Agreement between the Government of Australia and the Government of the French Republic regarding the Exchange and Reciprocal Protection of Classified Information
Background
3.1
The treaty action under consideration is the proposed Agreement between the Government of Australia and the Government of the French Republic relating to the Exchange and Reciprocal Protection of Classified Information 2017 (the Agreement).
3.2
The purpose of the Agreement is to strengthen arrangements for sharing classified information between France and Australia. The Agreement will supersede two previous agreements:
the Agreement between the Government of Australia and the Government of the French Republic relating to the Exchange and Communication of Classified Information signed in Paris on 15 July 1985; and
the Arrangement between the Secretary of the Department of Defence of Australia and the Secretary General of National Defence of the French Republic relating to the Exchange and Communication of Classified Information signed in Paris on 15 July 1985.
3.3
Although the Agreement is a stand-alone treaty action, it was tabled at the same time as the Framework Agreement between the Government of Australia and the Government of the French Republic concerning Cooperation on the Future Submarine Program (‘the Framework Agreement’). The Agreement will support collaboration and information sharing in relation to the Future Submarine Program (FSP):
A key example of this cooperation is sharing classified information to support the Future Submarine Program, a critical component of Australia's naval capability over the coming decades. Classified information protections under the intergovernmental agreement for that program will rely on the measures in this new treaty.
Protective Security Policy Framework
3.4
The security of government information is maintained under the overarching policy guidance of the Protective Security Policy Framework (PSPF). The PSPF contains mandatory requirements for Australian Government entities. AGD has policy responsibility for the PSPF; with individual government agencies responsible for implementation.
3.5
The PSPF undergoes revision and review in response to changing circumstances and specific incidents. AGD advised that:
There has been a process of constant and heightened examination of our protective security policy framework and our personnel security practices in light of international and domestic experience.
The Agreement
3.6
The Agreement is more comprehensive and prescriptive than its predecessors, but, according to the National Interest Analysis (NIA), is similar to recent exchange of classified information agreements with America, Japan, the European Union and the North Atlantic Treaty Organization.
The proposed Agreement provides a framework for protecting Classified Information exchanged between the Parties. It does not require the exchange of Classified Information. Under the proposed Agreement, Classified Information will be afforded a degree of protection equivalent to that afforded domestically.
3.8
The Agreement defines classified information as ‘any information or material, regardless of the form, determined to require protection against unauthorised disclosure or compromise which has been designated with a security classification.’
3.9
The Committee heard that there are four key features of the agreement:
it requires the parties to protect classified information to a standard at least equivalent to the protection afforded domestically;
it sets out how classified information can be transferred between the parties, and is limited to certain channels;
it enables security clearances of officials and contractors to be mutually recognised; and
it regulates how each party enters into or authorises classified contracts in the territory of the other party.
Issues raised in evidence
Personnel security clearances
3.10
Many contractors working on defence related contracts, including the FSP, will need a security clearance to access the information they need to do their jobs. A number of concerns were raised about this process during the committee’s inquiries into this Agreement and the Framework Agreement.
3.11
Personnel security clearances are done by the Australian Government Security Vetting Agency (AGSVA). The AGSVA is a centralised government agency providing vetting services on behalf of the majority of Australian Government agencies and state and territory agencies, based within and run by the Department of Defence.
Timeliness
3.12
In its inquiry into the FSP, the Committee heard evidence that delays in obtaining security clearances have hindered businesses in obtaining work. For individuals, the process of obtaining a security clearance may delay their employment, or result in the selection of another person who already possesses a security clearance.
3.13
The AGSVA has set benchmarks for processing security clearances within certain timeframes:
four months for Negative Vetting level 1(‘NV1’);
six months for Negative Vetting level 2 (‘NV2’); and
six months for Positive Vetting (‘PV’).
3.14
The AGSVA informed the Committee that for baselines, NV1 and NV2, it is undertaking all clearances within the benchmark processing time. However there is a significant backlog for PV clearances, which are taking longer than the six month benchmark. In relation to industry PV clearances, Ms Perkins, First Assistant Secretary Security and Vetting Services, Department of Defence, advised:
I would say that industry are not very big users of the top secret positive vet clearance. They are very small numbers; this year it will be around 45 people and last year it was about 15.
3.15
According to the AGSVA, there are several changes underway to address the backlog. This means that within 15 months PV clearances should be conducted within the six month benchmark.
3.16
The volume of security clearances required is likely to fluctuate as projects–including the FSP–come on-line, causing workflow management challenges for the AGSVA. The AGSVA told the Committee that it has worked on understanding and planning for future demand; linking with detailed future workforce plans for Defence and industry.
3.17
Ms Perkins also pointed out that the AGSVA has some flexibility to increase its workforce at short notice:
I would note that AGSVA was set up by government in 2010 on a cost recovery basis, and that gives us the capacity to use our internal resources and what we call our industry vetting partners—contract staff who are suitably trained and accredited to undertake security clearance action—so that we can look into those forward years as these major projects come online and we can grow the need to meet the demand into the future.
Sponsorship
3.18
Sponsorship is a core plank of personnel security under the PSPF. A contractor cannot commence a security clearance alone. A clearance must be ‘sponsored’ by a government agency. This has been reported in the media as a ‘catch-22’: in order to get a contract in government, a clearance is required, but to get a clearance, a government agency must sponsor the applicant. To address the issue, contractors have called for the option to pay for their own clearances.
3.19
The AGSVA is aware of the concerns about sponsorship and has made several changes to the sponsorship requirements. In September 2016 the AGSVA implemented a more flexible approach to sponsorship; removing the requirement for an external entity to have an active contract with a government agency. The AGSVA now allows sponsorship for staff of businesses that are part of a Defence standing offer panel; or that have been identified as a potential supplier under a limited tender process; or that have a recognised business relationship with Defence.
Adequacy of clearance process
3.20
In order to be an effective element in maintaining confidentiality of information, the personnel clearance process must be sufficiently thorough. During the clearance process, the AGSVA collects a range of information about a person from a variety of sources to make a determination on their suitability to hold a clearance. The degree of examination is proportional to the level of the clearance.
3.21
As a general principle, the AGSVA and AGD consider that the current personnel clearance processes in Australia are adequate to maintaining the security of classified information, stating:
There are certainly improvements that we would like to make but, as Ms Perkins said, we have not identified any glaring holes or gaps that mean that there is any concern about the high functioning of our personnel security arrangements at the moment.
3.22
One aspect of information collection examined by the Committee was the degree to which information on criminal activities or charges is obtained from State and Territory police forces. The AGSVA advised that they maintain close relationships with the Australian Security Intelligence Organisation, the Australian Federal Police and state police forces. State police forces advise the AGSVA of some–but not all–criminal charges. For state–based offences it would depend on the severity of the offence. Notification may also occur when a criminal investigation is underway, and it becomes apparent that a person under investigation has links to defence or security related matters.
3.23
The Committee received evidence that the government has projects in play to improve the overall ‘provide a whole-of–security approach rather than relying simply on a point-in-time vetting check’. Part of this is developing a mechanism to formalise information exchange between jurisdictions. The Committee considers this should be brought forward as a matter of urgency.
French personnel clearance process
3.24
Article 7 of the Agreement obliges each party to accept the security classification applied to personnel of the other party for the purposes of access to classified information. If necessary, Australia will commence personnel security clearance processes for French nationals where they are resident in Australia (and vice versa).
3.25
According to AGD, the security arrangements of both countries are at ‘a level of parity that provides appropriate comfort for the recognised security arrangements’. This conclusion is based on government-to-government engagement and:
…an exploration of the security practices both of Australia to the satisfaction of the French government and of the French processes to the satisfaction of the Australian government.
3.26
Security clearance waivers–where a person is given access to classified information without going through the security clearance process–are used by both Australia and France. In Australia, security clearance waivers are strongly discouraged and rarely used. In order for a foreign national to be granted a waiver under Australia’s system it would require ‘extremely exceptional circumstances’.
3.27
AGD provided the Committee with information from the French National Security Authority – Secrétariat général de la défense et de la sécurité nationale–that under normal eligibility requirements an individual must be a French citizen or a citizen of a country with which France has a security agreement. However ‘in exceptional circumstances’ a clearance may be approved that would not otherwise be eligible.
Revalidation and renewal of security clearances
3.28
For clearances at the PV level, revalidation and renewal occurs every five to seven years. Revalidation is a full re-check of a person’s suitability to continue to hold a security clearance. This is in addition to an annual appraisal, where the clearance holder advises the AGSVA of information that may be relevant, and his or her supervisor also provides comments. The revalidation for clearances at the NV1 level is ten years.
3.29
The onus is on the clearance holder–and his or her supervisor– to advise the AGSVA of any changes in their life or other circumstances that may have an impact on their suitability to hold a clearance. The AGSVA advised that:
While there is no active checking by AGSVA [at NV1 level], both the holders of any level of security and their supervisors have a range of responsibilities and we are involved where they are invoked. So all holders of security clearances are responsible to advise to AGSVA changes in their personal circumstances or issues of concern, and their supervisors have a similar obligation.
3.30
The intention is for clearances to move to a continuous assessment process. The AGSVA stated that there is a current project to design a next-generation vetting process, and ‘a core element of that will be a mechanism for more continuous vetting of people’. These changes will need amendments to the information technology systems that support the security clearance process.
3.31
Representatives from AGD and the AGSVA were not able to give a timetable for the introduction of a continuous assessment process, other than to say there are a ‘range of policy and design issues’ that will need to be developed. The Committee notes the desirability of continuous assessment, and the inherent risks in relying on self-identification of potential concerns.
Equivalence of security classifications
3.32
The French and Australian systems of classifying information are not identical. The Agreement contains an equivalency table, which sets out the respective classification structures in both countries.
3.33
However, Article 5(3) also provides that Australian classified information at the ‘Secret’ level may be handled by France as either ‘Secret’ (its equivalent) or ‘Confidential Défense’ (a lower level classification in France). Australian ‘Secret’ information may only be handled as ‘Confidential Défense’ by France where it is practicable to do so.
3.34
Although this appears to be a downgrading of the classification for certain material, the Committee heard evidence that the protection given to this information by France will be appropriate to the information being transmitted. According to AGD, Article 5(3) gives Australia an option to choose to transmit material that would be handled domestically as ‘Secret’ with a marking allowing France to treat it as ‘Confidential Défense’.
3.35
AGD explained that the option under Article 5(3) gives effect to existing arrangements for cooperation between Australia, where information is exchanged for operational reasons. In each case, before transmitting material with this marking Australia would be confident that the French handling of information at the ‘Confidential Défense’ level would provide ‘appropriate protections having regard to the assessed degree of harm in the event that the information was disclosed’.
3.36
The Committee notes AGD’s assurances about the equivalency of classifications for this particular type of information. The Committee did not receive detailed evidence on the actual handling of information at the relevant security classification levels, and has therefore not formed a view on the equivalency of the classifications.
Structures and frameworks under the Agreement
3.37
The Agreement identifies AGD as Australia’s National Security Authority responsible for the general control and implementation of the Agreement. Other Australian agencies may be designated or authorised as Competent Security Authorities responsible for carrying out or implementing particular requirements under the proposed Agreement.
3.38
The Committee heard further information on how arrangements for the protection of information are being managed under the FSP. The AGSVA advised that they are currently working with the FSP team within the Defence Capability Acquisition and Sustainment Group in negotiating the protective security instructions with France. The instructions will be the ‘core contractual underpinnings of how the projects work’.
3.39
A whole-of-government working group has also been set up to work with the FSP to ensure that ‘at this very earliest set-up issues around physical, personal and cybersecurity are deeply embedded into the design’. This includes engaging with the physical design of the FSP sites in Australia and France.
Contractors
3.40
In Chapter 2 of this report the security risk associated with contractors was noted; particularly where those contractors work with multiple companies or across several countries. In these circumstances there is an increased risk of a deliberate breach of classified information. This Agreement is one of the means for managing the risk associated with the ‘trusted insider’.
3.41
As noted earlier in the report, the company contracted to build the submarines, DCNS, is a commercial enterprise offering naval vessel construction services internationally. DCNS also has a contract to build submarines for the Indian navy, and in August 2016, over 20,000 pages of information concerning the Indian submarines was leaked by a sub‑contractor to DCNS.
3.42
The Committee asked the Department of Defence whether it was possible for a person working under a DCNS contract to also be working for another country. Despite repeated attempts by the Committee, the Department of Defence was unable or unwilling to supply this information before the date of consideration of this report. The Committee relies on information from government officials to complete its inquiries, and is frustrated by the Department’s failure to respond. The Committee finds this very disappointing.
3.43
Article 12 of the agreement requires that, before entering into a contract that will involve classified information, a party must:
obtain written confirmation of the security clearance held by the relevant contractor or its personnel;
obtain information on whether the relevant contractor is owned or controlled by a third party to the extent that information is known; and
ensure that the classified contract contains, at a minimum, specific provisions for the protection of classified information.
3.44
According to the NIA, Article 12:
…also makes the relevant authorities of the Party in whose territory a contractor is located responsible for administering the relevant security requirements performed under a classified contract and ensuring the security conduct of contractors within its territory.
3.45
The Committee heard evidence on the nature and scope of the security requirements that will be in place under the Agreement. This covers not just personnel security clearances but also physical security and information security.
3.46
The AGSVA advised that they are currently working on a governance framework to set the security arrangements in relation to the FSP:
Those arrangements extend to all personnel working in the program, the classified information, which is shared, and the classified systems on which design work will be conducted. They extend to the segregation of technical data, including the need to separate combat system information and design data, and they will come in to the physical design of those locations. In the locations in France and Australia the design will work in a joint space, in what we would call an AUSTEO—an Australian-only facility—and a French-only facility, and we will be designing and accrediting all of the physical, personal and information security in those facilities to Australian standards, on our behalf.
3.47
In contrast to the previous 1985 agreement, this Agreement creates a high‑level framework with ‘robust and detailed protections’. Individual contracts and subsequent agreements will contain further detail of the security requirements, and the nature of the intellectual property and its protection in each case.
3.48
The Committee considers that the requirements in the Agreement create a solid framework for the exchange protection of classified information. However the Committee notes that this will rely on the implementation of the requirements of the Agreement in the content of each separate contract and sub-agreement.
3.49
The Agreement sets out a minimum standard for the information protection requirements of sub-contracts. It is therefore open to include additional, more stringent, clauses in future contracts in response to changing circumstances. The Committee urges the Department of Defence to consider including more rigorous clauses in future contracts.
Investigation and enforcement of breaches
3.50
The Agreement permits each party security inspection visits to areas and facilities within the other party’s territory where classified information is exchanged or generated under the Agreement for the purposes of ensuring implementation of the proposed Agreement. The Agreement contains a procedure for requesting and approving visits (Articles 13 to 15).
3.51
Each party is obliged to notify the other of the details and circumstances of any unauthorised disclosure, destruction, misappropriation, loss of or access to classified information.
3.52
The party in whose jurisdiction the violation occurs must investigate the violation, institute disciplinary and/or legal proceedings, and advise the other party of the measures taken to ensure such a disclosure does not occur again (Article 16). AGD advised the Committee that this set up ‘very clear territorial lines’ as to who would investigate any breach, and responsibilities on the investigating party to notify the other party of the outcome, and any remedial action.
Committee comment
3.53
The Committee notes recent efforts by the AGSVA to improve issues identified by industry in relation to the timeliness and sponsorship of personnel security clearances. It is too soon to see whether these improvements will fix the problems, and the Committee will be following up these concerns as they are raised again in future Committee inquiries.
3.54
In relation to the general processes for personnel security clearances, the Committee notes the desirability of continuous assessment of cleared personnel, and the need to continue to exchange information between organisations and across jurisdictions.
3.55
The Committee recommends that the government bring forward, as a matter of urgency, its work program to connect State and Federal law enforcement and judicial information systems with the personnel security clearance systems in order to maximise the information available to the vetting agency to monitor changes in circumstances.
3.56
The Committee supports the Agreement between the Government of Australia and the Government of the French Republic relating to the Exchange and Reciprocal Protection of Classified Information and recommends that binding treaty action be taken.
The Hon Stuart Robert MP
Chair
7 April 2017