08 Jan 2020
Ending secrecy key to filling the void on cybersecurity
Two key new national security leadership positions provide an opportunity to develop a partnership between business and government to safeguard Australia.
ASIO chief Mike Burgess spent some years running IT security at Telstra. The new director-general of the Australian Signals Directorate, Rachel Noble, while working in the public service for many years, once worked for Optus.
Both leaders understand that our business sector is under attack through economic coercion, cyber attacks and irregular warfare by proxies, designed to undermine trust in the state.
Corporations are making valiant efforts to protect their assets and capabilities from attacks in the physical and cyber environments. They do so for sound business reasons. But such attacks aren’t just matters of commercial concern. They have significant potential to weaken national resilience, and so should matter to all of us.
Business and government need to co-operate when it comes to protecting our security: our businesses are much more globally focused than before and our nation’s reliance on technology is unprecedented.
Our infrastructure is becoming increasingly interconnected, creating new vulnerabilities. Power struggles over commercial goals are now not just about corporate success or failure but are also setting the stage for kinds of foreign interference that weren’t possible before.
But there’s a void between business and national security agencies when it comes to understanding each other’s capabilities and limitations. Corporations have great visibility in terms of what is happening domestically and internationally that may affect their operations. Some of our corporate heavyweights have an in-house analytical capability or subscribe to specialist intelligence and analytical providers.
Most major companies have an operations or crisis centre. Corporations hold considerable data that may be of benefit to governments during and after incidents.
The official national security community should “dare to share”: be willing to provide information to business that is timely and of value in the prevention and mitigation of all risks faced by the nation.
Federal and state governments should expand the involvement of business in crisis exercises related to all aspects of national security.
There are constraints relating to passing on certain security information related to international agreements, perceptions of corporate advantage and, potentially, foreign ownership. But these restrictions should not affect the intent to share, although they can influence the depth and timeliness of the sensitive information to be shared.
There are already some mechanisms in place, established by both the Australian government and state governments, to hook up with business on issues of national security.
The Office of National Intelligence is seeking to expand its links to the private sector through more active engagement with business groups. ASIO has also been active over some years in reaching out to company boards. ASIO's Business and Government Liaison Unit delivers a suite of activities to business. But the structures are fragmented between and within government departments and agencies, and are often based on sector-specific silos.
National security agencies and corporate executives believe that sometimes the other party intentionally or needlessly holds back essential information. Business believes that there isn’t much scope to discuss or even know what national security policy or legislation is coming down the pike.
Developing a secure and resilient nation can only be ensured through mutual obligation whereby both governments and corporations understand and are committed to developing and maintaining the measures required to safeguard Australia.
We should strengthen corporate and government co-operation in national security by creating a central hub in the Department of Home Affairs for ensuring information transfer on national security risks and support for industry in better understanding emerging security issues.
A chief security officer advisory group should be established to work with such a hub, consisting of a small number of senior security, business continuity and resilience managers.
We should reinvigorate the Industry Consultation on National Security, which has not met for over two years. ICONS would provide a forum for the prime minister and senior ministers to engage with CEOs on national security policy and issues.
We should broaden the scope of state-based joint cyber security centres (JCSCs) so they become converged centres for integrating national security interaction between business and government.
The JCSCs should be rebadged as joint threat management centres to establish two-way communication, analysis and planning not just on digital and cyber risks but on other security risks such as foreign interference, activism and politically motivated violence, and the security of offshore business activities. The federal government and the states should expand the involvement of business in crisis exercises related to all aspects of national security.
A secondment program of national security agency personnel into the corporate security and more general risk management environment should be developed. We need to encourage an awareness among major corporations that when selecting a chief security officer the ability to obtain a national security clearance will be of benefit.
Today, corporate security is national security.