect of the assumed identities arrangements under the Crimes Act 1914.[20]

3.29 The IGIS undertook 21 inspections of ASIO in the reporting period and did not identify any issues of legality or propriety in many of the inspections, but did identify some matters in relation to record-keeping, adherence to internal policies and procedures, and procedural issues. In six inspections, the IGIS identified matters relating to legality and propriety relating to Ministerial submissions, technical collection and retention matters, temporary exclusion orders, surveillance device warrants and special intelligence operations.[21]

3.30 ASIO reported 30 compliance incidents to the IGIS during the reporting period, as well as 7 incidents relating to the actions of another intelligence agency as it exercised ASIO managed powers under the Telecommunications (Interception and Access) Act 1979.

3.31 The IGIS undertook 14 inspections of ASIS during the reporting period, and made findings in three inspections related to liaison with foreign services, and operational file reviews at particular locations. The IGIS also noted that ASIS had reported six compliance incidents during the reporting period.[22]

3.32 The IGIS undertook one inquiry arising from a Public Interest Disclosure and one preliminary inquiry in relation to a Ministerial Authorisation for ASD during the reporting period. The preliminary inquiry remained underway at the conclusion of the reporting period.[23]

3.33 Eleven inspections of ASD occurred during the reporting period. In one joint AGO and ASD inspection, the IGIS identified some concerns in relation to Ministerial Authorisations sought to conduct activities in support of a military operation.[24]

3.34 ASD reported 12 compliance incidents to the IGIS in 2021-22. At the conclusion of the reporting period, three compliance matters remained under review, and four matters were confirmed as legislative non-compliance.[25]

3.35 AGO indicated that the IGIS undertook thirteen inspections of its activities during the reporting period.[26] Aside from concerns raised in relation to the joint AGO and ASD inspection of a Ministerial Authorisation, no further matters of legality or propriety were identified. Two compliance matters were reported by AGO to the IGIS during the reporting period.[27]

3.36 The IGIS undertook four inspections of DIO’s activities during the reporting period. One inspection was still underway at the conclusion of the reporting period which related to DIO processes and practices to ensure its analytical integrity.[28]

Committee comment

3.37 Overall, the Committee was satisfied with the intelligence agencies’ evidence in the areas of focus for this inquiry. The Committee acknowledges the quality of the evidence given and the open and responsive nature of the discussion with the intelligence agencies on these topics at the classified hearings.

3.38 The focus areas identified in 2021-22 were all areas of ongoing priority and challenge for the National Intelligence Community. As the Committee moves to consideration of the administration and expenditure of intelligence agencies in 2022-23, the Committee looks forward to engaging further with the agencies on these topics, in addition to new areas of focus set by the Committee for that year.

Mr Peter Khalil

Chair

16 May 2024

Footnotes

[1] ASD, Submission 3, p. 55.

[2] ASD, Submission 3, p. 56.

[3] ASD, Submission 3, p. 51.

[4] ASIS, Submission 6, p. 35.

[5] Department of Defence, Supplementary Submission 2.1 (AGO), pp. 47-48.

[6] Department of Defence, Supplementary Submission 2.1 (AGO), p. 48. See also Department of Defence, Supplementary Submission 2.2 (DIO), p. 25.

[7] ASIO, Submission 4, p. 19.

[8] ASIO, Submission 4, p. 19.

[9] ASIO, Submission 4, p. 62.

[10] ASIO, Submission 4, p. 5.

[11] ASIO, Submission 4, p. 3.

[12] ASD, Submission 3, p. 16.

[13] ASD, Submission 3, p. 11.

[14] ASD, Submission 3, pp. 10-11.

[15] ONI, Submission 5, p. 9.

[16] ONI, Submission 5, p. 10.

[17] Department of Defence, Supplementary Submission 2.2 (DIO), p. 9.

[18] Department of Defence, Supplementary Submission 2.2 (DIO), p. 9.

[19] ONI, Submission 5, p. 19.

[20] IGIS, 2021-22 Annual Report, pp. 80-81.

[21] IGIS, 2021-22 Annual Report, pp. 81-84.

[22] IGIS, 2021-22 Annual Report, p. 92.

[23] IGIS, 2021-22 Annual Report, p. 92.

[24] IGIS, 2021-22 Annual Report, p. 93.

[25] IGIS, 2021-22 Annual Report, p. 93.

[26] Department of Defence, Supplementary Submission 2.1 (AGO), p. 10.

[27] IGIS, 2021-22 Annual Report, pp. 96-97.

[28] IGIS, 2021-22 Annual Report, p. 97.