The Insider Threat and AUKUS: Safeguarding Australia’s Strategic Partnerships


Insider threat is not new, but it has been turbocharged in the 21st century by advances in technology. Be it communications, computing, social media, or access to information, the fact is that 21st century technology (very recent and innovative in terms of the arc of human history) has enabled and empowered a single person – the insider threat – to cause great harm to people, societies, businesses, economies, governments, and national security.

But technology is only the enabler, as the core of the insider threat remains the person: their psychology, predispositions, motivations, and attitude that shape and drive them to commit an act of harm. Examples of insider acts of harm include Barings Bank, founded in 1762 and destroyed in 1995 by rogue trader Nick Leeson, and Edward Snowden, who in 2013 stole highly classified files from the National Security Agency and caused enormous harm.

Understanding the Insider Threat

The significance of managing insider threat was recently made clear by Tom Homan, whom President-elect Donald Trump selected in November 2024 as his border czar. Homan said on 2 January 2025 that the incoming Trump administration needs to address ‘insider threats’, referencing that week’s New Orleans and Las Vegas terror incidents, which resulted in deaths and injuries.

Homan told Fox News during an interview that “we can’t let this go on any further” after authorities said an Army veteran killed at least 14 people with a truck in New Orleans and an Army Bronze Star recipient injured seven while exploding a Tesla Cybertruck in front of the Trump International Hotel in Las Vegas.

“We need to drill down and find out about this inspiration and what insider threat is currently in the United States government, military, and in the United States government service, and address them right away,” Homan said. “We gotta address insider threat. We have to. We can’t let this go on any further.”

Homan expressed the need to “really dig down into insider threat” in “federal servants,” whether “it’s the FBI,” and especially in an industry with “infrastructure responsibilities.”

Australia’s Insider Threat Landscape

In Australia, the insider threat – a person who uses their legitimate access to assets and information to cause harm – has long been a recognised threat in our Defence, national security, and intelligence agencies, with personnel security effort devoted to mitigation of the insider threat. The Australian Security Intelligence Organisation (ASIO) plays a significant role in Australia’s efforts to mitigate insider threat, but its resources and remit are limited.

Insider Threat Programs for Commonwealth Government Entities

Only in late 2023 were the many Commonwealth departments outside the abovementioned national security departments and agencies told they may need to establish an insider threat program. This requirement was clarified in November 2024 amendments to the Commonwealth’s Protective Security Policy Framework (PSPF), to which most Commonwealth departments are subject. The PSPF is administered by the Department of Home Affairs.

The new PSPF requirement 51 directs “An insider threat program is implemented by entities that manage Baseline to Positive Vetting security clearance subjects to manage the risk of insider threat in the entity.”

This means that if your entity sponsors any level of a Commonwealth Government security clearance, it is required to implement an insider threat program.

Obligations for Owners and Operators of Critical Infrastructure Entities under the Security of Critical Infrastructure Act 2018

Further, in 2023, it became clear that critical infrastructure entities – most of which are private sector, not government – which are under the obligations of the Security of Critical Infrastructure Act 2018 (SOCI Act) are obliged to mitigate insider threat for their ‘critical workers’ and overall workforce, and into their supply chain.

Whilst the SOCI legislation does not expressly use the term ‘insider threat program,’ it is the required mechanism to manage insider threats across an enterprise.  Also, select critical infrastructure entities will increasingly have employees with Commonwealth clearances, which reinforces the obligation to have an insider threat program.

Insider Threat Management and AUKUS

Australia’s partners in the AUKUS enterprise to build and maintain nuclear-propelled submarines in Australia (Pillar 1) and share select advanced technologies and research (Pillar 2), the United States and the United Kingdom, will require the creation and operation of robust insider threat programs spanning thousands of people across Australia and beyond. Australia cannot afford to fail to safeguard the nuclear submarine secrets and sensitive technology that our key allies are willing to share.

Robust insider threat management is indispensable.  Australia now has clear advice from a key member of the Trump administration – Tom Homan – that Australian entities involved in AUKUS need to understand the nuances of personnel security, especially with regard to insider threat mitigation, and deploy that approach on a vast national scale and do so with an intensity that befits Australia fighting for its economic wellbeing and national security.

Addressing the Insider Threat: A Path Forward for Australia

Effectively managing insider threats requires a multi-faceted approach that blends robust policies, advanced technologies, organisational culture, and a deep understanding of human behaviours and the risks individuals present across the lifecycle of employment. The following nine recommendations outline the key steps Australia needs to undertake to strengthen its insider threat defences in alignment with global best practices.

1. Establish Comprehensive Insider Threat Programs

  • Government Agencies: Commonwealth departments and entities subject to PSPF must fully implement Requirement 51, ensuring insider threat programs are operational across all levels of security clearance, from Baseline to Top Secret Positive Vetting (PV).  For Top Secret-Privileged Access (TS-PA) clearance holders there is already an assurance process in place.

  • Critical Infrastructure Entities:  Entities subject to the SOCI Act should incorporate insider threat programs as part of their broader risk management strategies.  These programs should address vulnerabilities associated with critical workers, the broader workforce, and supply chain partners.

2. Leverage Lessons from AUKUS Partners

  • Draw on the expertise of the U.S. and UK, which have established robust insider threat programs to protect sensitive military and technological assets (including critical infrastructure), leveraging internationally recognised standards like ISO 9001 for quality management systems and ISO 19443, which is specifically designed for the nuclear sector.
  • Australia must develop aligned programs to safeguard the nuclear propulsion technology and operational secrets associated with AUKUS, ensuring these programs integrate the rigorous risk and quality management frameworks provided by ISO 9001 and ISO 19443 to enhance their effectiveness, reliability, and alignment with global best practices.

3. Adopt a Holistic Approach to Personnel Security

  • Move beyond traditional vetting or background checking processes to focus on continuous evaluation. This includes behavioural monitoring, advanced vetting techniques, and psychological support programs designed to mitigate risks associated with stress, financial instability, or ideological shifts.
  • This approach might be characterised by some as a potential breach of Australia’s Privacy Act 1988 or objected to by unions or other self-interest groups. Designed and executed appropriately, the continuous monitoring approach actually protects employees and the enterprise.  It can provide ‘duty-of-care’ assurance to prevent an employee or contractor from acting in self-harm and damaging the enterprise.

4. Deploy Advanced Technologies

  • Behavioural Analytics: Implement OSINT-driven tools to conduct workforce screening and monitor anomalies in user activity, flagging potential risks before they escalate. Introduce team-level short questionnaires to gain insight into employee attitude and emerging workplace issues.
  • Access Management: Use role-based access controls and audit mechanisms to limit and monitor access to sensitive information and assets.
  • Incident Response: Establish real-time insider threat response capabilities to detect, investigate, and neutralise threats swiftly.

5. Enhance Collaboration and Information Sharing

  • Foster partnerships between government agencies, private sector entities, and academia to share best practices, intelligence, and threat indicators.

6. Educate and Train Workforces

  • Provide tailored and responsive training for employees at all levels to recognise, report, and prevent insider threats.  
  • This includes:
    • Recognising behavioural red flags.
    • Understanding legal and ethical considerations.
    • Engaging in regular security awareness programs.
    • Nurturing a security culture that supports people, the enterprise, and the clients / stakeholders that depend on the enterprise.

7. Implement Strong Governance Frameworks

  • Develop clear policies and procedures for insider threat management, ensuring alignment with legislative obligations under the SOCI Act and PSPF as well as with the risk management elements of whatever Quality Management System is used.
  • Conduct regular external audits and assessments to evaluate program effectiveness and compliance.

8. Prepare for High-Stakes Environments

  • Given Australia’s role in the AUKUS partnership, insider threat programs must meet the rigorous standards expected by its U.S. and UK allies. Failure to protect secrets could jeopardise access to critical technologies, strain diplomatic relations and ultimately impact the national security of all three AUKUS partners.

9. Invest in National Insider Threat Research and Development

  • Establish a dedicated research initiative to study insider threats in Australia’s unique context, focusing on critical infrastructure and government applications.
  • Collaborate with international partners to stay ahead of emerging threats, particularly those exacerbated by technological advances.

Conclusion

As insider threats become more sophisticated and impactful, Australia must act decisively to mitigate this threat. By implementing robust insider threat programs, leveraging international expertise, and fostering collaboration across sectors, the nation can act to safeguard its critical assets and mitigate the insider threat.

Australia’s national security and its role in global partnerships, like AUKUS, depend on its ability to rise to this challenge, and that challenge includes embracing a clear-eyed approach to managing people securely which includes acting to mitigate the insider threat. The time for action is now.

Interested in learning more? Pentagram Advisory Pty Ltd strongly advocates for proactive measures to mitigate the insider threat, providing tailored advice and expertise to help organisations achieve compliance and resilience. Explore our insider threat courses on the eLearning Hub or view our program of workshops.
