Strengthening Integrity and Transparency: Lessons Learned from the NACC Investigation into Paladin (Operation Bannister)

Introduction

With over two decades of experience in cybersecurity and IRAP assessments within Australian government agencies, I have been involved in providing cyber forensic support for fraud investigations. My work has included assisting with investigations related to Commonwealth grants under AusIndustry grant programs, where I helped lead cyber forensic teams in executing Commonwealth search warrants. This involvement allowed me to contribute to uncovering misconduct and fraudulent activities through advanced forensic techniques.

Throughout my career, I have worked on projects such as developing the Commonwealth Department of Industry’s IT forensic and investigation capability. I have collaborated with the Australian Federal Police and provided forensic evidence in legal proceedings.

With qualifications like a Diploma of Government (Fraud Control) and extensive experience in cybersecurity and fraud investigations, I have gained insight into the frameworks that govern fraud prevention and investigation within the government. This background helps shape my understanding of the integrity challenges revealed in the NACC investigation into Paladin.

This article will discuss the lessons learned from the NACC investigation, highlighting gaps in the AGSVA clearance responsibilities, Commonwealth Fraud and Corruption Control Framework 2024, APS Code of Conduct, and Home Affairs’ policies. I will also recommend enhancing transparency and accountability in future government operations.

Case Summary: NACC Findings

The investigation report highlighted several important issues:

  • Undeclared Financial Transactions: Ms. Brown received $223,000 from Paladin Holdings through PayPal, payments that she did not disclose under her security clearance obligations.
  • Failure to Declare Conflicts of Interest: Ms. Brown had close personal relationships with Craig Thrupp, a director of Paladin, and Carl Delaney, a former SES officer at Home Affairs. These relationships were not declared.
  • No Direct Procurement Involvement: Although Ms. Brown did not directly influence the awarding of contracts, her failure to report these relationships and financial transactions created the perception of impropriety.

Comparing Findings to Existing Policies and Frameworks

1. AGSVA Clearance Responsibilities and Eligibility & Suitability

Key Requirements: Under AGSVA’s guidelines, individuals holding a security clearance must comply with strict reporting obligations, including:

NACC Findings:

  • Undisclosed Financial Transactions: Ms. Brown’s failure to disclose the $223,000 from Paladin violated AGSVA’s rules regarding financial transparency. AGSVA guidelines make clear that any financial windfall that could influence an individual’s impartiality must be declared.
  • Undisclosed Personal Relationships: Ms. Brown’s relationship with Craig Thrupp, a key figure in Paladin, and her failure to declare this relationship as a potential conflict of interest breached the AGSVA’s requirement to disclose significant relationships.

Improvements:

  • Real-Time Financial and Relationship Reporting: AGSVA should implement a real-time reporting platform where individuals can report financial changes or relationships that might affect their eligibility. This would help ensure transparency and compliance.
  • Regular Audits of Financial Records: Annual audits of financial records should be mandatory for individuals in sensitive roles, ensuring that all transactions are appropriately monitored and declared.

2. Commonwealth Fraud and Corruption Control Framework 2024

Key Requirements: The Commonwealth Fraud and Corruption Control Framework 2024 provides critical guidelines for:

NACC Findings:

  • Failure to Declare Conflicts of Interest: Ms. Brown’s failure to declare her relationships with Craig Thrupp and Carl Delaney and the financial payments from Paladin violated the conflict of interest requirements outlined in the Fraud and Corruption Control Framework. Even though no direct misconduct was identified, the perception of a conflict undermined the integrity of the government procurement process.
  • Lack of Financial Transparency: The failure to disclose significant financial transactions from Paladin also breached the Commonwealth’s financial reporting obligations, which emphasise full transparency to prevent the risk of fraud or undue influence.

Improvements:

  • Mandatory and Regular Conflict Declarations: Public officials should be required to submit regular conflict of interest declarations, including financial and relationship disclosures, and update these declarations as situations change (https://www.counterfraud.gov.au/library/framework-2024).
  • Enhanced Financial Monitoring: The Commonwealth should implement proactive financial monitoring systems to detect anomalies in the financial activities of public officials involved in procurement (https://www.counterfraud.gov.au/library/framework-2024).

3. APS Code of Conduct

Key Requirements: Under the APS Code of Conduct (as defined in the Public Service Act 1999), APS employees are required to:

NACC Findings:

  • Perception of Bias: Ms. Brown’s failure to disclose her relationship with Craig Thrupp and the financial payments from Paladin created a perception of bias, even though she did not directly influence procurement decisions. This violated the APS Code of Conduct’s requirement to declare a potential conflict.
  • Lack of Formal Declaration: Although Ms. Brown verbally informed her supervisor of her relationship, she did not submit a formal written declaration, which APS policy requires for managing perceived or actual conflicts.

Improvements:

  • Mandatory Written Conflict Declarations: The APS should enforce the submission of formal written declarations for any conflicts, which should be updated annually or whenever a potential conflict arises.
  • Ethics and Perception Training: Implement mandatory ethics training to help public servants understand the importance of declaring perceived conflicts and managing potential biases in their roles.

4. Relevant Home Affairs Policies and Procedures

Key Requirements: Home Affairs’ Conflict of Interest Policy and Integrity and Security Clearance Procedures require employees to:

NACC Findings:

  • Failure to Declare Personal and Financial Conflicts: Ms. Brown did not formally declare her relationship with Mr. Thrupp or report the substantial financial payments from Paladin, violating Home Affairs’ integrity procedures. These undeclared conflicts risked undermining the department’s internal processes for managing conflicts.
  • Inadequate Reporting Mechanisms: The absence of a formal, structured reporting process allowed Ms. Brown’s relationships and financial transactions to go undeclared.

Improvements:

  • Real-Time Conflict Reporting: Home Affairs should implement a real-time reporting mechanism where employees can declare changes in their financial status or relationships as soon as they occur, ensuring ongoing compliance.
  • Regular Integrity Reviews: The department should regularly review conflict declarations and financial transactions to ensure employees adhere to its policies.

Potential Avenues for Foreign Influence: A Broader National Security Concern

Although the NACC investigation into Paladin did not find evidence of foreign influence, and Paladin itself was a domestic entity, the failures in this case reveal potential vulnerabilities that foreign actors could exploit. The ASIO Director-General's 2023 Annual Threat Assessment emphasised that foreign interference is a persistent and evolving threat to Australia’s national security. Foreign actors are becoming increasingly adept at exploiting weaknesses in governance and integrity frameworks, particularly in areas where transparency and disclosure are lacking (see https://minister.homeaffairs.gov.au/ClareONeil/Pages/statement-in-response-to-asio-director-general-threat-assessment.aspx).

Exploitable Failures in Governance

Although domestic, the undisclosed financial transactions and personal relationships highlighted in the NACC case point to areas that foreign actors could target. The ASIO Director-General has warned that foreign actors use various tactics—including financial leverage and personal manipulation—to gain influence within governments. Similar failures in financial disclosure and conflict of interest management could provide a pathway for foreign interference.

  • Undeclared Financial Transactions: In the Paladin case, the $223,000 payment to Ms. Brown was domestic. However, ASIO’s 2023 threat assessment stresses that foreign actors often exploit financial vulnerabilities to coerce or manipulate individuals in sensitive roles. As seen here, the failure to disclose significant financial transactions could provide a window for foreign influence operations in future cases, where payments might come from foreign entities.
  • Undeclared Personal Relationships: Foreign actors could exploit a failure to declare personal relationships connected to government contracts. In response to the ASIO threat assessment, the former Minister for Home Affairs noted that foreign states increasingly target key individuals within Australian institutions, often through personal or financial relationships. In this instance, the relationships were domestic, but the same vulnerabilities could be leveraged by foreign entities in future cases, particularly in government procurement processes.

Strategic Risks to National Security

The ASIO threat assessment highlights the growing sophistication of foreign interference operations. As the former Minister for Home Affairs noted in her statement, foreign states continuously seek to exploit governance weaknesses within Australian institutions. While the failures in the Paladin case were limited to domestic actors, similar governance lapses—such as undeclared financial transactions or conflicts of interest—could open the door to foreign actors looking to influence government decision-making or secure sensitive contracts.

These failures underscore the need for robust financial and relationship disclosure mechanisms. Even though foreign actors were not implicated in this instance, the Minister for Home Affairs clarified that foreign entities actively seek opportunities to infiltrate government processes by exploiting weak governance and personal conflicts.

Recommendations for Preventing Foreign Influence

To safeguard against foreign interference and prevent future exploitation of similar vulnerabilities, several measures should be taken:

  1. Strengthened Financial Transparency: Government agencies should enforce stringent financial reporting mechanisms to prevent foreign actors from exploiting undisclosed transactions. As emphasised in the ASIO threat assessment, foreign states frequently use financial leverage to infiltrate government institutions.
  2. Proactive Relationship and Conflict Declarations: Personal relationships that intersect with sensitive government contracts should be declared proactively. According to the Minister for Home Affairs, foreign actors increasingly target individuals through personal connections to gain influence over government decision-making.
  3. National Security Training for Public Officials: Public servants should receive targeted training on foreign interference risks, especially those in sensitive roles. The ASIO threat assessment highlights the need to increase officials' awareness of foreign states' evolving tactics.

Public Education on Transparency and Integrity

Public education is critical to maintaining public trust in government operations. In addition to improving internal processes, the government should emphasise transparency through public campaigns:

  • Public Integrity Campaigns: Launch public campaigns to highlight the importance of conflict of interest declarations and financial transparency, helping citizens understand how these measures protect the integrity of government operations.
  • Public Reporting Channels: Establish public-facing reporting tools that allow citizens to raise concerns about potential conflicts of interest, promoting transparency and public oversight.

Technological Improvements for Greater Transparency

Technology can be leveraged to improve transparency and reporting mechanisms across the public service:

  • AI-Powered Monitoring Systems: Implement AI monitoring systems to analyse financial transactions and flag anomalies that could indicate conflicts of interest or financial misconduct.
  • Blockchain Technology: Use blockchain to track and verify financial transactions in government contracts, ensuring transparency and reducing the risk of tampering.
  • Digital Disclosure Platforms: Develop secure online platforms for public servants to declare conflicts of interest and report financial transactions in real time.

Conclusion and Recommendations

The NACC investigation into Paladin revealed significant gaps in conflict of interest reporting, financial transparency, and oversight. These failures, while domestic, also highlight potential national security risks, as foreign actors could exploit similar governance vulnerabilities in the future. The ASIO Director-General's 2023 Annual Threat Assessment and the Minister for Home Affairs’ response have underscored the evolving threat of foreign interference, where foreign states seek to exploit weaknesses in governance and personal relationships within Australian institutions.

To address these challenges and prevent future incidents, the following recommendations are crucial:

  1. Annual financial audits and real-time reporting platforms should be implemented to manage financial changes and relationships for public servants, ensuring that foreign actors cannot exploit vulnerabilities.
  2. Strengthen conflict of interest declarations by requiring formal written updates to be submitted annually or whenever changes occur, particularly regarding focus groups and financial transactions that may create opportunities for foreign influence.
  3. Public education on transparency should be enhanced to build greater public trust in government processes and raise awareness about the risks of foreign interference.
  4. Ethics training and technological improvements, such as AI monitoring and blockchain tracking, should enhance transparency and prevent potential conflicts while safeguarding against foreign influence operations that target financial or personal vulnerabilities.

By addressing these gaps and incorporating robust national security measures, the government can ensure a more transparent, accountable, and trusted public service while protecting Australian institutions from the risk of foreign interference.

References

Here’s a list of all the references used in the article, including full document names and URLs:

  1. AGSVA Clearance Responsibilities and Eligibility & Suitability URL: https://www.agsva.gov.au/applicants/eligibility-and-suitability
  2. AGSVA Clearance Responsibilities for Security Clearance Holders URL: https://www.agsva.gov.au/clearance-holders/responsibilities
  3. Commonwealth Fraud and Corruption Control Framework 2024: Fraud and Corruption Rule URL: https://www.counterfraud.gov.au/library/framework-2024/fraud-and-corruption-rule
  4. Commonwealth Fraud and Corruption Control Framework 2024: Fraud and Corruption Policy URL: https://www.counterfraud.gov.au/library/framework-2024/fraud-and-corruption-policy
  5. Commonwealth Fraud and Corruption Control Framework 2024: Fraud and Corruption Guidance URL: https://www.counterfraud.gov.au/library/framework-2024/fraud-and-corruption-guidance
  6. APS Code of Conduct URL: https://www.apsc.gov.au/working-aps/integrity/integrity-resources/code-of-conduct
  7. Home Affairs: Integrity and Professional Standards URL: https://www.homeaffairs.gov.au/access-and-accountability/our-commitments/integrity-and-professional-standards
  8. Home Affairs: Direction to Implement Integrity Measures URL: https://www.homeaffairs.gov.au/commitments/files/direction-integrity-measures.pdf
  9. Home Affairs: Direction to Implement Professional Standards URL: https://www.homeaffairs.gov.au/commitments/files/direction-professional-standards.pdf
  10. Home Affairs: Integrity and Conflict of Interest Policy URL: https://www.homeaffairs.gov.au/commitments/files/integrity-conflict-interest.pdf
  11. Home Affairs: Integrity and Declarable Associations URL: https://www.homeaffairs.gov.au/commitments/files/integrity-declarable-associations.pdf
  12. Home Affairs: Integrity and Declarable Circumstances URL: https://www.homeaffairs.gov.au/commitments/files/integrity-declarable-circumstances.pdf
  13. Home Affairs: Integrity Testing URL: https://www.homeaffairs.gov.au/commitments/files/integrity-testing.pdf
  14. Home Affairs: Integrity and Mandatory Reporting URL: https://www.homeaffairs.gov.au/commitments/files/integrity-mandatory-reporting.pdf
  15. Home Affairs: Procedural Instruction - Code of Conduct URL: https://www.homeaffairs.gov.au/commitments/files/procedural-instruction-code-of-conduct.pdf
  16. Home Affairs: Integrity and Security Clearances URL: https://www.homeaffairs.gov.au/commitments/files/integrity-security-clearances.pdf
  17. ASIO Director-General’s Annual Threat Assessment 2023 URL: https://www.asio.gov.au/director-generals-annual-threat-assessment-2023
  18. Minister for Home Affairs' Statement in Response to ASIO Director-General's Threat Assessment URL: https://minister.homeaffairs.gov.au/ClareONeil/Pages/statement-in-response-to-asio-director-general-threat-assessment.aspx

Author Bio

Nathan Joy is a seasoned cybersecurity professional with over two decades of experience safeguarding Australian Government agencies and cloud vendors. As the first IT security manager in the Australian Government to implement the ASD Top 4 controls, Nathan played a pivotal role in pioneering robust cybersecurity practices within our nation. His dedication to innovation was recognised by the prestigious SANS Cyber Security Innovation Award, and he even had the honour of briefing the White House, Homeland Security, and the NSA on Australia's groundbreaking approach. Nathan's expertise extends to all cloud deployment models (IaaS, PaaS, SaaS) and is further validated by his IRAP assessor endorsement from the Australian Signals Directorate (ASD) since 2011. The views and opinions expressed in this article are Nathan's own and do not reflect the official position of the ASD or the Australian Cyber Security Centre (ACSC).

Michael Foxman

Trusted Confidant | Industry Innovator | Change Maker | Thought Leader on Challenges Business and Humanity Face |

1 month

Great article.
