ANNEX 4 - ABRIDGED IGIS REPORT— LT COL LANCE COLLINS
Report of inquiry into the loss of access by Dili users to an intelligence database in December 1999
Background
On 20 December 1999 several ADF intelligence officers attached to the INTERFET force in Dili, East Timor, lost access to a particular intelligence database hosted by the Defence Intelligence Organisation (DIO). That remained the case until the evening of 21 December 1999.
2. Following subsequent representations to the then Minister for Defence by one of these officers, Lieutenant Colonel Lance Collins, this issue was one of three matters inquired into by my predecessor, Mr Bill Blick PSM. Mr Blick reported in May 2003. On this issue he said, relying significantly on a report from DIO and five statutory declarations, that the loss of access appeared to result from technical problems rather than a deliberate policy decision by DIO.
3. In April 2004 the Chief of the Defence Force, General Peter Cosgrove AC MC, sent to me various papers associated with a redress of grievance by Lt Col Collins. I examined these and other available relevant papers, to consider whether Mr Blick's inquiry should be re-opened and whether there were any other issues which might be within my jurisdiction.
4. Under the Inspector-General of Intelligence and Security Act 1986 ('IGIS Act”) as it currently stands, the Inspector-General of Intelligence and Security can only conduct a formal inquiry into the activities of DIO at the request of the Minister for Defence.
5. In May 2004 I advised Senator the Hon Robert Hill, the Minister for Defence, that there was one issue only which he might consider should be the subject of a further inquiry. This was the loss of access to the particular database on 20 December 1999.
6. Senator Hill then requested me, pursuant to section 8(3)(a) of the IGIS Act, to inquire into how and why the loss of access occurred.
Approach taken
7. At my request the Department of Defence made available forensic IT expertise from the Defence Security Authority. The two officers who assisted me had no prior involvement in the events under examination and they brought a critical and unbiased perspective to the exercise. I should express my appreciation for the quality and thoroughness of their work.
8. The logs of relevant servers were restored and reviewed. Other components of the IT infrastructure relevant to the provision of access to that database were also examined. Additional e-mails of relevance were identified.
9. The two IT experts and I also spoke to and obtained information from a range of people. As the inquiry progressed I decided that the formal questioning powers in section 18 of the IGIS Act should be used. I therefore required 12 people to appear before me to compulsorily answer questions relevant to the matter under inquiry. Either an oath or an affirmation that the evidence they would give would be true, was administered. One key person was required to appear twice, and one person three times.
How access was denied
10. What is clear from my examination is that this particular denial of access to the relevant Dili users was indeed deliberate. It was not the result of technical failure or technical faults in any part of the system.
11. In the early afternoon (Australian Eastern Summer Time) of 20 December 1999 [a named person], gave a series of commands which disabled the access by the relevant Dili users to the database of concern to this inquiry. A more detailed technical account of this is attached. *
12. The IT records show that the total period in which the relevant Dili users were denied this means of accessing the database in question was approximately 26 hours.
13. I formally questioned [this person]. He has no recollection of the events [words deleted] but he agreed with my experts’ advice that the logs show the denial was deliberate. The expert advice to me was that the change was done by the quickest and easiest means of removing access for a particular group of users. The manner in which the denial was effected, and the state of the logs, do not indicate any attempt to be devious about, or to cover up, what was being done.
14. Two additional e-mails located during the inquiry also point to the denial being deliberate.
15. Furthermore, [another person—Mr A], has told me, on oath, that he instructed [the other person referred to in paragraphs 11 and 13 above] to remove the access.
Significance of the loss
16. It is important to note that we are talking about access to one specific database, not the general availability of intelligence to the users in Dili. The loss of access to the particular database of itself does not seem to have been a critical deficiency in operational terms. The database did not contain real-time intelligence or threat indicators and warning. Such operationally vital information was collected locally, or sent to the deployed forces via other means—Defence computer and communication systems, secure telephone, fax and e-mail—and was not affected by the short-term loss of access to the particular database.
17. Notwithstanding the above, one can readily understand the sensitivity of those in the field to any change, without consultation, in intelligence access arrangements.
18. In this instance, however, the issue was not what was done, but rather the means by which it was done and what was said about it afterwards.
Why the access was removed
19. [Mr A] said that on 20 December 1999 he went and spoke to the Director of DIO, with no third person being present. He asserted that the discussion was one in which the Director made a decision to cut the access of the relevant Dili users while security changes were made in the system to limit access to some categories of sensitive information. [Mr A] said that there was pressure that certain sources of sensitive information were likely to be cut offif security was not improved. He said that [another named person] was not present for this discussion, although in a later interview said that after giving [the person
20. I questioned him on whether the Director, in this alleged meeting, had properly understood that the relevant Dili users would lose access, but he still asserted it was probable that the Director had understood. I should note that [Mr A] made his disclosures early in the first interview, before any robust questioning. However, there are issues about the reliability of [Mr A’s] testimony which I will discuss later in this report.
21. The Director, DIO gave sworn testimony (key extracts at Attachment D) that he had not directed a cut in access and did not recall a meeting on 20 December 1999 with [Mr A]. He said that on the morning of 21 December 1999 he was told that technical problems were responsible for the loss of access. He said that he did not direct immediate restoration, while consideration was given to whether security limitations could be introduced quickly; on being told this was not possible, he directed restoration of access and this occurred later on 21 December 1999. He was confident that had he had a discussion on 20 December 1999 of the sort outlined by [Mr A], or even one which touched on Dili users, he would have recalled it the next morning in these discussions.
22. What the Director said was consistent with a statutory declaration he made on 10 January 2002:
'I did not, in December 1999 or at any other time, authorise a cut in the access of INTERFET forces to [the system] or [the database], nor was I then nor am I now aware of any decision by any other DIO officer to cut such access. Prior to discussions with [several named persons] on 21 December 1999 on this issue, I was not even aware that the INTERFET forces had [database] access. I was informed at those discussions that the cut was due to technical problems.”
23. I should note that access by the relevant Dili users to the particular database was not part of the formal intelligence support plan and that the actual access was facilitated by another area of Defence. Comment on the manner in which this was done is contained in a 7 May 2004 ministerial submission by the Department of Defence.
24. Which of [Mr A’s] or the Director's account—or a variation on either of them—is to be believed?
25. In order to form a view on this it is useful to look at what is in the contemporary written record. A set of 18 key e-mails and documents is attached. There are also the statutory declarations made to my predecessor in December 2001/January 2002 (Attachment M).
26. On 20 December 1999 there was an e-mail by a [non-DIO officer] to his (non-DIO) senior officers. It includes: [extract from e-mail text deleted].
27. I will discuss this e-mail further (and the testimony of [the sender of this e-mail and of another person]) later in this report, but should point out now that it [is relevant to Mr A’s account].
28. Also sent on 20 December 1999 was an e-mail by Lt Col Collins which objected to the loss of access and mentions he had been advised that it had occurred 'on the order of Director, DIO”.
29. On 21 December there were discussions between [several named people]. The allegation in paragraph 28 was in front of these [people]. There are no minutes of these discussions. However, [people] did make statutory declarations in December 2001/January 2002.
30. [One person] included in his declaration:
'In regard to LTCOL Collins’ specific concerns, I am not aware of any decision in DIO to turn off [the database] to the [system] in East Timor. At no time did I authorise a feed to be cut off nor am I aware that anyone else did. My clear understanding is that there was a technical problem which resulted in [the database] to Dili failing.
I am not certain of the exact nature of the technical problem. [the database] and the IT systems were [rest of sentence deleted].
[A meeting was organised]. At the meeting it was confirmed that the outage was technical. The problems of [the system] not being accredited to have [the database] on it were raised as well as how much Dili needed access to [the database]. A statement of requirement was sought from Dili.
31. [Another person] declared that:
With regard to [the database] support, I did not make any recommendation or decision to turn off [the database] support to the [system] terminal for CTF 645. Similarly, to the best of my knowledge there was no decision taken by DDIO to turn off [the database] support to the [system] terminal for CTF 645.
To the best of my recollection, refreshed to some extent by a perusal of filed emails and documents originated at the time, I was advised by the DIO IT staff that technical problems associated with security had caused [the database] to be not available to the deployed element… I recall that at about the same time, [a named person] noted that in the rush to get the deployable system established in Dili earlier that month, there had been no formal paperwork done to establish a business case for the deployed element to have access to this sensitive material. In anticipation of this becoming an issue (and the Christmas break imminent), [LTCOL Collins was asked] to provide some justification for a business case for the deployed element to have direct access'
32. [Yet another person] declared that:
'I have no recollection of any decision by me that CTF 645 should not have [the database] support through the [system]. The cut was, at least in part, a result of technical problems associated with the need to implement more stringent need-to-know access controls for [sensitive] material following the leaks of DIO analysis.
After DIO IT reported the [database] problem a decision was taken [that access] should not be restored immediately and that DIO IT should attempt to put in place controls required on [certain] reporting and should investigate whether or not only [certain] related reporting could be provided to the intelligence staff in Dili. I cannot recall the exact details of what was put in place or the exact nature of the technical fault, but we could not put in all of the restrictions we had hoped to. [Sentence deleted].”
33. On 21 December 1999 Lt Col Collins responded to [the] request for access justification, and included a comment: 'It is interesting that [a named person] reported that DDIO did not order the denial of intelligence. Some faceless bureaucrat assumed far too much.”
34. On that day [a named person] prepared a draft minute to Lt Col Collins which included:
'The purpose of this minute is to formally advise you that DDIO has agreed to the restoration of full [database] services to [the system] within CTF 645 provided certain conditions are met. While DDIO did not direct the removal of the [database] feed, he is concerned at the scope and level of reporting and assessment being produced by you and your staff on events that are outside the INTERFET area of operations.”
35. This minute was not sent. Instead the Director prepared his own minute on 22 December 1999 to Lt Col Collins, copied to Maj Gen Cosgrove. It included:
'Full [database] services to [the system] within CTF 645 have been restored. I did not direct the removal of the [database] feed, but I did authorise a short delay in its restoration until certain issues had been clarified—namely, access on a need-to-know basis and protection of the material accessed, and respective responsibilities for the production of intelligence. This minute outlines those issues.”
36. My inquiry also located another message sent early on 22 December 1999, from [one person] to another DIO staffmember. Apparently unaware that access had been restored on the evening of 21 December, this minute said:
'I have spoken to [a named person] on this matter. If there are no security implications with the [intelligence] staff having access to [the database] and they have found it to be valuable, I can’t see why it should be cut off . Apparently [Mr A] discovered they had access, went and spoke to DDIO and [the same named person] then cut it off .
37. Neither the [sender or the person to whom he had spoken]—when formally questioned by me—could recall the discussion alluded to in this minute. However, there is no reason to doubt that it records [the sender’s] genuine understanding at the time. Importantly, it does not state that the Director or [the person named in the e-mail] actually instructed that the access be cut; it is ambiguous in that regard. And I recognise that its hearsay nature means caution is warranted. However, it does provide some support for the view that there was at least one discussion of some sort involving DIO management on 20 December 1999 prior to the access cut.
38. [The named person in the e-mail referred to in paragraph 36], advised me in sworn testimony that he has no firm recollection of what occurred on 20 and 21 December 1999. This is somewhat frustrating given the positioning of [that person] in relation to these events. However, it is four and a half years since the events and after carefully questioning him twice, I must accept that there is nothing he can add beyond what is in his statutory declaration.
39. Upon request, the Director made available his hard copy diary from that time. I also had access to his electronic diary. The entries on 20 December 1999 do not include one referring to [Mr A]. This suggests that if there was indeed a discussion, the Director did not at the time consider it a particularly significant one. If this were the case, it is also quite likely that he would not recall it either two years later (for Mr Blick's inquiry), or four and a half years later (when queried by me).
40. [Two named people] were not able, when interviewed by me recently, to recall the events in a specific way which adds much to what is contained in their statutory declarations. Both could vaguely recall that there was some surprise on the morning of 21 December 1999 (when they met with the Director) that it had been alleged the access might have been cut deliberately. [Two sentences deleted].
41. There is arguably further support, at least in part, for the account in paragraph 19 by [Mr A] of a meeting on 20 December 1999 from [another named person]. [This other person] told me on oath that he could recall in a general way [Mr A] [words deleted] at sometime prior to Christmas and saying that the Director had ordered a cut in the access of Dili users. In the broad I accept his account.
42. This suggests [Mr A] may have thought he had been given such a direction, but it does not confirm that the Director had intended such an outcome. Equally, it does not support a hypothesis that [Mr A] acted unilaterally on 20 December 1999 and is now saying the Director was involved, to diminish his own responsibility for what occurred.
43. It was suggested to me that [Mr A] may have been covering up his actions right from the start (ie. in December 1999)—and by implication that this sort of comment was 'staged”—but I do not find that credible after reflecting upon the general views of others about [Mr A]. [One colleague of Mr A] commented that '[Mr A] was always very positive in supporting deployed elements”.
44. Nor do I think it is credible to suggest that there was some sort of a conspiracy in the IT area of DIO. The IT area was under pressure and security was an important issue, but it was also an area which 'routinely worked excessive hours in order to ensure the best possible support was provided”.
45. I think it is plausible that some sort of a discussion did occur on 20 December 1999 between the Director and [Mr A]. There is the contemporaneous record of the e-mail quoted in paragraph 36, and there is the account given by [a named person] (paragraph 41). But if it did occur what did such a discussion involve?
46. There are some strong reasons to not accept the detail proffered to me by [Mr A]. These flow from consideration of:
(a) the statutory declaration he made in December 2001,
(b) the account given of a meeting in December 2001 by [a named person] (an officer in DIO), and
(c) the e-mail sent on 20 December 1999 [words deleted] (already mentioned in paragraph 26).
47. On 12 December 2001 [Mr A] made a statutory declaration for my predecessor (copy in Attachment M), in which he stated:
'To the best of my recollection, having read through correspondence and recovered documents at the time, the technical problem which resulted in [the database] support to CTF645 failing on 20 December 1999 resulted from actions by DIO IT to put in place enhanced security on [the database] for Dili users.”
48. [The person referred to in paragraph 46(b)] told me in sworn testimony that he could recall being present at a discussion in December 2001 involving [rest of, and next sentence deleted].
49. I should note that [this person] had no direct involvement with the events being considered, [rest of sentence deleted].
50. [This person] recalled that in this December 2001 discussion:
' [Mr A] was saying ‘I think we cut it’ and then Frank was saying ‘well that’s not what you told me at the time, …are you sure of this?’ He said ‘oh’. He tended to waver on whether it was or was not…”
51. According to [this person] the last thing that the Director said when they left the room was 'make sure it’s the facts and that you are confident in what you say”. I questioned [this person] on whether the discussion included any suggestion of bullying by the Director of [Mr A], or whether the two of them seemed to be 'cooking up a story”, but he did not believe either of these applied and I accept his assessment.
52. Noteworthy in the description by [this person] of the Director's comments to him during the 2001 inquiry, is the absence of any indication that the Director thought he had anything to hide. Indeed, the contrary is indicated:
'He said, ‘No, provide everything. There’s nothing to hide from. Provide everything that’s there. The facts will speak for themselves’.”
53. I also asked [Mr A] whether the Director approached him on 21 December 1999 or in the days after to suggest a discreet silence or that a certain 'line” be taken by both of them about what had occurred on 20 December. He could not recall any such approach. Nor does he believe the Director would 'hide anything”.
54. Also relevant to [Mr A’s account] is the e-mail sent on 20 December 1999 [words deleted] which included:
[Extract from text deleted].
55. [Discussion of credibility]. [Mr A] suggested that [extract deleted]. I interviewed the author of the e-mail and while he could not recall the specifics of the conversation, [rest of sentence deleted].
56. [Discussion of credibility]. But while I am not prepared to accept [Mr A’s] specific account of 20 December 1999, I am also not prepared to accept that he acted unilaterally and acted deviously on 20–21 December 1999 (see paragraph 43). [Sentence deleted].
Statutory Declaration
57. I discussed with [Mr A] whether his statutory declaration of 12 December 2001 was truthful. He argued that the 'technical problem” (see the extract in paragraph 47) was that sensitive intelligence might be withdrawn by an outside source unless certain restrictions were introduced within the system to enhance security. I pointed out that word 'failing” later in the sentence added to an impression of technical systems failure or fault, rather than a deliberate action.
58. Even if his interpretation of that element of his statutory declaration is accepted—and it was not the one taken by my predecessor or [another named person]—part of the declaration must still be heavily criticised for omission and its apparent deliberate ambiguity.
59. [Mr A] attempted to explain it in these terms:
'IGIS: But, at the time that you signed this, did you think that that was a truthful statement or not?
[Mr A]: It was probably the best result I could get.
IGIS: Why do you say that?
[Mr A]: Because between myself and Frank we were the only two people in that room at the time and he did not recall the conversation. It was a technical problem, the security issue.”
60. When I put it to him that Mr Blick and [a named person] read his declaration in the way that I believe most people would, ie. that work to introduce limitations within the system had accidentally caused a technical systems failure, he responded as follows:
'It might. The words were crafted in such a way that it appeared to be a bit one or the other. For me, it read there was a technical problem, a security problem being a technical problem, resulting in failing. Information from DIO IT they’ve put basically enhanced security. The word 'failing” there, I probably was not all that happy with at the time.”
61. [Mr A] intimated that the statutory declaration had been drafted for him [by a named person] and that some of the final words were not ones with which he was necessarily comfortable. When I put it to him that the final declaration didn’t appear to be a truthful statement he responded:
'Correct, and it wasn’t in the original draft I put up.”
62. However, he did not allege that [the person referred to in paragraph 61] was attempting a 'cover-up” and I have seen no evidence that there was such an attempt. I questioned [four named persons] closely about the statutory declaration process; and reviewed what electronic records there were about it: I am satisfied the exercise as a whole was not a 'cover-up”.
63. [The account of a named person] of the finalisation of [Mr A’s] declaration is different and one which I accept. He said that he did a first draft (based on discussions with [Mr A], and because [several words deleted] and that [Mr A] had suggested amendments (which were made) and finalised the declaration [several words deleted].
64. I do not consider [Mr A’s] attempts at explanation justify what he did. A forthright statutory declaration would have indicated the doubts he had about what occurred; not one which used words meant to ambiguously cover quite different possibilities.
65. [Paragraph deleted]
66. This does not cause me to lessen my criticism. There seems to have been specific attention by [Mr A] to the second paragraph of the statutory declaration (see paragraphs 59–60 above).
Director's role
67. As concluded earlier, it is plausible—but by no means certain—that there was a brief discussion on 20 December 1999 involving the Director and [Mr A]. However, I do not accept the detail of [Mr A’s] version. There is absolutely nothing in the Director's behaviour (at the time or subsequently), which indicates he gave the alleged direction. It does not seem credible—particularly given his personal style—that he would immediately start dissembling on the morning after he had given an instruction of that sort. Even [Mr A] does not assert that (see paragraph 53).
68. Perhaps the discussion was one about the need to introduce some further controls on access to the database, in order to protect certain categories of raw intelligence and to establish communities of interest. Perhaps [Mr A] spoke in general terms of a problem and the Director said 'fix it”, without the implications being discussed or appreciated. In any case, the important conclusion I have reached, on the evidence, is that the Director did not give an instruction to cut the access of the Dili users.
69. I have reflected on whether the true cause of the loss of access should have been identified on 21 December 1999. The Director submitted to me that there was advice from the IT area that a technical problem was the cause, and he had no reason to query this. He correctly points out that the system had been experiencing a number of technical problems. On the other hand one could argue that senior managers should seek plain English explanations of technical problems, their cause and their likely duration; so assessments can be made of the wider potential ramifications and what it indicates about the state of the IT arrangements. It can be risky to leave it to the experts. And on this morning there was also in front of [people] an allegation that the loss of access had been ordered by the Director. Such an allegation should arguably have prompted some questioning of [words deleted] about what had actually occurred.
70. Hindsight is, of course, extremely accurate; and it must be acknowledged that the main issue on 21 December 1999 was whether there should be access for the Dili users. The attention to this was timely and access was restored that day.
71. I have also reflected on whether the Director should be accountable in a general sense for what occurred. Heads of agencies are not always held 'strictly liable” for everything their agency does and says. They are clearly accountable for matters such as governance, influencing culture, and the overall effectiveness of internal controls and internal communication. Whether the Director should be held accountable in a more general sense for what occurred on this occasion can only be judged fairly [by others].
Conclusions
72. On the basis of my independent investigations, I have reached the following conclusions:
(a) The denial of access to the relevant Dili users on 20–21 December 1999 was deliberate and not the result of technical failure or technical faults in any part of the system.
(b) It is possible that the Director and [Mr A] had a brief discussion on 20 December 1999, but I do not accept that the Director gave an instruction to cut the access. [Mr A] later instructed [another person] to effect a denial of access for the relevant Dili users, and this was done.
(c) [Mr A] may have [made statements in 2001 that potentially raise issues of a legal or administrative nature].
Recommendations
73. Given these conclusions, I recommend that my report be referred to the Secretary of the Department of Defence for him to consider whether an investigation should be conducted [into issues of a legal or administrative nature].
74. It should be noted that use of the testimony given to me is generally precluded by section 18(6) of the IGIS Act from being admitted as evidence [words deleted] in any court or in any other proceedings before a person authorised to hear evidence. This may have a bearing on what action is reasonably open to the Secretary of the Department of Defence. [Comment on feasibility and desirability of certain actions].
75. Developments since 1999 appear to have overtaken what might otherwise have leant themselves to general recommendations about security policy and practice. These have been enhanced as a result of my predecessor’s review of the Wispelaere matter.
Ian Carnell
Inspector-General of
Intelligence and Security
* All 16 attachments to this report are classified and cannot be released publicly. References to attachments have been deleted from this abridged version for the sake of readability. All significant matters are supported by detailed material in the attachments. referred to in paragraphs 11, 13 and 15 above] the direction to cut the access, he had gone and spoken to [that other person].
|