1. Executive Summary

1.1
The Joint Committee of Public Accounts and Audit (JCPAA) inquiry into security at overseas missions was based on the Australian National Audit Office (ANAO) Report No. 5 (2017–18) Protecting Australia’s Missions and Staff Overseas: Follow-on. As conveyed by the title, the audit examined issues of appreciable importance to Australia’s national interests and the safety of personnel, property and confidential information.
1.2
The Department of Foreign Affairs and Trade (DFAT) is responsible for security arrangements at its diplomatic posts, including the chancery facility (embassy, high commission or consulate building) and staff residences.1 The ANAO concluded that DFAT had ‘arrangements in place to provide security to overseas missions and staff.’ It added however that:
Aspects of the delivery of the overseas security, in particular the strategic planning, management of security measures and elements of the framework supporting staff training, have not been fully effective.2
1.3
The Committee notes that poor coordination and a lack of consistency impacted on the delivery of core security functions. A number of issues identified were also characterised by inadequate monitoring and assurance. The Committee considers that the ANAO’s findings, and the persistence of ‘weaknesses relating to overseas security measures’3, undermine the department’s credibility before parliamentary committees. Concerns were exacerbated by responses which focussed on processes currently underway without clear commitments regarding timeframes. As a priority, the Committee expects that DFAT will undertake to address the critical issues identified in this report.

Governance arrangements

1.4
In relation to its overseas security responsibilities, DFAT recognised that ‘elsewhere poor risk management could be financial loss; here the results could be catastrophic’.4 Despite this, a recurring theme of this inquiry was the lack of consistency and coordination in DFAT’s management of overseas security. The Committee notes that the Departmental Security Framework was to be launched in March 20185 and has recommended that DFAT report back to the Committee on the outcomes.
1.5
Of concern to the Committee is the department’s slow progress in rectifying issues identified in the preceding ANAO audit over a decade ago.6 At a minimum, an effective implementation strategy should be supported by a plan that sets out for each recommendation: roles and responsibilities; a budget; a timeframe; and deliverables.
1.6
Inconsistencies identified by the ANAO in DFAT’s record-keeping, risk assessments and inspection arrangements have undermined the Committee’s confidence that measures are being appropriately deployed and monitored across posts.
1.7
The Committee notes the annual reporting requirements for briefing the Audit and Risk Committee7, and the recent inclusion of overseas securityrelated audits in DFAT’s internal audit program8. The Committee has recommended that consideration be given to whether current independent assurance mechanisms should be supplemented or strengthened.
1.8
The Committee supports the Auditor-General’s position that noncompliance with an organisation’s security policy must be addressed in order to drive cultural change, with the leadership of an organisation providing a clear direction for this change.9 The Committee has directed a recommendation to DFAT in line with this view.
1.9
Noting the importance of cyber resilience for the protection of overseas missions, the Committee commends DFAT on its commitment to achieving cyber resilience by June 2018.10 The Committee has recommended that the department report back on its cyber resilience and compliance with the ‘Essential Eight’11 as at July 2018.
1.10
The Committee notes the ANAO’s findings about the quality of DFAT’s performance measures and discrepancies identified in its 2014–15 Annual Report.12 Performance measures should be relevant, reliable and complete, to enable assessment of DFAT’s management of overseas post security.13 The Committee expects that evidence presented in DFAT’s future annual reports will be accurate and transparent.

Staff capability

1.11
It is the Committee’s view that governance arrangements can only be effective with the necessary staff skills and capability underpinning them. The Committee has therefore recommended actions to strengthen staff capability, including in the area of cyber security.
1.12
The Committee notes the limitations of DFAT’s information system, which prevents the consistent monitoring and assurance over whether staff have received the required security training for their posting.14 The Committee was advised that changes are being made to corporate and human resource processes but it was not clear how these improvements would provide for greater assurance. In light of this, the Committee requires further information from DFAT about work underway to address this deficiency.
1.13
The Committee has also recommended that DFAT review the level of support provided to staff regarding post security, with particular attention to the effectiveness of the security training program. This would include implementing improvements to strengthen the program as necessary.
1.14
The Committee recognises that staff awareness about cyber security is critical in DFAT’s online operating environment. As such, one recommendation goes to ensuring all staff have the appropriate training to help protect DFAT’s networks from cyber threats.
  • 1
    Australian National Audit Office (ANAO), Report No. 5 (2017–18) Protecting Australia’s Missions and Staff Overseas: Follow-on, p. 16.
  • 2
    ANAO Report No. 5 (2017–18), p. 7.
  • 3
    ANAO Report No. 5 (2017–18), p. 44. The ANAO previously reviewed DFAT’s overseas security arrangements in Audit Report No.28 (2004–05) Protecting Australian Missions and Staff Overseas.
  • 4
    Department of Foreign Affairs and Trade, Review of Diplomatic Security, May 2015– as quoted in ANAO Report No. 5 (2017–18), p. 14.
  • 5
    DFAT, Submission 2, p. 1.
  • 6
    The ANAO previously reviewed DFAT’s overseas security arrangements in Audit Report No.28 (2004–05) Protecting Australian Missions and Staff Overseas. As noted in Report No.5 (2017–18), this previous audit ‘recommended that DFAT improve security guidance and training, security risk management, the implementation and effectiveness of security measures in mitigating risk and the monitoring of security at overseas posts’ (p. 17). Further, the ANAO’s latest findings in relation to DFAT’s management and maintenance of security measures were ‘consistent with the 2004–05 ANAO audit’ (ANAO Report No.5 2017–18, p. 44).
  • 7
    Mr Luke Williams, Chief Security Officer, DFAT, Committee Hansard, Canberra, 7 February 2018, p. 5.
  • 8
    Ms Jennifer Rawson, Deputy Secretary, DFAT, Committee Hansard, Canberra, 7 February 2018, p. 6; DFAT, Submission 2.1, p. 2; ANAO Report No. 5 (2017–18), p. 50.
  • 9
    Mr Hehir, ANAO, Committee Hansard, Canberra, 7 February 2018, p. 14.
  • 10
    Mr Spackman, DFAT, Committee Hansard, Canberra, 7 February 2018, p. 8.
  • 11
    The ‘Essential Eight’ are set of eight mitigation strategies recommended by the Australian Signals Directorate to help organisations prevent cyber security incidents. More information is available at https://www.asd.gov.au/publications/protect/Essential_Eight_Explained.pdf.
  • 12
    ANAO Report No. 5 (2017–18), pp. 41 & 47.
  • 13
    As reflected in JCPAA Report 469: Commonwealth Performance Framework, the ANAO and Department of Finance indicate that performance measures should be relevant, reliable and complete (pp. 61-62).
  • 14
    ANAO Report No. 5 (2017–18), pp. 36-37.

 |  Contents  | 

Past Public Hearings

07 Feb 2018: Canberra