29 Jul 2019
Corporations must co-operate on security
Corporations already protect their assets and functions. But business should be understood as a key component of our deterrent posture against a range of threats from economic coercion, cyber-attacks and irregular warfare by proxies designed to undermine trust in the state.
As such attacks are likely to be directed towards private sector assets, business owners and operators should be recognised as central to this country’s security.
Corporations are making valiant efforts to protect their assets and capabilities from attacks in the physical and cyber environments. They do so for sound commercial reasons.
But such attacks are not just matters of commercial concern to companies and their shareholders. They have significant potential to weaken national resilience.
There exists a void between business and national security agencies when it comes to understanding each other’s capabilities and limitations.
Most major companies have an operations/crisis centre. Corporations hold considerable data that may be of benefit to governments during and after incidents. But the private sector currently plays a limited role in national crisis exercises.
A phrase that has gained some usage among Australian corporate security professionals when talking about the desire for greater co-operation with the official national security community is “dare to share”: security officials being willing to provide information that is timely and of value in the prevention and mitigation of all risks faced by the nation.
There are constraints on passing certain national security information to business related to international agreements, perceptions of corporate advantage and potentially foreign ownership.
But these restrictions should not be insurmountable barriers: they don’t affect the intent to share, although they can affect the depth and timeliness of the sensitive information to be shared.
Some mechanisms are already in place, established by both the Australian government and state governments, for security agencies to “hook up” with business. But the structures are fragmented between and within government departments and agencies and are often based on sector-specific silos.
Business sometimes wrongly believes that security agencies are sitting on an information goldmine that they refuse to share. This indicates a lack of understanding. But corporate security professionals complain there isn’t much scope at the moment to discuss or know what national security policy or legislation is coming.
Developing a secure and resilient nation can only be ensured through mutual obligation whereby both government and business understand and are committed to developing and maintaining the measures required to safeguard Australia.
When it comes to contributing to national security, business is generally not seeking financial incentives from government such as tax breaks, subsidies for corporate back-up plans, or somehow being given special government status as resilient companies to “do the right thing”.
Rather than government incentives, what business wants is timely security-related information and an understanding of how their business fits within the overall concept of a resilient nation.
To strengthen corporate and government co-operation on national security we should establish a Chief Security Officer Advisory Group to work with the Department of Home Affairs. The group would consist of a small number of senior security, business continuity and resilience managers as well as organisations representing the broader corporate sector.
We should reinvigorate the Industry Consultation on National Security. ICONS hasn’t met for over two years. It would provide a forum for the Prime Minister and senior ministers to engage with CEOs on national security policy and issues.
We should broaden the scope of state-based Joint Cyber Security Centres so they become converged centres for integrating national security interaction between business and government. The JCSCs should be rebadged as joint threat management centres to establish two-way communication, analysis and planning not just on digital risks but on issues such as foreign interference, activism and politically motivated violence, the security of offshore business activities and disaster resilience. Governments should expand the involvement of business in exercises related to all aspects of national security.
The threats we face don’t recognise the walls that exist between Australian businesses and national security agencies. To safeguard Australia, we need to put more doors in those walls.