Nothing Found

Forty years ago, Steve Jobs walked into a long concrete office building in Palo Alto, California. The building belonged to Xerox, the company that had recently invented the first ‘windows and mouse’ computer. Jobs saw the computer—the Xerox Alto—and was amazed. He thought the product was revolutionary. But why, he wondered, was Xerox not doing anything with it?

Four decades on, many of us are using Apple laptops and Xerox still makes copy paper. The problem wasn’t that Xerox had poor leadership or that it was caught napping. The problem was that Xerox wasn’t built to sell personal computers. It sold photocopiers and duplicating machines, and the PC pitted those two departments against each other. Internal politics caused strategic inertia.

The same problem has been experienced by Sony, IBM, Kodak and Blockbuster. They all knew what the future looked like, but to get there, ‘their internal silos that had been designed to work separately would have to work together’. That’s a big ask.

Australia’s national security community also knows what the future looks like. The chief of the Australian Defence Force, General Angus Campbell spoke of political, or ‘grey zone’, warfare at ASPI’s ‘War in 2025’ conference, prompting a number of pieces on The Strategist over the past two months. Yet, as Xerox discovered, knowing what the future looks like might not be enough.

The general prescription is that the government needs to better coordinate all arms of national power to compete in the grey zone, or left of boom. As Peter Hunter argued, ‘We should be figuring out how to combine the elements of national power, including defence, in smarter ways.’ In other words, our internal silos need to learn to work together.

In using the phrase ‘grey zone’, we are implicitly acknowledging that there’s a gap in our conception of national security; a zone where others can operate and we can’t. We’re not built for this competition, and so we’re suffering from the same ‘architectural’ problem as Xerox.

Yet this internal architectural problem goes beyond political warfare. A number of commentators on The Strategist have touched on other symptoms, including a lack of preparedness in the north, a lack of fuel security and a broader lack of a national security strategy.

On the security of Australia’s north, John Coyne notes: ‘If our industry and logistics base across northern Australia can’t easily be scaled up in a crisis, the ADF may not be able to defend our northern approaches.’ Is that a defence problem or an industry problem? Military or civilian? The reflex to ask these sorts of binary questions is indicative of the deeper architectural problem. Coyne himself acknowledges that the solution involves teaching our internal silos to work together: ‘[T]he entire strategy should be based on a cost-sharing arrangement within a national investment plan across both the public and private sectors.’

The fuel security issue is another symptom. Paul Barnes and Neil Greet wrote that while public and private entities have been campaigning on the issue, media attention has been ‘sporadic’. The government seems to think this is an industry problem; industry believes it’s a government problem. Government, industry and the media need to work together to solve it, but they’re designed to work separately. We’ve now arrived at an unhelpful ‘solution’ involving fuel stored in caves on the other side of the planet.

Many commentators have argued that the government’s lack of coherence on force posture and fuel security reflects a need for a national security strategy. As Jim Molan notes: ‘The analysis must go beyond purely military concerns to include social and economic factors that could affect Australia’s ability to fight a future war.’ Molan argues that only the federal government can fulfil that task. Yet those military, social and economic factors are designed to work separately. Until they are redesigned to work together, that analysis is likely to fall victim to the same politics and strategic inertia that killed the Xerox Alto.

In short, these are our major national security concerns and suggested solutions: to contest left of boom, the ADF should learn to work with other arms of national power; to protect the north, the public and private sectors need to be brought together; to improve our fuel security, the government must provide incentives to industry to stockpile locally; to create an effective national security strategy, the government must bridge military, economic and social concerns.

There’s a deeper pattern here: the silos we use to think about national security are outdated. They are the national security equivalent of photocopiers and duplicating machines. We know what the future looks like, but unless we start thinking about how we think, knowledge may not be enough.

Huawei’s behaviour, coupled with the Chinese government’s wide-ranging commercial espionage, is eroding trust in the global supply chain. Rebuilding that trust will take work.

Two sensational US indictments unsealed on Tuesday paint a picture of Huawei acting with utter disregard for laws and agreements in pursuit of commercial advantage. In one indictment, the US Justice Department charged Meng Wanzhou—Huawei’s CFO and daughter of the company’s founder—with deliberately lying about the company in order to subvert US trade sanctions against Iran. In the other, Huawei was charged with concertedly trying to steal technology from ‘Tappy’, a smartphone-testing robot owned by US telecommunications operator T-Mobile.

In both indictments, Huawei was accused of intentionally breaking US laws and then covering its tracks by destroying and concealing evidence, or by conducting internal ‘investigations’ that minimised the crimes, used individual employees as scapegoats and tried to absolve the company itself of wrongdoing.

Strikingly, this pattern of criminal activity and concealment is very similar to ZTE’s behaviour. ZTE, another Chinese telecommunications equipment manufacturer, was found to be violating sanctions and selling US technology to Iran in the early 2010s. Even while it was being investigated by US law enforcement, ZTE engaged in ever more elaborate schemes to hide continuing sales to Iran, including using new partners to sell to Iran, lying to US investigators, and deleting and sanitising Iran-related records from its accounting database.

This pattern of amoral deception is worrying for companies that could be placed at the heart of our telecommunications networks. But the risk involved is exponentially increased because these companies can be pressured and compelled by the Chinese Communist Party, which believes that Chinese companies and even Chinese people exist to support the party.

China has conducted espionage to gather government and military secrets—what Western governments would consider ‘legitimate’ espionage—but also espionage in search of trade secrets and commercial-in-confidence material from Western companies such as BHP, Rio Tinto, Fortescue Metals, Yahoo, Google and many more. A single hack of Rio Tinto is reported to have cost the company £800 million in lost revenue because of ‘commercial disadvantage in contractual negotiations’. From China’s point of view, commercial espionage could be viewed as important for maintaining a growing economy and keeping the population employed and happy, and therefore as crucial to national security.

Our relationship with technology relies on our faith and trust that our phones, gadgets and computers will do only what we expect them to do. We must rely on trust because information technology is so complex that it’s difficult, if not impossible, to prove that products won’t do what they shouldn’t. How can you prove that your smartphone won’t accidentally send your personal photos to your contacts? Without proof, we pretty much just have to trust that things like that won’t happen.

Unfortunately for Huawei and ZTE, their behaviour and that of the Chinese government—their wide-ranging commercial espionage, and state laws that compel companies to assist in intelligence efforts—have eroded the unquestioning trust that once existed.

Since Australia made the decision to ban Huawei from its 5G network, a number of other countries have either followed suit or expressed reservations, including New Zealand, Japan, Germany and the Czech Republic.

But 5G and telecommunications are merely the thin edge of the wedge. The global debate over Huawei and 5G networks makes it clear that we’re no longer living in a world where we can trust in the products we buy as an article of faith. How can we trust any technology product when the heart of the global electronics supply chain is in China?

Both governments and companies have a role here.

Governments need to step in and assess equipment when there are broad-based security concerns about critical and important services that underpin the Australian economy. The debate about Huawei being involved in the 5G network is a good example; for any individual Australian, the threat represented by Huawei’s involvement isn’t high, but as a community we absolutely need a robust and secure telecommunications network for our future. Governments also need to lead efforts on finding ways to build transparency and trust with foreign manufacturers and suppliers.

Companies need to understand and manage the risk exposure that comes with technology products they use—and not just those that are manufactured in China. Some collaboratively developed software, known as open-source software, can provide companies with low-cost, robust software, and is widely used across many industries. But it can be insecure, or can be quietly modified without oversight; some open-source software projects have been hijacked to steal personal data or credit card details. With a holistic consideration of the costs and benefits, many of these risks can be sensibly managed once they’re identified.

Beyond understanding their own risks, companies also need to be transparent and communicate about how they are dealing with those risks. Transparency will provide consumers and clients with some confidence that due diligence has been done, and that sensible mitigation measures are in place. In other words, transparency will build trust.

The Turnbull government argues that Australia’s national security conditions have experienced fundamental changes. These changes have been driven by the resurgence of old threats (espionage and terrorism), non-traditional national security threats (transnational organised crime) and disruptive technologies. In October 2017, the secretary of the Department of Immigration and Border Protection (DIBP), Michael Pezzullo, went even further, arguing that Australia was at risk from the ‘dark universe’ of globalisation. On the basis of these arguments, it’s clear that Australia has experienced a revolutionary change in domestic security affairs.

The Turnbull government’s position is that a revolution of such magnitude demands equally substantial changes to Australia’s domestic security arrangements. However, the government’s domestic security revolution is going to require far more than a federated home affairs portfolio. The home affairs initiative needs to be considered a long-term investment in enhancing the agility and synchronicity of the system of systems that comprises Australia’s domestic security arrangements.

Collectively, the Commonwealth and the home affairs portfolio agencies have had abundant experience of this kind of change to their operating context.

The Australian Defence Force has been dealing with revolutions in military affairs for several decades. Research, education and training have been at the heart of its responses to the dual challenge of organisational and cultural change. The establishment of joint service schools like the Australian Defence Force Academy, despite some very public failings, has contributed more to a greater sense of inter-service jointness than any structural change.

The Australian Border Force (ABF) and the newly established Department of Home Affairs (created from the DIBP) have plenty of hard-earned experience with the challenge of rapid and revolutionary organisational change.

Likewise, the Australian Federal Police (AFP) brings with it experience of implementing the lessons learned from the devastating findings of Queensland’s Fitzgerald Inquiry (Commission of Inquiry into Possible Illegal Activities and Associated Police Misconduct) and the Woods Royal Commission (Royal Commission into the New South Wales Police Service). Interestingly, in their final reports both Woods and Fitzgerald highlighted the importance of education and training in effecting cultural change. But Woods’ 1997 final report emphasised that such education and training needs to be carefully planned:

Whilst the ideals of the Police Academy and the motivation of many connected with it have been well-intentioned, delivery of police education has long risked domination by an attitude that it is by police for police, and that the broader community has little to contribute.

The message here is fairly clear: while the coordination of policy and strategy will be important, the centrepiece of the long-term success of home affairs might be an outwardly focused research, education and training strategy.

With the exception of ASPI (see here, here, here and here)—with generous support from DIBP, the AFP and the Attorney-General’s Department—and a handful of academics, little research has been undertaken in strategic studies and applied policy in law enforcement and home affairs. A portfolio research strategy could be the catalyst for a new generation of research partnerships with universities and think tanks. In the process, home affairs could leverage that collaboration to shape the undergraduate and postgraduate education of its future workforce.

There are, of course, already whispers in Canberra of a joint ABF and AFP college. While that would have some benefits, a more strategic and revolutionary solution might be required, such as the creation of a single training organisation for the whole home affairs portfolio. The underlying premise is that shared facilities are fine, but the creation of a research centre of excellence, combined with joint training and education, will be revolutionary.

A single home affairs training strategy, and dedicated facilities, would create economies of scale for the portfolio agencies. In specialist training areas like physical surveillance, there are already pockets of excellence spread across several Commonwealth agencies. Those efforts could be enhanced by centralisation. This approach may be of particular relevance for security subject areas; previous training decentralisation efforts have unintentionally reduced capability across the Commonwealth. I’m thinking here of security risk management and protective security.

One of the most important benefits of a home affairs education and training strategy is the opportunity to promote greater interoperability and cultural change. The introduction, for instance, of a common home affairs training or induction course would send a clear message to the new staffer or recruit that connectedness and interoperability are the foundation stones of the portfolio. And the development of standardised training in the portfolio, for areas such as criminal and administrative investigations, would provide greater organisational agility in terms of operational deployment. It would also enrich the operational benefits drawn from such institutions as the Australian Institute of Criminology, the Jakarta Centre for Law Enforcement Cooperation and the Australian Institute of Police Management.

To be clear, the argument here isn’t that the various agencies that constitute, or that will in time constitute, home affairs haven’t done a good job when it comes to training. Rather, research, education and training can be used to drive and maintain the revolutionary change needed to protect Australia.

Peter Jennings accurately described the contrast between two examples of structural policymaking last week, the announcement of the new Home Affairs portfolio and the release of the unclassified version of the 2017 Independent Intelligence Review. Jennings was also right to argue that discussion and implementation of the review should not be submerged beneath the tumult over the incorporation of responsibility for ASIO and the AFP, along with immigration and border protection, under the Home Affairs umbrella.

Much of the review’s value arises from the authors’ deep knowledge of the history of reform of the Australian intelligence agencies.  Michael L’Estrange and Stephen Merchant place their analysis and recommendations into the context of the two royal commissions conducted by Justice Robert Hope in the 1970s and 1980s, which gave the Australian intelligence community the shape it has had for the past 40 years. They are well equipped to do so. L’Estrange was a researcher for the second Hope royal commission and was greatly impressed by Hope’s intellectual and personal qualities. He has held a number of posts, including secretary of DFAT and Cabinet secretary, which have enabled him to observe the agencies at close quarters. Merchant has held a number of senior posts in several of the agencies shaped by Hope. They are two experienced insiders, building on the work of a remarkably effective outsider.

L’Estrange and Merchant take as their baseline the Hope royal commissions’ definitions of the roles and responsibilities of the intelligence agencies, the oversight and accountability mechanisms under which they should operate, and the operational principles they should observe. After examining the current security environment, they express their recommendations as extensions, amendments or revisions of the structures and principles developed by Hope.

The central concern of Hope’s 16 major reports—striking the right balance between national security and civil liberties—remains fundamental, but L’Estrange and Merchant argue that some of the other crucial distinctions he made—‘between intelligence collection and assessment, between human intelligence and signals intelligence, between intelligence assessments and policy determination, and between security intelligence and law enforcement’ (paragraph 2.17)—can no longer be applied as rigidly as Hope did. By being so frank, they provide an intellectually robust framework within which to discuss their recommendations.

The review’s two most important recommendations are logical and timely extensions of Hope’s work. The first is the expansion of the Office of National Assessments (ONA) into the Office of National Intelligence (ONI).  The creation of ONA was probably Hope’s single greatest innovation. He saw the need for greater coordination between agencies that had too often been divided by geographical distance and institutional rivalries. Hope envisioned a central agency, devoted solely to assessment—unlike the US Central Intelligence Agency, which combines assessment, collection and special operations. By no coincidence, ONA’s new headquarters in 2011 was named the Robert Marsden Hope Building.

The review tackles, firmly but tactfully, the false expectations that some have entertained over ONA’s role and sets out clear reasons why it should be developed into an ONI, along the lines of the coordinating bodies in Australia’s Five Eyes partners.

Turning ONA into ONI has potential risks as well as likely benefits. L’Estrange and Merchant emphasise the importance of preserving the independence of intelligence assessments, while also saying that assessments must be timely and relevant to policymakers. Both statements are right, but getting the balance between relevance and independence will be no easy matter. Similarly, there is potential tension between two stated aims, greater coordination and greater contestability. How can we ensure that assessments are contested, without descending into interagency rivalry (like the notorious FBI–CIA antagonism before 9/11), and that the agencies are coordinated, without succumbing to groupthink? There are no simple answers, and outcomes depend on personalities and organisational cultures as much as on structures. The review’s recommendations seem wise, if implemented with the designated checks and balances. The ONA can rightly be housed in the Robert Marsden Hope Building.

The review’s second major recommendation is that the Australian Signals Directorate (ASD) be turned into a statutory authority with increased responsibilities and resources. This, too, is an extension of Hope’s arguments. Hope was ahead of his time in foreseeing an important future for signals intelligence, then handled by a division in the Department of Defence. He urged that it be given greater autonomy from the defence minister and secretary. Today, when everyone recognises the importance of cyber as an arena of international contest, turning ASD into a more influential and independent agency is a logical further step in the direction initiated by Hope.

The office of the inspector-general of intelligence and security emerged from Hope’s second royal commission. The intelligence review rightly insists that, as the agencies increase their roles, responsibilities and resources, so should the accountability and oversight bodies. The review’s recommended augmentation of the office is entirely consistent.  Hope, however, doubted whether a parliamentary committee was appropriate in the Australian system. The Hawke government decided on a very limited model, which has had its remit extended over the years. The review’s proposal for further extension of the committee’s role is consistent with the views of (PDF) the respected former Labor senator and minister for defence, John Faulkner.

There is much else in the review that should form the basis of calm and rational discussion and prompt implementation. Any discussion should start from the basis that this review is the most thorough, comprehensive and clearly argued assessment of the intelligence agencies since the Hope royal commissions; that it consciously aims to bring the structures and principles enunciated by Hope into the current strategic environment; that it is frank about the areas in which those structures and principles require revision; and that constructive discussion and prompt implementation should not be submerged beneath the controversy over the establishment of a Home Affairs portfolio.

The other week, ASPI’s Cesar Alvarez and Simon Norton published a cogent argument for the greater protection of Australia’s private and public sector whistle-blowers. With startling statistics, Cesar and Simon highlight that:

‘…of the 80% of Australian employees who feel ‘personally obliged’ to blow the whistle, only 49% would actually do so.’

While there’s no globally accepted definition of whistleblowing, most people would likely accept the definition put forward by a 1994 Senate committee: ‘the disclosure by organisation members (former or current) of illegal, immoral or illegitimate practices under the control of their employers to persons that may be able to effect action.’

As a nation, we don’t have a good track record for protecting whistleblowers. There should be little surprise in public sector circles that the leaking of information to the media is a much safer option than whistleblowing because anonymity can be maintained. But leaks have increasingly become a tool of politics, not an act to right a wrong. As we enter the federal election period, there are going to be plenty of temptation for public servants and staffers to leak information to the media.

In 2013, then Public Service Commissioner Steve Sedgwick made the Commonwealth’s perspective on information disclosure clear:

‘The default assumption is that—unless there are good public interest reasons to the contrary—the business of government will be public and knowable.’

But there are also many aspects of government that must be kept confidential in the interest of national security.

So when it comes to public sector leaks, we have people who feel that their employers have acted illegally, immorally or illegitimately and that to effect action, while protecting their identity, they need to leak information. On the other side we have the agencies charged with keeping our national secrets safe. Then we have the Australian Federal Police who are responsible for investigating incidents where official information has, without authorisation, been disclosed to the media.

Investigating leaks isn’t an easy task for the AFP, which has had precious few successful prosecutions. Identifying and proving who had access to specific information is difficult. But even more difficult is proving, beyond reasonable doubt, who leaked information, and how and when a piece of information was leaked to the media. But with changes to data retention laws and improved access to metadata, things may get easier for the AFP. And this likely spells trouble for journalists trying to protect sources.

Imagine how distressing it would be to see your name appear, over and over again, in hundreds of pages of AFP documents. Journalist Paul Farrell knows this feeling all too well. Earlier this year, he published an article in The Guardian that contained sensitive, and most likely classified, official information leaked to him by a confidential government source.

Farrell’s account of the AFP documents—and an AFP fact check—reveal that the police are undertaking a criminal investigation into a Commonwealth criminal offence to identify and charge the source of the leak.

Freedom of the press isn’t under threat. Farrell isn’t under investigation, and he’s not being accused of committing any criminal offence.

But having your privacy probed like this would be incredibly intrusive. Farrell’s confidential source reportedly provided information that indicated that the Australian Border Force vessel Ocean Protector had gone far deeper into Indonesian waters than the government had disclosed. Farrell reported the information in April 2014.

Yet the leaked information didn’t belong to the person who leaked it, but to the Commonwealth. The person who leaked the information to Farrell wasn’t authorised to do so by any Commonwealth official. Given the published facts and the way in which the information was passed to the media, it’s reasonable to assume that the source involved was as aware as Farrell that the leak may have constituted a criminal offence.

Farrell argues that the leaked information reveals that the review into Ocean Protector’s incursion into Indonesia’s waters was flawed and therefore his source’s actions are justified by the public’s interest in the matter. I’m not privy to the details of this incident but it appears that the leak had an impact on national security: the revelations alleged in Farrell’s article adversely impacted on our relationship with Indonesia.

Farrell’s source would have expected that the matter would be referred to the AFP for investigation. And that’s what occurred.

Farrell has a strong obligation not to burn his source. But this doesn’t mean that the leak can’t or shouldn’t be investigated by the AFP to identify the source.

If there’s any mitigating circumstances for the leak, then there’ll be ample time for this to be considered should the source of the leak ever be identified and charged. Given the AFP’s track record with leak cases, it’s doubtful if it will ever come to this.

My argument is unlikely to sway the perspectives of journalists. Sure, journalists themselves aren’t under investigation but neither, as argued by Cesar and Simon, are they being adequately protected. For journalists this case highlights a worrying trend. If the AFP are going to access metadata and telecommunication records in leak investigations, then Australia’s journalists are going to need to be a lot more tech-savvy if they’re to maintain their source’s anonymity.

Australia’s national security agencies are unlikely to be entirely supportive of my colleagues recommendations for overcoming the fear of whistleblowing when it comes to matters categorised as having ‘national security’ implications. With an election campaign underway, the Farrell case might give pause to potential leakers—a deterrent effect that would be welcomed by departmental heads and their political masters alike.