Overview and analysis

The security and safety of our people and their dependants overseas is a high priority, together with the security of our missions, including government communications.

Security

The department undertook a range of reforms focused on developing a robust security culture, supporting risk-based security decision-making and delivering flexible security solutions.

We promoted the importance of a robust security culture in a range of communication campaigns, and through training and outreach activities for designated security officers in Australia and overseas.

We used the May security culture survey to tailor our communication campaigns, targeting contact reporting, personal security, mobile phones and cyber risks. The highlight of our campaign was ‘Security Week’, which we held across the network in March. We also introduced a mobile application ‘Overseas Security Awareness’ for staff to access up-to-date information on personal security related to travel.

We launched the department’s security framework in March after an 18-month review of protective security policies and procedures. The framework integrates a risk management approach to security and introduces new reporting mechanisms for posts to address risks and vulnerabilities. It helps us to adhere to the revised Australian Government Protective Security Policy Framework.

During the year security fit-outs were completed at new and relocated posts in Yangon, Ulaanbaatar, Bangkok, Dublin and Surabaya. We also upgraded physical security in Harare, Pretoria, Dili, Vientiane and Dhaka to mitigate threats.

We responded to the Australian National Audit Office’s (ANAO) Protecting Australian Missions and Staff Overseas audit findings by improving strategic planning, managing security measures and training staff. The related parliamentary Joint Committee of Public Accounts and Audit report was critical of the department in light of the ANAO’s findings and made a number of recommendations to which the department will respond by November 2018.

Our post inspection regime was reviewed following an audit, and in August 2017 we began producing up-to-date threat and security risk assessments for all posts. This has resulted in a greater understanding of our risk and how to mitigate this given resource challenges. We inspected 38 posts in 2017–18.

Information Technology

We continued to provide secure and reliable systems both nationally and internationally.

The department delivered the International Communications Network (ICN)—a five-year initiative to enhance, modernise, and replace the Secure Australian Telecommunications and Information Network at over 174 sites globally.

We conducted upgrades across the network, including to desktop computing, telephones, mobility, infrastructure, technology support and the wide area network upgrades at over 156 sites. Our improvements to the ICT system have benefited departmental and partner agency staff at home and abroad, enabling us to deliver core policy objectives more efficiently and effectively.

The upgrades reduced login times from eight minutes to 30 seconds in some locations. Staff are using the new capability to work remotely on mobile devices with access to emails and the cables system when travelling internationally, at post or out in the field. The rollout has also enabled visa e-lodgement, reducing processing times.

We also collaborated with the United Kingdom Foreign and Commonwealth Office Service to deliver ICT equipment into countries we have not previously been able to reach. This provided a cost-effective delivery solution.

While the ICN rollout has delivered benefits, ongoing investment and maintenance of assets and infrastructure—domestically and overseas—will be needed.

Overseas property

We protected Australia’s domestic and overseas property assets by providing safe, secure and functional work environments for staff across our global owned and leased properties.

Collaboration between our property, security and ICT areas to secure suitable and fit-for-purpose accommodation has been integral to the expansion of our diplomatic footprint. We relocated embassies in Yangon and Dublin to satisfy security requirements and provide more efficient workspaces.

We implemented the government’s 2017–18 Budget decision to consolidate the Commonwealth’s overseas property functions into the department and centrally manage expenditure. Twenty-three agencies transitioned to the new arrangements in March, ahead of schedule. The Commonwealth owned estate was valued at $3.28 billion at 30 June 2018.

Construction and relocations

We undertook a substantial overseas construction program during the year. The new Australian embassy in Nairobi will be completed later in 2018. Although construction is behind schedule, the project remains within budget. When completed, the new purpose-built embassy will meet the security, accommodation and operational requirements of all government agencies represented in Nairobi.

We commenced the procurement process for the new Washington chancery. The current building’s structure and services have reached the end of their economic and useful life; these are a significant business continuity risk. The department leased temporary embassy accommodation for the construction period, appointed a project director and commenced the procurement process for a construction contractor.

The department’s divestment strategy resulted in the sale of the former chanceries in Jakarta and Bangkok, and the former Head of Mission residence in Bangkok. The proceeds will help fund construction of the new Washington embassy.

Under our multi-year strategy to modernise and improve the overall condition of the Pacific portfolio, we delivered an annex to the Port Moresby chancery and completed the chancery in Lae. We are currently refurbishing the chancery in Honiara and staff residences in Port Vila.

Safety risks are inherent in building and managing a global property portfolio. We have used former construction projects in Bangkok and Jakarta as a template for managing onsite safety. The new embassy in Bangkok, completed in July, accrued 6.6 million hours of labour during construction, with a lost time injury frequency rate (LTIFR¹) of 0.79 against an industry standard of 5.6. The Nairobi project accrued 1,053,000 hours of labour with an LTIFR of 2.8, by the end of June, utilising work health and safety provisions coupled with onsite security measures exceeding standard local practices.

Maintaining the estate

An effective property maintenance program is critical to assuring the safety of staff and the public. In 2017–18 global property manager Jones Lang LaSalle delivered a $38.44 million annual repair and maintenance program, which included a $553,146 work health and safety compliance program, and $3.43 million to respond to more than 20,000 reactive maintenance work orders for services across the overseas and domestic estates.

New approaches and efficiencies

Through our renewable energy strategy, we are reducing operating costs and improving power reliability by bringing solar and energy storage technologies to posts. We completed the first trial in Amman with the installation of 532 solar panels on the chancery and car park roofs. The system—the first of its kind at a diplomatic mission in Jordan—will generate significant savings and potentially recoup the cost of the capital investment in two years. Work is underway to implement the strategy in other locations.

Australia’s Ambassador to Estonia, Kerin Ayyalaraju, in Tallinn [Estonia MFA/Ms Annika Haas]

Risk management

After London’s Grenfell Tower fire, the department assessed our Commonwealth properties for fire risk stemming from facade cladding used in construction or subsequent refurbishments. Posts worked with local property managers to identify the use and type of cladding in leased residential buildings. The review identified 21 buildings in the owned and leased estates that required attention. We are preparing detailed risk assessments for these to determine the best course of action.

To address indoor air quality issues at some overseas posts, we initiated reviews in Beijing, Cairo, Hanoi and New Delhi. Air pollution management plans developed for each location will reduce exposure by improving indoor air quality. The aim is to maintain an air quality level in line with the World Health Organization standard.

Diplomatic mailroom services

The diplomatic mailroom delivered 525 tonnes of unclassified material via 26,000 global freight shipments. The Australian Diplomatic Courier (Safehand) Service also delivered 33 tonnes of classified material to Australian diplomatic posts. Orima Research’s survey of performance of DHL, which manages the unclassified mailroom and airfreight services, showed an overall customer satisfaction rating of 93 per cent.

Results

Deliver outcome: Deliver a new Security Policy Framework

The Secretary launched the Security Policy Framework during the year as part of the department’s inaugural Security Week activities. It moves the department towards a more explicit risk management approach to security and provides flexibility to respond to the changing threat environment, particularly overseas. It ensures consistency with the revised Australian Government Protective Security Policy Framework.

The framework includes an assurance policy stream, which outlines reporting, investigations, inspections, breaches and management of security incidents. It strengthens planning with a revised annual security report, mandating overseas posts to report on key risks rather than compliance. The framework also requires posts to develop a security plan and submit an annual security risk assessment, and mandates annual checks of post security features.

We improved information management and transparency by designing an online portal for post security officers to house their security risk assessments and reports. The framework is prominent on the departmental intranet and easily accessible for all staff.

We revised security training to ensure outgoing post security officers were familiar with the framework and able to apply security risk management tools.

The department will measure the framework’s effectiveness through a formal survey in March 2019 and conduct an audit in 2018–19.

Review: Organisational security culture

Improving our security culture was a key focus for the department in 2017–18.

We launched a major new initiative—Security Week—to help staff understand the risks facing the department, and used a range of interactive exhibitions, events and activities to promote security awareness. Fifty-five posts held their own security-themed activities. There were over 75 nominations for the department’s inaugural Security Awards, recognising excellence in security practices at work.

In Canberra, more than 130 staff participated in an ‘escape room’ exercise to build security awareness, particularly around information. Staff demonstrated their security engagement through online feedback walls, which facilitate comments and input.

The department developed a number of security awareness campaigns during 2017–18, based on information gathered through the May 2017 Security Culture Survey. These campaigns are helping to reduce breaches and security incidents, and increase contact reports.

Topics ranged from mobile phone policy, information security and personal security tips for officers and families posted overseas. We developed staff surveys in 2018 to test engagement and evaluate the effectiveness of these campaigns. The first of these surveys on mobile phones showed encouraging levels of engagement with our security materials. All survey respondents showed they were aware of the department’s restriction on the use of mobile phones in certain work areas. They also welcomed the department’s instant messaging web application—available on desktops—which facilitates more effective and efficient communication between staff at post, particularly during ministerial visits.

Over the year, there was a significant increase of 108 per cent in views of the department’s security intranet pages.

Review: Implementation of recommendations of the 2015 Ritchie Review and Australian National Audit Office Audit on Protecting Australian Missions and Staff Overseas (ANAO Report No.5 2017–18)

In response to the ANAO report into Protecting Australian Missions and Staff Overseas (ANAO Report No.5 2017–2018) and the earlier internal Ritchie Review from 2015, we developed a project to implement the report’s recommendations. We also incorporated further recommendations from a follow-up inquiry by the Parliamentary Joint Committee of Public Accounts and Audit (JCPAA) into the project.

The department implemented all 27 recommendations from the 2015 Ritchie Review by 30 June along with a number of governance and capability requirements.

The recommendations focused on improving strategic planning, coordinating security measures overseas—including through better record keeping and consistency of risk assessments, staff training and inspection arrangements.

We completed six of the nine ANAO audit recommendations by 30 June. The remaining three require longer-term remediation, especially around ICT systems.

We accepted the JCPAA inquiry report recommendations. The department will provide a formal response by the November 2018 deadline.

The department continued to monitor progress in implementing these recommendations through the Departmental Security Committee, Audit and Risk Committee and the executive.

Review: High-quality advice, effective mitigation strategies and timely responses to international security incidents

During the year we improved the quality of our advice and mitigation strategies. We responded to the Australian National Audit Office report into Protecting Australian Missions and Staff Overseas (ANAO Report No.5 2017–2018), by undertaking a comprehensive review of threat and risk assessments for all overseas missions. Work is underway to review and submit risk assessments in line with updated guidelines. Expected completion date is the end of 2018. A new online collaboration site, built in June 2018, will house key threat and risk reports on overseas missions, and facilitate communication and oversight between posts and Canberra. The portal allows greater access to security information across the network and supports good record management.

The team provided support to posts where there were rapid changes in security requirements, such as Bangladesh and Nigeria. Security staff visited the sites to review requirements and implement mitigation strategies to reduce risks to staff. We also conducted threat and risk assessments for planned new posts, including Funafuti and Kolkata, as part of the whole-of-department planning process. These assessments informed the risk mitigations required.

The department’s network of overseas regional security advisers provides immediate advice and assistance in the overseas context. During 2018 we expanded the network’s coverage so more overseas missions could access in-region support. We also began developing a learning pathway to enhance the skills and experience of Canberra-based security advisers before they travel overseas.

Review: Implementation of the Business Technology Strategy 2017–2019

Through the Business Technology Strategy we seek to align ICT capabilities with our current and emerging business requirements. Consultation with divisions, posts and partner agencies identified those that offer the highest strategic value to the department.

The strategy focuses on three essential goals:

• protect and enhance business continuity
• improve the quality of ICT service delivery
• develop a greater level of flexibility and agility when responding to requests for ICT services.

The department progressed implementation in 2017–18, including:

• commissioning two new data centres to mitigate key business continuity risks
• completing integrated communications networks to ensure greater resilience and security of the network, and to refresh ICT assets
• establishing a multi-year cyber security exercise program with Australian Government agencies and the New Zealand Ministry of Foreign Affairs and Trade to test the rigour of our cyber security maturity.

We also made progress on the Australian Signals Directorate’s Essential Eight mitigation strategies, which has enhanced our capacity to detect and prevent attempts to compromise our information systems.

Review: Results of the annual client services satisfaction surveys for the outsourced service provider (Jones Lang LaSalle) and the Overseas Property Office

ORIMA Research undertook an annual client services satisfaction survey of the Overseas Property Office and service provider Jones Lang LaSalle during the year. The 2018 survey indicated an overall increase in the level of satisfaction with the Overseas Property Office’s performance (92%), however overall satisfaction declined slightly on property services (77%).

The Overseas Property Office is working with Jones Lang LaSalle to improve the client service experience across the domestic and overseas estates. This includes new governance and project management structures and greater communication with tenants.

Report: Asset management plans are in place for all owned properties in the estate

Asset management plans are in place for all properties across the overseas estate. The department reviewed these plans according to a schedule of property inspections, as part of our strategic approach to managing the property portfolio.

Deliver outcome: The construction and refurbishment of departmental overseas property is completed within agreed timeframes and budgets. Complete the design phase of the new chancery in Washington by 2017–18

Architects completed the interim chancery design in March with construction scheduled to commence in October. The final sketch design for the permanent chancery was completed in May but completion of construction documentation was revised outward from June 2018 to December 2018.

Involving contractors and industry early in the process necessitated extending the design program, but their early engagement was crucial to identifying any construction or coordination issues. It also improves design quality and creates opportunities for innovation in delivering aspects of the construction. The revised completion date for construction documentation has no impact on the overall program and supports design within budget.

Audit: Compliance of the global network and its business systems with the Australian Signals Directorate’s cyber mitigation strategies

Under the oversight of the Departmental Security Committee, a dedicated branch managed all ICT risk and cyber security operations and completed significant work to comply with the Australian Signals Directorate’s mandatory Top Four strategies.

To test our cyber security resilience we led a multi-agency exercise to ensure business continuity, governance and reporting processes were sound. We enhanced our cyber capability with ongoing investment including through the rollout of the ICN.

Report: An accessible and reliable secure cable network

The department worked to continually improve the cable network. Operational teams in Canberra monitored and supported the network on a 24/7 basis. Regional information and technical officers undertook preventative maintenance and emergency repair visits to posts and provided secure communications facilities to travelling portfolio ministers.

The department provided access to the cable network to all partner agencies under the ICT MoU.

Review: Government agencies at overseas missions are satisfied with service provided

We improved support services to government agencies at overseas missions through various initiatives, including implementing:

• the revised service level arrangements
• a security services MoU
• an ICT MoU.

The new arrangements have improved financial, office, human resources, property and fleet management services to 27 government departments and agencies. They improve ease of use and understanding, transparency of processes, and provide clarity on agency obligations and our performance indicators. Mandated quarterly governance meetings in each overseas location enable issues to be resolved and ensure high-level satisfaction.

Over the year we increased security outreach and support to overseas missions. In June we implemented a revised security services MoU. The new arrangement reflects current security policy and procedures outlined in our security framework and codifies the responsibilities of the department and other government agencies in meeting security requirements overseas. This ensures our security services are clearly articulated and allows other government agencies to manage risk for their deployed staff. For the first time ever, all participating agencies endorsed the MoU, confirming they are satisfied with our service delivery.

The revised ICT MoU ensures efficient delivery of ICT services to more than 30 partner agencies. Central to this service was completing the ICN project, which delivers better ICT infrastructure and telecommunication services to 174 sites in Australia and overseas. The project has also strengthened our ability to secure government information from potential cyber threats. The November satisfaction survey by Australia Online Research demonstrated a high satisfaction rate from all users.

Agencies provided positive feedback at the quarterly Global Service Delivery Board and working group meetings with no significant issues reported or escalated.