Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Standing Committee on Public Works
Fit-out and relocation of the Australian Cyber Security Centre, Canberra

BEUTEL, Brigadier Noel, Director-General, Capital Facilities and Infrastructure, Department of Defence

COLLINS, Mr Chris, General Manager, RPS Project Management

MAPLETOFT, Mr Jim, Director, Facilities and Data Centre Services, Department of Defence

REES, Mr Alun, Project Director, Australian Cyber Security Centre 2.0, Department of Defence

SCOTTON, Mr Michael, Assistant Secretary, Cyber Security, Department of Defence

Committee met at 13:32

ACTING CHAIR ( Senator Smith ): I declare open this public hearing of the Parliamentary Standing Committee on Public Works into the proposed relocation and fitout of the Australian Cyber Security Centre. I welcome representatives of the Department of Defence. Although the committee does not require you to give evidence under oath, I should advise you that these hearings are formal proceedings of the parliament. Consequently, they warrant the same respect as proceedings of the parliament itself. Giving false or misleading evidence is a serious matter and may be regarded as contempt of parliament. Do you have any comments to make on the capacity in which you appear?

Brig. Beutel : I am the Defence lead witness for today's hearings.

ACTING CHAIR: Brigadier, would you care to make some brief introductory remarks before we proceed to questions?

Brig. Beutel : Yes. This proposal seeks parliamentary approval for the fitout and relocation of the Australian Cyber Security Centre to commercially leased facilities at Brindabella Park, Canberra, following the relocation of the centre from its current location in the Department-of-Finance-managed Ben Chifley Building.

The Australian Cyber Security Centre is an important Australian government initiative to ensure that Australian networks are amongst the hardest in the world to compromise. The centre brings together the elements of a number of existing cybersecurity capabilities from Defence, the Australian Security Intelligence Organisation, the Australian Federal Police, the Computer Emergency Response Team and the Australian Criminal Intelligence Commission. These organisations are being brought together in order to enable a more-complete understanding of sophisticated cyberthreats, as have been described in the Australian Cyber Security Centre 2016 threat report, to facilitate faster and more-effective responses to significant cyberincidents and to foster better interaction. The centre is also a hub for greater collaboration and information sharing with the private sector, state and territory governments, academia and international partners to combat the full range of cyberthreats. Critically, the centre plays a vital role in the operationalisation of Australia's cybersecurity strategy, and is one of 13 priority actions identified in the strategy. The office of the Prime Minister has endorsed the relocation of the centre from its current location at the Ben Chifley Building to fit-for-purpose facilities that better address the key functional requirements for expansion, flexibility and collaboration.

As such, the objectives of this proposal are to provide office accommodation facilities to accommodate up to 700 personnel; to provide appropriate security zoning to accommodate staff at various security clearances; and to provide an environment to support partnerships with industry, academia and other innovation initiatives.

The total government-approved budget for this proposal is $38.8 million, which includes both development and estimated delivery costs. Subject to parliamentary approval, works are planned to commence in late March 2017 to achieve an initial operating capability at Brindabella Park by June 2017, with the completion of all works and the achievement of a final operating capability at Brindabella Park no later than December 2017. That concludes Defence's opening statement. The Defence witnesses stand ready for any questions.

Senator GALLACHER: Given that you have only been in your current facilities for two years, and there was obviously public expense to move into those facilities, can you put onto the public record the need to move and whether there is any loss to the Commonwealth from vacating your current premises?

Brig. Beutel : I will provide some high-level comments and then maybe Mr Scotton can provide some further detail. When the decision was taken to establish the Australian Cyber Security Centre and to locate it in the then newly completed Ben Chifley Building, the Cyber Security Centre at that stage was based on approximately 300 people, and the space made available for the Cyber Security Centre in the Ben Chifley Building at that time was based on 300 people. Since that time, with the release of the Cyber Security Strategy and also other growth initiatives within the Defence White Paper 2016, the Australian Cyber Security Centre will grow to approximately 700 personnel over the next few years. That growth requirement is the key driver for why a larger premises is required.

In addition to the growth, there is also the issue that the Ben Chifley Building is at the higher security classifications. That makes it extremely difficult, if not impossible, for people without those higher security classifications, to get into the Ben Chifley Building. That actually provides limitations to the Cyber Security Centre in relation to their potential interactions with other agencies that make up the Cyber Security Centre and, more importantly, people from industry and academia who may not hold those high-level security classifications.

Senator GALLACHER: And the space you leave behind?

Brig. Beutel : I am advised that there is also growth in ASIO, so the space left by the 300 people from the Cyber Security Centre will be filled by the Australian Security and intelligence Organisation. So there is no waste. Those facilities will not be left vacant. They will be used. The cost that we put into the fit-out of the Ben Chifley Building to support the Cyber Security Centre two years ago are sunk costs, but they are not wasted costs, because those facilities will be reused. Do you have anything to add, Mr Scotton?

Mr Scotton : I think Noel has covered it very well. The only other thing I would mention that is the nature of the work done at the centre does not always require that top-secret level of classification. By comparison, for instance, our partners in the UK have recently established a National Cyber Security Centre in London which operates primarily at the unclassified level. What we are doing is very much in keeping with that.

Senator GALLACHER: The obvious question is, couldn't you have foreseen this two years ago?

Mr Scotton : I do not think we could have foreseen the government's decision to invest so much in cybersecurity and provide the level of growth that they have done over the next four years.

Senator GALLACHER: Fair enough. Going out to Brindabella, are there any incentives on offer there for value for money for the taxpayer?

Brig. Beutel : For this particular centre, in relation to the proposed fit-out that is under consideration by the committee, there are no incentives as part of this deal in relation to the fit-out costs. Within the Department of Defence, as you are aware, there are a number of other leased facilities for other Defence agencies and there are certain incentives within Defence for other leased facilities at Brindabella Park. However, no incentives are being used as part of this cost.

Senator GALLACHER: A part of the whole-of-government approach to be Brindabella Park is that some areas are getting incentives, but this particular project is not?

Brig. Beutel : Correct.

Senator GALLACHER: It is at the high end of our expectations in terms of the fit-out, if we have parameters of $1,200 to $1,800 per square metre Can you walk us through the reasons for that or place them on the public record?

Brig. Beutel : I can, but I would ask, in relation to commercial-in-confidence, noting that we have not at the moment—

Senator GALLACHER: You can put the need on the public record. You do not have to put the value on record.

Brig. Beutel : I am more than happy to provide committee with those details in the in camera hearing.

Mr Collins : Not talking about square metre rates, more about the requirements?

Senator GALLACHER: The build-up—the need for extra security that contributes to the higher costs. Not the costs.

Mr Collins : In terms of the contribution to the higher costs, it is considerably between two major areas, which are security works and communication works. The security works are primarily due to the additional physical security, typically for zones 3, 4 and 5, against the PSPF.

Brig. Beutel : Could you explain zones 3, 4 and 5 and PSPF for the committee?

Mr Collins : Zones 3, 4 and 5 are to do with the Protective Security Policy Framework. Zone 3 typically aligns with protected, zone 4 with secret and zone 5 with top secret. One of our buildings is going to be accredited for zone 5 capability. It will be on the higher end of costs and it will contribute to a significant amount to our cost estimates. In terms of the communications services, the communications cabling, predominantly the passive cabling—given the amount of networks and the number of agencies in here which operate different networks and potentially different types of networks, a combination of different cabling will have to be installed at each workstation to allow flexibility for the ACSC to move its staff around to allow for that collaboration between all the different agencies and the different zones and classifications.

Senator GALLACHER: Have you had a security assessment that this is a good place to be for a cybersecurity centre, and we cannot all get shut down from banking or mobile phones taking you out overnight? You are moving out of the ASIO building—presumably that is secure?

Brig. Beutel : I am advised that a security risk assessment has been undertaken. Mr Rees may be able to provide some further detail on that. I would also note, though, that we are talking about security and mitigation measures. As a former senior ADF officer for Brindabella Park, I would note that there are standard security management plans in place that are practised quite regularly. That ties in with the overall Canberra Airport group emergency management plan. Mr Rees may be able to provide some more detail about the security assessments that were undertaken.

Mr Rees : The security assessments have identified that there is no identified risk to the cyber centre. As such, it is compared to a standard Defence commercial facility, which the precinct currently is. The requirements for Defence facilities are that once we identify that there is a current threat within the area, to the facility and also the surrounding facilities, various security measures will then be enacted. However, they are kept as reserve, in case those kinds of issues arise. However, at this point there is no identified security threat to the Australian Cyber Security Centre going to the Brindabella Park precinct.

Brig. Beutel : There will be layered levels of security in Defence with the buildings as part of that. I do not want the committee to get the impression that with the high level of security in the Ben Chifley Building we do not have the appropriate security measures in place for our equivalent top-secret spaces. Again, it is a layered approach because of the different security areas that are required to get that better collaboration, particularly with industry and academia.

Senator GALLACHER: So you are saying that the security assessment is based on the fact that there is no threat to the organisation. Is the geography around there safe and dependable?

Mr Rees : The threat assessment assesses the site, the precinct and any identified threats that have come through either as a result of security assessments or by identifying them within the public arena. There has been nothing identified.

Brig. Beutel : I can confirm that as well, having only just recently handed over the responsibilities for the senior Australian Defence Force officer. Again, our security plans are not based on any recognised threat. That said, we do have procedures in place where if a threat is identified or a threat risk is escalated then, as Alun was saying, we have mechanisms to raise our security awareness. But at the moment there are thousands of Defence Force personnel, including me, who still work out there and go about our daily business out there in uniform without any other precautions in place. That is based on the current risk assessment.

Senator GALLACHER: If you are in a very secure, top-secret facility and you move over there I would not want to see the ability to be shut down easily by someone making a threat or you going out there and all of a sudden the cybersecurity division does not operate. You have accounted for all of that, anyway; is that what you are saying?

Mr Rees : It is in the threat assessment, yes.

Brig. Beutel : The threat assessment is not a once-off. It is an ongoing activity. Daily security risks and threats are advised through various means within Defence. If actions are required to be taken then they are taken.

Mr COLEMAN: Obviously this is driven by the need to house a lot more staff because you are going from 260 to 650. It is a very, very large increase. Can you talk us through why that increase is required and, broadly, what those people are going to be doing.

Brig. Beutel : I can give you a quick breakdown of the numbers that make up the 700, and then I think Mr Scotton would be far better placed to describe their actual activities.

ACTING CHAIR: To add to that, Brigadier, where does the seven per cent growth figure that is identified in the submission come from?

Brig. Beutel : The actual approved establishment for the Australian Cyber Security Centre is 300 personnel. At the moment, Michael has only 260 personnel working for him. But that covers the 300 that we have at the moment. There is also at the moment approximately 100 personnel located in other facilities. So there are people coming in from other agencies. The anticipated growth based on the cyber security and defence white paper, which is where the figure comes from, is 200 personnel. We have rounded these figures up. Industry academia internships or graduate programs account for 100. So the 300 existing personnel, the 100 who are already existing but located elsewhere plus the 200 for the anticipated growth plus the 100 for industry academia gives us a total of 700 personnel.

Mr COLEMAN: How long will that whole process take? I guess when you move in you will have the space for the 700, but presumably you will not have the 700 people straightaway.

Brig. Beutel : That is correct. My understanding is that there is a two-year—

Mr Scotton : It is a four-year time frame.

Mr COLEMAN: So when you move in at the start of next year it will be more like 300 or 400?

Mr Scotton : Not completely. At the moment, because we operate in this high-security environment, a number of organisations, such as the Computer Emergency Response Team, the Australian Federal Police and the Australian Criminal Intelligence Commission, do not have a lot of cleared staff at that high level of classification. So they will be able to relocate staff who work elsewhere into the new facility at that lower level.

Mr COLEMAN: What happens with those 100 people you have elsewhere? Does that achieve any savings for those facilities in terms of leases or anything like that? Or will they still lease the same amount of space for fewer people?

Mr Scotton : I could not speak on behalf of any other agencies involved. Each of those agencies I just mentioned has also identified staff growth under the Cyber Security Strategy so they will be recruiting additional people as well.

Mr COLEMAN: Just to be clear: there are 260 people now who are in the city and there are 100 people who are elsewhere who are part of the centre. Are they part of the centre now or not?

Mr Scotton : They perform work on behalf of the centre; they just are not physically located there.

Mr COLEMAN: Okay. So they are all going to go to the new facility when it opens—

Mr Scotton : Yes.

Mr COLEMAN: and therefore come out of wherever it is they are now, and you are not sure whether or not there are any savings for government in them—

Mr Scotton : They are spread across four different organisations.

Mr COLEMAN: Yes, but you do not know.

Mr Scotton : I can't.

Mr Rees : Mr Coleman, in my discussions with the agencies in looking at how we are going to stage them moving from those sites, they have identified already where those people are coming from. They want them out as soon as possible so that they can reallocate that to staff that are already there, or in areas that they want to recruit and expand into. So it is not just cyber that the expansion is happening; it is happening in other areas within the various agencies. They need that space to then re-use for that purpose.

Mr COLEMAN: Because it would be fair to say that agencies in this space, broadly, are probably growing faster than the public sector as a whole.

Brig. Beutel : Perhaps, there is just one point that I would make—and Mr Rees may be able to confirm: when we are talking of 100 personnel across these other agencies, which are other large agencies, I cannot give you an exact percentage but I would assume that it is a very low percentage of the total numbers across all those—

Mr COLEMAN: Sure. If it is 100 people, you need to redevelop for the 100 people. One of the benefits, obviously, as I understand it, is its capacity. The fact that it is not top secret and, therefore, there is the—

Brig. Beutel : There are levels that will be at the highest level.

Mr COLEMAN: Sorry—the entire building is not and, therefore, there is—

Brig. Beutel : No.

Mr COLEMAN: For me as a layperson, it almost sounds a bit counterintuitive in the sense that you want this to be. So can you just elaborate on that a bit more? I think what you are saying is that, whilst there is a nucleus of this which is very much top secret, it is also important to be able to interact with other groups. Is that right?

Mr Scotton : If we are talking about the cyber security and the role, in particular, that ASD plays, we are concerned with the security of Australian government networks, most of which are connected to the internet. Most of the threats to those networks come via the internet. A lot of the work we do in that space does not require that—we are not working at a highest level of classification. We are working with internet connected systems; the data they contain are not necessarily top secret. We also perform a range of other services, like the development of policy, the certification of cloud services, evaluating security products. Most of those activities do not require that level of classification. To some extent, the reason that has happened to date is because as a part of ASD we have always lived in a top-secret organisation. But the cyber security mission, as it has evolved over the last decade, increasingly large proportions of that work do not require that level of protection.

Mr COLEMAN: And you are talking about things like visiting academics and businesses and various entities that might come to the centre and collaborate on individual projects. Is that how it works?

Mr Scotton : Indeed. At the moment, there are many industries that provide very similar types of services as what ASD provides. Increasingly, we are finding ourselves having to work with industry around those services. So whether ASD undertakes a certain activity or whether it is done by a commercial provider under our guidance, that is one way that we are managing to leverage industry to meet the demand for cyber security services.

Mr COLEMAN: And just in terms of any community feedback that you have had or any comments from the public about this proposal—

Brig. Beutel : We undertook—in accordance with most of our Defence procedures—community consultation, and the outcomes of that have been advised formally to the committee. So written correspondence, providing information on the brief and offering briefings were provided to the local ACT government. In this case, we also wrote to the senators within the ACT, because it being a smaller territory. We normally would not do that for our other projects. And I think we provided one briefing, just recently, for Senator Seselja. No issues were raised there.

We also undertook a public information centre out at Brindabella Park in mid-December. We can get you the exact dates for that; it is in the letter provided. No-one showed up to that community information session. At the moment there have been no risks or issues identified in relation to this proposal.

Mr COLEMAN: On Senator Gallacher's comments about the cost of metreage and the break-up between the contribution of high security versus regular office space, I think that is something we should explore. But, as I understand it, we are going to do that later. So we look forward to that.

Brig. Beutel : We will be able to do that, Mr Coleman, in the in-camera hearing.

Senator GALLACHER: Can I just ask one question on Mr Coleman's question? Is there expertise that you are missing out on which does not need a security clearance? Are there hackers out there you can study or use? Can you stress their stuff? Is it like a movie—are you going to bring in people to try to break a few systems for practice? Is that what you do?

Mr Scotton : I would not put it like that; in fact, all the staff that ASD will recruit will still go through a security clearance process. At the moment, one of our big issues for recruitment is that to go through that process can be quite lengthy and the demand for specialists with those skills is so great. Many of them are not prepared to wait to get a security clearance. So having a space where they can perform work at a lower level of classification is going to help with our task of recruiting and meeting those growth targets.

Brig. Beutel : I think it may be important to note here that we are proposing to phase the build-up of capability at Brindabella Park from an initial operating capability proposed, subject to parliamentary approval in March, by June 2017, and then a final operating capability in December 2017. We are looking at an IOC and a focus on just the unclassified areas—Mr Scotton can correct me if I am wrong—is because of a lack in the capability at the moment and what is not achievable at the moment because of the security aspects are in the Ben Chifley Building. So that drives why we have staged the development of the operational capability.

CHAIR: Or, to put it another way, in order to increase the capability of the Australian Signals Directorate you need to have a mechanism so that you can recruit people and they can then participate in the ASD without the top secret classification whilst they go through the necessary processes to get that classification. That is currently absent at the moment because the Ben Chifley Building only allows top security access. Is that a correct summation?

Mr Scotton : Yes.

CHAIR: The government is committed to trying to consolidate its office space, not just around Canberra but in other capital cities. We previously heard that the old ASIO building in Russell had been examined as a possible site, but there were some significant costs involved in bringing that to a suitable level. Can you just speak briefly to that? What other sites around Canberra were explored in addition to the old ASIO building, if any?

Mr Mapletoft : The old ASIO building is also known as R9 in Russell. We did explore that as an option. There was a length assessment done on the state of the building. It was not a tick-and-flick exercise; it was a complete building survey, and a comprehensive report was issued.

CHAIR: Is that because that would have been your preferred option if it did come in at an equivalent or better cost scenario?

Mr Mapletoft : It was possibly not a preferred option for this particular requirement, as it would still be located in Russell, which does not necessarily support close proximity to ICT industry and the airport.

Brig. Beutel : I think it would have also been very difficult to try and compartmentalise R9 because, again, it was an ASIO building. To try to get separation such as we are proposing at Brindabella Park, where there are two separate buildings with that air gap, within that existing shell—to try to re-engineer that within the existing footprint and the structure of the building would have been extremely difficult, if not impossible.

Mr Mapletoft : Also, part of the assessment was driven by broader Defence. Outside of this particular project it was being examined as a potential option for other areas within the Defence department. That exercise determined that the building would require approximately $60 million of rework to the base building.

Brig. Beutel : So that is base building, before we even start to do the fit-out.

CHAIR: So $60 million compared to this $34 million project?

Mr Mapletoft : That is correct.

Brig. Beutel : Again, we can provide some purview, but the $60 million was just the base building works.

CHAIR: That is right; you said that.

Mr Mapletoft : It was simply a value-for-money exercise. You could spend $60 million on the building and wind up with a building that is still approximately 40 years old and was designed for another purpose, so it would still require additional investment on a suitable fit-out. By the time you have done a value-for-money assessment it does not stack up as a viable option. On your second point, on possible buildings, we had some considerations such as proximity to the rest of the Australian Signals Directorate to facilitate communications and movement between locations, so we tried to stay roughly locally in the neighbourhood, which led us to examine options at Majura Park, Brindabella Park, Fairbairn and Russell. Russell, with the exception of R9, is full. We have discussed R9. Majura Park was briefly considered but currently Defence does not have a presence there, to my knowledge, so they would be going to another location. Fairbairn we looked at, but there was not a suitable building that was large enough. So Brindabella Park was the ultimate consideration.

Senator GALLACHER: How old is Brindabella Park? How old is the building you are going into?

Brig. Beutel : BP1416 was built in 2003.

Senator GALLACHER: There is no issue with cables and all that sort of thing? It is fit for purpose?

Mr Mapletoft : The building is fit for purpose. In relation to cables, that is part of the fit-out work we will be delivering under this project.

Brig. Beutel : But there is no requirement for workplace health and safety upgrades in relation to this building. It is predominantly the fit-out for the office accommodation and the fit-out to support the operations of the centre, and also there are the security aspects of it and also the passive ICT.

Senator GALLACHER: Who was in it before?

Brig. Beutel : BP14 and 16?

Mr Scotton : Employment and Workplace Relations, I believe.

Brig. Beutel : It is currently vacant.

Senator GALLACHER: So you do not have to sweep it and check it for bugs or anything?

Mr Rees : As is par for the course on doing the security assessments on any building that is being repurposed, those will be done prior to the Commonwealth actively putting in ICT equipment and signing it off as fit for purpose.

Senator GALLACHER: Is that part of the cost in this project?

Brig. Beutel : Yes. For any of our high-security facilities, in addition to building certification we also do a security certification, a formal accreditation, of all those high-level facilities.

ACTING CHAIR: Mr Scotton, you mentioned the United Kingdom experience. What other lessons are we taking from the United Kingdom cybersecurity centre to inform this project or other elements of the government's cybersecurity framework?

Mr Scotton : We continue to engage closely with our UK partners. The centre itself was only stood up in October last year, so they are still very much in the early days. We stay in touch, but at the moment it is probably too early to draw any conclusions from that.

Senator GALLACHER: Who did you say the previous tenants were?

Mr Mapletoft : The Department of Employment and Workplace Relations.

Mr Collins : They moved out about four years ago.

Senator GALLACHER: So it has been vacant?

Mr Collins : Yes. For a long time.

Senator GALLACHER: And we did not get an incentive? Well, we did but it is not in this project.

Mr Collins : Yes.

ACTING CHAIR: Thank you very much. We will close the public hearing. Is there anything further you would like to add, Brigadier or other officials?

Brig. Beutel : No. Thank you very much, senators.

Committee adjourned at 14 : 03