• Home
  • About Us
    • Advent IM – What Makes Us Tick?
    • Downloads
    • Advent IM Media
    • Advent IM News
    • Industry News
    • Certifications and Memberships
    • Vacancies
    • Trusted Partners
    • Useful Links
    • Legal Info
    • Privacy
  • Consultancy
    • Cyber Security
      • GDPR/MyDPO
      • ISO27001
      • ISO27552
      • Data Protection/GDPR
      • Educational Cyber Security
      • Information Risk Management
      • PCI-DSS
      • Cyber Essentials
      • Police Cyber Security
      • NIS Directive/Regulations
      • Supply Chain Assurance
      • MySecurityManager
      • NHS Data Security and Protection toolkit
    • Physical Security
      • Review and Audit
      • Educational Physical Security
    • Business Continuity
  • Training
    • Data Protection/GDPR Training
    • Police Senior Information Risk Owner (SIRO)
    • Police Data Protection/GDPR Training
    • Police Information Asset Owner (IAO)
    • Public Sector Senior Information Risk Owner (SIRO)
    • Public Sector Information Asset Owner (IAO)
    • NIS Directive Training
    • Technical Information Risk Management (TIRM)
    • Bespoke Training
    • Use our Training Facilities
  • Blog
  • Contact Us
    • Press and Media
    • Downloads
  • Home
  • About Us
    • Advent IM – What Makes Us Tick?
    • Downloads
    • Advent IM Media
    • Advent IM News
    • Industry News
    • Certifications and Memberships
    • Vacancies
    • Trusted Partners
    • Useful Links
    • Legal Info
    • Privacy
  • Consultancy
    • Cyber Security
      • GDPR/MyDPO
      • ISO27001
      • ISO27552
      • Data Protection/GDPR
      • Educational Cyber Security
      • Information Risk Management
      • PCI-DSS
      • Cyber Essentials
      • Police Cyber Security
      • NIS Directive/Regulations
      • Supply Chain Assurance
      • MySecurityManager
      • NHS Data Security and Protection toolkit
    • Physical Security
      • Review and Audit
      • Educational Physical Security
    • Business Continuity
  • Training
    • Data Protection/GDPR Training
    • Police Senior Information Risk Owner (SIRO)
    • Police Data Protection/GDPR Training
    • Police Information Asset Owner (IAO)
    • Public Sector Senior Information Risk Owner (SIRO)
    • Public Sector Information Asset Owner (IAO)
    • NIS Directive Training
    • Technical Information Risk Management (TIRM)
    • Bespoke Training
    • Use our Training Facilities
  • Blog
  • Contact Us
    • Press and Media
    • Downloads

“Five Eyes” intelligence document leak – Australian Defence bureaucrat off to jail

This week saw the news that the junior bureaucrat from the Australian Department of Defence, has been jailed for one year, following his guilty plea in the ACT Supreme Court to posting a secret Defence Intelligence Organisation, to an online forum. Julia McCarron gives her take on this quite staggering series of events.

Not a ‘Gooday’ for the Canberra APS

Surprise!

Well this a strange one for sure. So, Michael Scerba, a former junior Defence bureaucrat has been jailed in Australia for uploading secret information online. He downloaded a 15 page document from a secret Defence Intelligence report, burnt it to disk, took it home and posted the first two pages on an on-line forum. The post was viewed and commented on by a dozen people and re-posted but disappeared an hour after its original post.

This is bad on so many levels …

When they say he was a junior bureaucrat, he was actually a 21 year old Department of Defence (DoD) graduate … with only 8 months on the job behind him and a secret (negative vetting level one) clearance … and apparently “his mental health had impaired his judgement”. I accept that the article does not expand on these mental health issues or when these issues occurred, and I am in no way implying that mental health of any kind should be a barrier to employment as I do not believe it should in general. However, we are talking about a position in National security here with access to secret information, so assuming his issues occurred pre-employment. So first question: Why was a 21 year old graduate with mental health issues given a level of clearance high enough to enable access to, and the capability to download, information relating to National security?

You've got to have a system.

Something has to have gone wrong with the vetting process and/or the employment process where access rights and privileges are determined and applied. If he had underlying mental health issues surely these should have been detected prior to his employment or during the induction process. I would presume DoD staff have to go through stringent mental stability checks checks for security clearance purposes to minimise the risk of coercion or subversion? This seeming lack of procedure demonstrates the importance of a robust vetting process, particularly in a role so critical to the security of the nation. It also demonstrates the need to ensure privileges are granted relevant to the job role and on a ‘need to know’ basis. Did he really need to access to information that revealed the identity of intelligence sources, gathering methods and classified aspects of strategic partnerships between Australia and other countries?

Advent IM Cyber SecurityIt also opens up the question of removable media access and control in sensitive areas. Second question: Did he really need to be granted the ability to burn information to disk or USB at the level he was working at? Are there not search facilities at access points a la ‘Spooks’ that detect unauthorised media? I would have thought again that some sort of policy would have existed that meant staff were only allowed use of authorised removable media and that no media was allowed to be removed from the premises?

And finally, the claim by the Judge that, “Scerba had not intended to compromise national security, although he knew the disclosure could cause harm”. I find this claim quite astonishing. So he’s employed in a DoD job, with access to information pertinent to National security and he didn’t know the disclosure could cause harm or compromise National security? Really? Question 3: What kind of induction training was the DoD providing? I can’t believe they do not put employees through extensive security training highlighting how to handle data at various classification levels, the importance of data classification and handling and the consequences of failing to comply with policy. If they don’t then some serious questions need to be asked!

I think I’m with retired Lieutenant General Peter Leahy on this one though; jail time was definitely required for this serious National security data breach. But 12 months with only 3 served does not send out a good message to others employed by the DoD who, like Scerba, believe Julian Assange is their hero. This could just be the beginning unless changes to process are tightened up.

Post comment based on an online article in the Canberra Times dated 5th November 2015.

Share this:

  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Twitter (Opens in new window)
  • Click to share on Pinterest (Opens in new window)
  • Click to email this to a friend (Opens in new window)
  • More
  • Click to print (Opens in new window)
  • Click to share on Reddit (Opens in new window)
  • Click to share on Tumblr (Opens in new window)
  • Click to share on Pocket (Opens in new window)
  • Click to share on Skype (Opens in new window)
  • Posted by Ellie Hurst
  • On 5th November 2015
  • 0 Comments
Tags: advent IM, Australia, cyber security, Department of Defence, five eyes, information security, Insider threat, intelligence, Julia McCarron, national security, Security, security policy, spooks, vetting

0 Comments

Content Search
Blog Categories
Post Tags
advent advent calendar advent IM business business continuity christmas CNI cyber attack cybercrime cyber crime cyber security cyber threat data breach data protection data protection act data security Ellie Hurst GDPR hack hackers hacking HMG ICO IFSEC information security Infosec Insider threat ISO27001 IT security Julia McCarron malware Mike Gillespie NCSC passwords phishing physical security privacy ransomware resilience risk management Security security tips surveillance camera commissioner Tony Porter training vulnerabilities
Blog Archive

SAFE HARBOUR RETURNS...

Morrisons staff suing over data breach. Del Brazil takes a look at what we know and what it might mean.

Scroll
Advent IM Limited

Advent IM is the UK’s leading independent information security and physical security consultancy.

We specialise in holistic security management solutions and have a proven track record of successful certifications.

Privacy Information

Legal Information

Latest Blog Posts
  • Solutions for yesterday’s DPD19 Crossword puzzle…
  • Top of the Breach – Data Protection Day – Top 5 Cyber Causes
  • Mike’s Medicine Show…a cautionary Data Protection Day tale…
  • New Crossword for Data Protection Day 2019
Our Tweets
  • Managing the physical protection of records is part of #dataprotection how good is your business at this… https://t.co/iy5E6PMiy418th February 2019 - 4:54 pm
  • If you need guidance through the process of gaining certification to the UK Government’s #CyberEssentials Scheme, t… https://t.co/hFOFXsU1D918th February 2019 - 4:50 pm
KEEP IN TOUCH…

Your Email (required)

Head Office: 0121 559 6699
London Office: 0207 100 1124
Email: bestpractice@advent-im.co.uk

Copyright @ 2016 Advent IM Limited.

loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.