Australia’s supply chain is vulnerable to a wide range of hazards. The Security of Critical Infrastructure Act 2018 (SOCI Act) recognises that critical infrastructure faces threats across multiple hazard domains, including cyber and information security, physical and natural hazards, personnel security, and supply chain risks.
A recent case, reported by media in early October 2024, illustrates the insider threat within the personnel security domain. This case, originating in Germany’s supply chain at an airport, demonstrates the serious risks associated with personnel security.
Yaqi X, as pictured, is alleged to have stolen national security-related information to which she had legitimate access and passed it to a foreign power, in this instance, China. Yaqi X was arrested in Leipzig for allegedly providing intelligence on Leipzig/Halle airport, a key transport hub for the German defence industry, to Chinese intelligence.
At the time of her arrest, Yaqi X, 38, was employed by a logistics services provider at the airport. Prosecutors claim she repeatedly shared information on flights, passengers, and military cargo transport with another individual linked to China’s secret services. The airport is recognised as a critical node for German defence exports, particularly in support of Ukraine.
Between August 2023 and February 2024, Yaqi X allegedly passed information to Jian G, a figure involved with Chinese intelligence. The shared intelligence reportedly related to the transport of military equipment and personnel tied to a prominent German arms company, widely believed to be Rheinmetall, Germany’s largest defence manufacturer. Rheinmetall has played a crucial role in supplying Ukraine with military vehicles and weapons.
The case appears connected to another espionage case involving Jian G, a former aide to a German Member of the European Parliament. Detained earlier in 2024, Jian G was accused of spying on Chinese dissidents in Germany and sharing information on the European Parliament with Chinese intelligence. Jian G, who had obtained German citizenship after moving to the country in 2002, had previously worked with dissident groups in Germany.
Key Lessons and Implications
This case serves as a stark reminder of the importance of rigorous pre-employment screening and the ongoing assessment of employee and contractor suitability—critical elements of an insider threat program. Under the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023, owners and operators of critical infrastructure assets must ensure the suitability of all employees, contractors, and third-party personnel who may have access to sensitive information and critical assets.
Further, this case underscores the need for an enterprise-level Supply Chain Risk Management Framework. Such a framework should include integrated protected procurement to ensure risk is assessed and monitored not just at the organisational level but also for key individuals within the supply chain.
Proactive risk management demands independent assessments and continuous monitoring of supply chain entities, particularly those with access to sensitive operational details.
Questions to consider:
How does your organisation assure the suitability of third parties and contractors who have access to your sensitive information and critical assets?
Is your insider threat program robust enough to detect and mitigate personnel-related security risks?