In this blog, one of Fivecast’s Senior Tradecraft Advisors explores recent calls from Australia’s intelligence community to reform current Security Vetting processes, the implications of the suggested reforms and how technology and publicly available information play an important role in developing a model of continuous evaluation. 

Last week, speaking publicly to the National Security College, two leading figures in the Australian intelligence community discussed their efforts to overhaul and modernise their approach to security vetting. While these comments were intended for the Australian intelligence community, they hold lessons on security vetting improvements for other global government agencies and organizations, particularly in Five Eyes nations.

Andrew Shearer, Head of the Office of National Assessments, and Mike Burgess, Director General of the Australian Security Intelligence Organisation, spoke candidly about a range of challenges faced not just by their own agencies, but by the Australian National Intelligence Community more broadly.

One topic clearly at front of mind for both men – with long and distinguished careers in the national security space – is Personnel Security Vetting. Andrew Shearer warned that outdated and rigid thinking needed to be modernised, and his counterpart at ASIO went further, specifically warning that security vetting in Australia was currently characterised by a ‘Vet and Forget’ mentality, which needed to transition to a model Burgess referred to as ‘Continuous Evaluation’.

What is security vetting?

Before government employees are given privileged access to their country’s classified information and sensitive facilities, they undergo a process known as security vetting. Designed to filter those who may be unsuitable to hold such positions, or to identify those deliberately attempting – with malicious intent – to infiltrate government agencies, security vetting is a relatively intrusive employment screening process which thoroughly examines – among other things – a prospective employee’s background and social network.

This process is undertaken prior to an applicant being granted access to classified material for the first time. Once the clearance has been granted, it is reviewed – or ‘revalidated’ – periodically. However, both the initial and ongoing vetting checks are resource intensive. This means that revalidation of a security clearance may not actually occur for a period of up to 10 years after the initial grant, depending on the level of clearance.

What is Continuous Evaluation?

When people talk about ‘Continuous Evaluation’ in the context of security vetting, they’re referring to an enhancement of the current model, wherein clearance holders are subject to more regularly scheduled due diligence checks so that relevant changes in their lives can be reviewed for risk immediately, rather than waiting potentially years for the next scheduled review.

Australia is not alone in seeking to enhance its rigour when it comes to vetting. The US Government has been moving toward this model for years and the primary vetting agency in the US – Defense Counterintelligence and Security Agency (DCSA) – is implementing the processes and infrastructure to enable the changes.

In Australia, the government is making efforts to hand Burgess’ agency, ASIO, greater legislative power to issue, maintain and revoke Australia’s highest level of security clearance, currently known as “TOP SECRET: Positive Vetting”, though it is to be known as ‘TOP SECRET – Privileged Access’ as ASIO takes control of the process. This is the context in which Burgess refers to the application of Continuous Evaluation, but moves are also afoot more broadly to introduce the concept in other forms of screening. The Australian Defence Department now requires all companies with Defence Industry Security Program (DISP) membership to ‘continuously monitor’ all employees.

In August last year, the overarching policy document that mandates security settings across the Australian Government – the Protective Security Policy Framework (PSPF) – was updated to incorporate application of AS4811:2022 (Workplace Screening) to Personnel Security. The standard describes a risk-based approach to employee screening that considers the level of access required for the role, goes beyond just looking for red flags, and requires ongoing suitability assessments after the point of employment for all employees, even those without security clearances.

Resourcing challenge

While very few would argue with the notion of increased rigour around background checking of those people and companies charged with protecting Australia’s security, the obvious problem that arises from the new push toward continuous or ongoing evaluation is one of resourcing.

Long plagued by delays and bottlenecks, AGSVA is already an agency stretched to capacity. And it’s not alone among its Five Eyes counterparts in grappling with the challenge. Earlier this year, the UK Inspector of Constabulary Matt Parr said in a BBC interview that – in relation to the vetting scandal engulfing the Metropolitan Police – “there were vetting units that were overwhelmed and under pressure to get the numbers in, and in some cases they just weren’t very efficient”.

Is it realistic to expect vetting agencies to make a dramatic and overnight improvement without additional funding? Probably not, so how can they be expected to suddenly lift to the entirely new level of capacity required to make Continuous Evaluation actually possible?

“We need to reconceptualise vetting”: DG ONI

While one obvious answer is resources – extra people to undertake the security and vetting checks – the other big challenge flagged by Shearer and Burgess is outdated, rigid and old-fashioned thinking.

As Shearer pointed out, things like diverse sexuality and mental health are managed very differently in modern society, yet some of the arcane rules governing vetting have not been updated in a long time and fail to take this changed dynamic into account. Further, vetting processes aim to explore and gauge risk in a variety of aspects of people’s lives. But the way in which those lives play out continues to evolve. For instance, significant elements of people’s lives – their connections; their ideology; their vices, pleasures and vulnerabilities – now play out online, in a social media landscape that wasn’t even envisaged 20 years ago. That landscape cannot be properly examined these days with a few Internet keyword searches, or mitigated by the manual checking and rechecking of digital footprints to identify changes.

Jack Teixeira: a cautionary tale

21-year-old US National Guard airman Jack Teixeira has recently been charged by the US Government with causing the worst damage to US National Security and global standing in a decade by leaking a trove of classified documents.

Teixeira was able to access such material by virtue of holding a US Government TOP SECRET clearance, presumably issued with all the rigorous background checking that process would have entailed.

Rather than providing those documents to an undercover intelligence officer at a sports club or community association after a long face-to-face cultivation – as may have been the case in years gone by – prosecutors allege that Teixeira, while caught up in the culture of online gaming, shared hundreds of classified documents on an online communication platform known as Discord.

The dissemination of the documents to fellow members of the Discord server occurred over a period of months; at some point after which they were posted in a more public Discord chat group, and then – according to Bellingcat – found their way on to Telegram, another social media platform.

According to media reporting, US Federal Prosecutors have alleged that Teixeira – while undergoing the initial vetting process – hid “unsavoury aspects of his character” from public view, citing violent and racist views from Teixeira’s online social media accounts which presumably were not unearthed at the time.

While such activity is relatively easy to trace back once an incident like this makes public headlines, an estimated 1.25 million US citizens hold TOP SECRET security clearances alone. As such, the unenviable challenge for vetting agencies is attempting to proactively check and assess the public social media footprints of all their clearance holders, looking for the tiny fraction of those who may actually pose a risk.

A better way?

As DG ASIO noted, part of the path to Continuous Evaluation is the application of technology, which provides great opportunity to enhance the rigour of security vetting. We need more effective data acquisition and integration, as well as new capabilities to help us identify the right patterns and anomalies in that data.

Continuous Evaluation, done properly, requires the vetting authority to have ongoing access to a range of sensitive personal information such as financial records, credit history, international travel, and so on. It is intrusive, but a necessary trade-off for clearance holders seeking positions of trust inside their country’s governments.

In the modern age, a critical component of Continuous Evaluation is publicly available, or ‘open-source’, information. Specifically, public social media – the modern equivalent of the town square, which increasingly offers vetting authorities an insight into the complexity of human life, as the Teixeira case demonstrates.

Publicly available information is a particularly suitable component of Continuous Evaluation because it is relatively non-invasive from a privacy perspective, relatively easy to access and the technology is now available to automate much of the screening. While not able to provide the complete vetting picture, social media and other open-source information – the ‘digital footprint’ – is conducive to light but frequent monitoring to identify emerging risks and better targeting of the deeper investigations and assessments required.

With technology now available to support this outcome without a corresponding increase in numbers of vetting personnel, it is policy and procedural transformation that remains the final challenge. Recent public reporting of former ASIO counter espionage officer George Peacock having been recruited by Russian intelligence services in the 1970s and run in place for many years serves as a reminder of the criticality of this effort.