Everyone has secrets. You don’t like Nana’s fruitcake but don’t want to tell her. That’s a secret, but it’s not classified SECRET (well, unless the fruitcake has illicit ingredients, not just dried fruit).
Yet from social media to pop culture, terms like ‘classified’, ‘secret’ and ‘top secret’ are thrown around with abandon. Often uninformed commentators, lobbyists and ideologues with little experience working in these environments purport to speak on these terms with authority. That’s unhelpful because information security, and clearances for information access, underpin the effective conduct of statecraft—especially when it involves intelligence matters.
In Australia, security classifications are applied to information based on the amount of damage it could cause if it was unlawfully disclosed.
What classifications mean and what security clearances are in an Australian government context is detailed in the foundational and constantly updated Protective Security Policy Framework (PSPF).
Compromise of information classified TOP SECRET would be expected to cause ‘exceptionally grave damage to the national interest, organisations or individuals’. (The leaking of Harry and Meghan’s plans for a TV project or new IOC rules for Olympic athletes? Not so much.)
National security agencies and the government haven’t always done enough to explain this to Australians. Proper use of these systems ensures national security. It’s important that the public understand the relative seriousness.
There are three levels of security classification used in Australia: PROTECTED, SECRET and TOP SECRET.
Protected information can be accessed with a minimum ‘baseline’ clearance. But such information does require some restrictions on how it’s stored, communicated and used. Formally, it is information the compromise of which would be expected to cause ‘damage to the national interest, organisations or individuals’. Compromising secret information could cause ‘serious damage’, and top secret ‘exceptionally grave damage’. Similar language is used by other governments in their definitions of classification levels.
The ‘exceptionally grave damage’ threshold is a high bar and should give pause. Examples in the PSPF include ‘significantly affecting the operational effectiveness, security or intelligence operations of Australian or allied forces’, ‘directly provoking international conflict or causing exceptionally grave damage to relations with friendly countries’ and ‘widespread loss of life’.
Some classifications, such as RESTRICTED, HIGHLY PROTECTED and CONFIDENTIAL, are no longer used and are now found only in historical documents. In addition, there’s OFFICIAL, a protective marking used for government documents but not strictly a security classification since it doesn’t require a clearance for access.
Agencies determining classifications are obliged to set them at the ‘lowest reasonable level’, and the PSPF outlines potential downsides of overclassification.
Accessing material classified as PROTECTED and above requires a security clearance, of which there are four types: baseline; NV1 (negative vetting 1), aka a secret clearance; NV2 (negative vetting 2), top secret; and PV (positive vetting), the highest clearance.
The Australian Government Security Vetting Authority (AGSVA) in the Department of Defence undertakes the bulk of security clearance work. However, important changes are happening with the creation of a new vetting authority within the Australian Security Intelligence Organisation responsible for all PV clearances—rebadged as TOP SECRET—Privileged Access.
That change reflects Australia’s heightened security and counterintelligence concerns and is being implemented through legislation recently reviewed by the Parliamentary Joint Committee on Intelligence and Security. The new arrangements also reflect the difference between NV2 and PV clearances, which both provide access to top secret information. A crude but useful analogy: an NV2 lets you eat sausages, but a PV also lets you see how sausages are made (be involved in discussions about sausage-making techniques, have access to a sausage warehouse, and so on).
Before this, PV clearances were issued by a small number of ‘authorised agencies’ and AGSVA. AGSVA, and those authorised agencies, will continue to be responsible for non-PV clearances.
ASIO’s new responsibility is not unusual—security agencies in Canada and New Zealand, for example, perform comprehensive vetting roles for their countries’ public services.
Centralised vetting has significant potential benefits, particularly for increasing efficiency and effectiveness, but a principal challenge is effectively integrating clearance management by a central agency with ongoing personnel security management by individual employers.
Clearances are important because they govern access. To read (or just to have access to) a classified report requires a commensurate minimum level of clearance. But information is not always in the form of a report. Access might involve a whole system or a particular store of information. It might involve being part of sensitive discussions and planning. Or it might mean physical access to a particular kind of classified space. Therefore, the type of access and the type of information might have practical implications for employment in a specific role or even by a particular agency.
Obtaining a clearance involves escalating levels of intrusiveness and obligations on the candidate, which can last a lifetime. The vetting process necessarily involves significant personal imposts, especially on an individual’s privacy. It involves multiple steps, noting that in this context a police check is a step, not a clearance. This is also why specific accountability and whistleblowing mechanisms are instituted for clearance holders, such as the role played by the Office of the Inspector-General of Intelligence and Security in relation to intelligence officials. Furthermore, access to privileged information, per a PV clearance, flips the burden of proof from ‘why shouldn’t this person have a clearance’ to (as it says, positively) ‘why should this person have a clearance’.
Clearances have time limits and need to be periodically reviewed and re-adjudicated—in the lingo, ‘revalidated’. PV clearances, for example, are reviewed at least every seven years.
For all their necessity, security clearances are also a significant challenge for organisations. They can complicate engagement of staff, particularly when organisations are trying to develop capabilities quickly.
Access to information isn’t limited only by classification and clearance level. Code words are added to classifications as caveats to further limit access to those who have also been briefed into (and retain) a particular compartment of knowledge—‘sensitive compartmented information’ in US parlance—because they need to know (NTK) that information to perform their duties. As such, a clearance is just the first step in the process of accessing information. Simply having a requisite clearance doesn’t give someone a right to access, or ownership over, classified information. In addition, there are ‘special handling instructions’ (most notably for cabinet materials) and ‘information management markers’ (such as for legally privileged information).
Finally, there is ‘releasability’. Nationality in the 21st century might be a contested concept in op-ed pages or on Twitter, but in the national security arena nationality via citizenship remains inviolable. Releasability controls which nationals can access what information.
This kind of limitation is universal to all governments. It just happens that certain intelligence communities have mature intelligence-sharing regimens, such as within the Five Eyes intelligence alliance or NATO, as well as bilateral ones, that make releasability relevant. Perhaps ironically, releasability markings are an indicator of the regularisation of sharing.
AUSTEO (Australian eyes only) material is limited to Australian citizens. The lesser-used AGAO (Australian government agencies only) extends access to seconded allied personnel. The US government has its own equivalent to AUSTEO—NOFORN (not releasable to foreign nationals).
In addition, there’s the concept of the need-to-know principle itself, which has been challenged in the post-9/11 era and even more recently by rival concepts like ‘responsibility to share’.
There is an important carveout. Security clearances aren’t required for certain officeholders, including members of parliament, ministers, judges, royal commissioners and the governor-general. This reflects their authority, derived from election or appointment. Nonetheless, similar forms of briefings are typically used, not for the purpose of formal access but to inform about sensitivities, appropriate handling or other matters.
So, when a news story identifies something as ‘top secret’, ask whether it’s actually referring to material classified TOP SECRET, which can be accessed only by people with an NV2 or PV security clearance. Or is it just some hitherto unknown piece of juicy gossip or a peccadillo someone is trying to hide?
Accuracy matters, and secrets still matter. Even in a global village, everyone wants to know everyone else’s business.