Five weeks before the head of the ANU’s National Security College called Australian states and territories “weak links” to national security, incoming ACT ministers were warned that ACT Government systems are “not rated to receive security classified information”.
The Australian Government regularly issues classified information subject to stringent security requirements at the protected, secret or top-secret level, but “the ACT Government’s ICT system is not rated to receive security classified information”, the brief said.
Professor Rory Medcalf said states and territories needed officials with high-level security clearances who could access classified security information to help counter foreign influence and cyberattacks.
“States and territories are where it gets real,” he said.
“They don’t deal with the abstractions of diplomatic talking points or strategic analysis, but the tangible day-to-day elements of national resilience and national vulnerability – critical infrastructure, frontline geography, and the daily decisions and livelihoods of Australian citizens.”
An ACT Government spokesperson said national security classified information is not transmitted or stored on the general ACT Government ICT network.
Highly classified documents, such as those viewed by the Chief Minister ahead of National Cabinet deliberations, can only be viewed in designated secure rooms. The same protocols are applied when Chief Ministers and Premiers video-link for National Cabinet.
“The ACT Government uses Australian Government equipment to send and receive national security classified information,” the spokesperson said.
“The ACT Government has ensured is has the right people with the right clearances in the right positions to access and use national security classified information to help keep Canberrans safe.
“ACT Government employees requiring access to National Security classified material, systems or infrastructure are vetted to the appropriate level by the Commonwealth Australian Government Security Vetting Agency within the Department of Defence.”
The revelation came after an ACT Auditor General report in June 2020 found that 89 per cent of critical ICT systems did not have a current system security risk management plan, and “there is a low level of data security awareness among staff in most agencies examined in the audit”.
That number has since come down, but of the more than 2,200 cybersecurity incidents the Australian Cyber Crime Centre responded to in a year, more than a third were directed towards Australian Government or state and territory government entities.
The ministerial briefing also noted that while Australia’s terrorism threat level remains ‘probable’, there is an increasing threat from right-wing extremism.
“Australian individuals, largely consisting of white men, are being drawn to and adopting extreme right-wing ideologies,” it says.
“While there is no current information to suggest current attack planning, including in relation to COVID-19, an extreme right-wing attack in Australia is plausible in the next 12 months.”