Serious shortcomings in government agencies’ work on preventing infiltration
Many central government agencies are at risk of infiltration by, for example, criminal organisations or foreign powers. The Swedish National Audit Office’s audit of three government agencies shows deficiencies in their work on counteracting and detecting infiltration.
In recent years, there have been numerous reports of infiltration in public sector activities. Infiltration may have consequences such as divulging information that benefits serious crime, information tampered with or destroyed, financial irregularities and disruptions in security-sensitive activities – all of which result in high costs for society.
The Swedish National Audit Office has therefore examined work to combat infiltration at three central government agencies – the Swedish Defence Materiel Administration (FMV), the Legal, Financial and Administrative Services Agency and the Swedish Prison and Probation Service. These agencies were selected because their activities are deemed to be at high risk of infiltration, and the consequences are potentially severe.
The overall conclusion is that their work on the whole is not effective. This includes both processes aimed at preventing and stopping infiltration as well as detecting ongoing infiltration. The shortcomings are sometimes so extensive that they risk exposing critical security gaps.
“Our assessment is that the audited agencies have not attached sufficient importance to security work, which has led to extensive security deficiencies that, at worst, could lead to severe consequences,” says Auditor General Christina Gellerbrant Hagberg.
Progress on protection against infiltration varies across the three agencies. FMV has come farthest, with coherent processes, traceability and links between protective security analysis and agency-wide risk management. The Swedish Prison and Probation Service has critical deficiencies that undermine both prevention and detection, although it has recently taken several steps in the right direction. The Legal, Financial and Administrative Services Agency conducts fragmented security work, with unclear procedures for incident logging and management.
The Swedish National Audit Office notes that the agencies’ follow-on security vetting of staff has not been sufficiently effective. For example, all too rarely are important sensitive questions asked (about employees’ personal finances, social exposure, threats, vulnerabilities and dependencies) to detect vulnerabilities.
“Follow-on security vetting meetings are often difficult conversations, because managers have to ask their employees sensitive questions. However, it is too late to do so once suspicions have arisen,” says Per Dackenberg, Project Leader for the audit.
Another vulnerability is uncertainty among employees – particularly at the Swedish Prison and Probation Service but also at the Swedish Defence Materiel Administration – concerning whistleblowing possibilities. There is thus a risk that signals picked up on by staff will not reach agency management.
Recommendations
The Swedish National Audit Office recommends that the audited government agencies:
- integrate employee security issues into regular procedures, to make them integral leadership components
- ensure that follow-on security vetting meetings for staff in a classified position are systematic and cover all relevant areas
- ensure that guidance materials for security vetting are based on the guidelines of the Swedish Security Service and the Swedish Armed Forces. However, ensure to develop and adapt the materials as far as possible based on the nature of the operations and staff tasks.
Infiltration
In this performance audit ‘infiltration’ is defined as activities that an insider performs for the purpose of divulging sensitive data or of destroying or tampering with information, reaping personal financial gain, or other disloyal conduct. This may include individuals seeking employment on behalf of illicit actors (individuals, organisations or people acting as agents of states), existing staff recruited by illicit actors or staff who do so on their own initiative.