What is the terrorist threat to Australian business?
The main terrorist threat to Australia emanates from al-Qa’ida and associated groups, particularly Jemaah Islamiyah. Statements by Usama bin Laden since November 2001 underline the fact that Australia and Australians are regarded as legitimate targets by al-Qa’ida and associated groups.
Successful, aborted and thwarted terrorist attacks around the world by al-Qa’ida and associated groups include government buildings, diplomatic and consular offices, commercial buildings including hotels and other tourist facilities, residential compounds, commercial and military shipping, aviation and oil and other critical energy and transport infrastructure. In addition, al-Qa’ida and associated groups have considered a large range of targets from bridges to sporting stadia – while in the past many of these terrorist plans proved impractical or beyond available resources at the time, the possibility exists that they may be re-addressed in the future.
The threat posed by terrorism to our security is complex, broad-ranging and long-term in nature.
All governments have had to adjust to meet the new and unpredictable threat of terrorism. It does not respect borders nor the rights of people to lead peaceful lives and go about their business. Terrorists do not abide by rules or engage in regular forms of combat. Instead, they use whatever means are available to them to achieve their political and ideological objectives.
The Australian business community must consider a range of threats and hazards that put their operations, staff and customers at risk. Businesses can be damaged, destroyed or disrupted by natural disasters, negligence, accidents, criminal activity (including computer hacking, theft and malicious damage) as well as by acts of terrorism. The business community requires information about the extent of the threat of terrorism and the role it can play in safeguarding Australia.
The Australian Security Intelligence Organisation (ASIO) produces threat assessments for specific events, facilities, and sectors. Threat assessments fall into two broad categories:
• those that assist preparedness and planning, and
• those that require an immediate response to a specific threat or to a heightened assessment of threat.
Such threat assessments are the key to ensuring that security measures are applied to the areas of greatest need, and are in proportion to the risk. ASIO is responsible for the distribution of relevant intelligence and information to Australian Government departments, the Australian Federal Police and state and territory police. The dissemination of threat assessments concerning industry sectors is undertaken in cooperation with the state and territory police via a briefing with all relevant industry representatives.
Where there is a particular urgency, ASIO will contact relevant police and other organisations, including business owners/operators.
The protection of the private sector from national security threats is the responsibility of both the government and the owners and operators of business enterprises. All governments in Australia accept the need to engage the private sector on a partnership basis in developing a response to national security threats, whilst the private sector accepts that the cost of their security is part of the cost of doing business.
What is Critical Infrastructure, and what is being done to protect it?
Critical infrastructure is defined as “those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia’s ability to conduct national defence and ensure national security”.
Significant is defined as an event or incident that puts at risk public safety and confidence, threatens our economic security, harms Australia's international competitiveness, or impedes the continuity of government and its services.
Critical infrastructure extends across many sectors of the economy, including banking and finance, transport and distribution, energy, utilities, health, food supply and communications, as well as key government services and national icons. Some critical elements in these sectors are not strictly speaking "infrastructure", but are in fact, networks or supply chains that support the delivery of an essential product or service. For example, the supply of food to our major urban areas is dependent on some key facilities, but also a complex network of producers, processors, manufacturers, distributors and retailers that get the food from paddock to plate. Where an incident involving these networks could have a significant impact, those networks are treated as critical infrastructure.
The continuity of supply of all critical infrastructure is dependent, to some extent, on availability of other infrastructure, and some sectors are mutually dependent on each other. The degree and complexity of interdependencies is increasing as Australia becomes more dependent on shared information systems and convergent communication technologies, including the Internet.
The protection of critical infrastructure is a shared responsibility of business and the Australian, State and Territory Governments. Government and the owners and operators of critical infrastructure need to work together to identify these interdependencies and apply appropriate strategies to reduce risk where possible.
The role of business
Much of Australia’s critical infrastructure is privately owned. As such, owners and operators of critical infrastructure are key players in ensuring the security of their assets and accept that the cost of their security is part of the cost of doing business. Whilst it is not possible to secure all critical infrastructure from all threats, good business practices such as applying risk management techniques to their planning processes, conducting regular reviews of risk management assessments and plans, as well as developing and reviewing business continuity plans, will assist businesses in mitigating potential risks and threats.
Participation in the Trusted Information Sharing Network for Critical Infrastructure Protection (TISN) (see below) enables the owners and operators of critical infrastructure to share, on a national level, information on important issues such as business continuity, consequence management, and threats and vulnerabilities with other business and the Commonwealth, State and Territory Governments.
The role of the National Counter-Terrorism Committee
The National Counter-Terrorism Committee (NCTC) is the national coordinating body for counter-terrorism in Australia. It comprises senior representation from relevant agencies within the Australian Government, as well as from Premiers' and Chief Ministers' departments and Police Services in each jurisdiction.
The NCTC has primary responsibility for the oversight of the protection of critical infrastructure from terrorism. In close consultation with industry and with security agencies in each jurisdiction, the NCTC has developed the National Guidelines for the Protection of Critical Infrastructure from Terrorism.
The Guidelines provide a framework for national consistency in the provision of advice on the protection of critical infrastructure from terrorism. The Guidelines suggest actions that critical infrastructure owners need to consider in response to the security environment in consultation with law enforcement agencies.
Importantly the Guidelines recognise that the treatment of individual critical infrastructure assets will depend on an assessment of the criticality of the asset, the nature of the security environment and the risk profile for that asset or relevant industry sector. All levels of government and industry have a role to play in the protection of critical infrastructure. The National Guidelines clearly articulate the various roles and responsibilities.
The role of the State and Territory Governments
State and Territory Governments have primary responsibility for critical infrastructure protection within their jurisdiction. The National Guidelines outline the roles and responsibilities of state and territory governments and police services. These responsibilities include:
• the identification of critical infrastructure
• activities in relation to the development of security prevention and response strategies and plans, and
• the direct engagement of critical infrastructure owners and operators.
Each jurisdiction has developed or is developing a framework for how it will deliver the responsibilities agreed under the National Guidelines. Adoption of the National Guidelines by all jurisdictions ensures a consistent approach to critical infrastructure protection, acknowledging that the mechanisms established in each jurisdiction for the delivery of the program may vary. The Guidelines are not a public document, but are being distributed by State/Territory Governments to identified critical infrastructure owners/operators.
Given the States and Territories have primary responsibility for the prevention of and response to potential terrorist incidents involving critical infrastructure, they are the first point of contact for critical infrastructure owners/operators.
The role of the Australian Government
The Australian Government has a coordination role in the development of a nationally consistent approach to the protection of critical infrastructure. In particular it provides coordination and national leadership in areas of joint responsibility and international issues, produces and communicates relevant intelligence and information to stakeholders, and promotes critical infrastructure protection as a national research priority.
The Australian Government also has a direct role in ensuring that protective arrangements are in place for defence assets, Parliament House in Canberra, foreign missions and Australian Government-regulated sectors including aviation, maritime and offshore oil and gas facilities.
The Australian Government is responsible for ensuring that protective arrangements for these identified assets and industries are reviewed and updated in line with the current security environment and risk profiles. However, this task is undertaken in conjunction with the respective jurisdiction to ensure effective and comprehensive security prevention and response strategies are in place and maintained for the protection of critical infrastructure.
The Critical Infrastructure Protection Branch of the Attorney-General's Department is responsible for the development and coordination of Australian Government policy and international cooperation relating to critical infrastructure protection, including the national information infrastructure. The Branch also provides general and legal policy advice and coordination within the department on e-security (including its relationship to high-tech crime), and cyber-terrorism.
The role of the Trusted Information Sharing Network for Critical Infrastructure Protection
The Australian Government, through the Attorney General’s Department has established a range of inter-governmental and business government consultative mechanisms to assist in the development and coordination of national security policy. The Trusted Information Sharing Network for Critical Infrastructure Protection (TISN) enables the owners and operators of critical infrastructure to share, on a national level, information on important issues such as business continuity, consequence management, and threats and vulnerabilities.
The TISN consists of a number of Infrastructure Assurance Advisory Groups (IAAGs) for different business sectors, and the Critical Infrastructure Advisory Council. The Council oversees the Advisory Groups and provides advice to the federal Attorney-General on the national approach to protecting critical infrastructure.
The Council consists of representatives from each of the States and Territories, the critical infrastructure business sectors, relevant Australian Government agencies and the NCTC.
The Business-Government Advisory Group on National Security has also been created to provide senior business leaders an opportunity to input into the strategic direction of Australia’s national security policy. It should be noted that Critical Infrastructure Protection is just one element of national security and that this group will also consider other issues impacting on the business community.
What is being done to protect Australia from cyber terrorism?
Whilst there is no evidence that there has been an act of cyber terrorism in Australia to date, our vulnerability to such attacks is increasing as we become ever more dependent on the information economy. This dependence creates new threats and vulnerabilities. In the recent past, companies and government agencies, both here and overseas, have been fending off successive threats, each with the potential to cause billions of dollars in damage. Convergence of technologies such as voice over IP replacing parts of telephone networks means that the information infrastructure has less built in redundancy.
Threats and vulnerabilities increase as the costs of the technology and the required skill level of potential attackers decrease. At the same time the ‘attribution of attackers’, our ability to be sure of their identity, location or motive, is becoming more difficult as the internet grows exponentially. For this reason, the traditional concept of ‘jurisdiction’ is clouded and a multi-jurisdictional and multi-national response is required.
The Australian High Tech Crime Centre (AHTCC) and the Computer Network Vulnerability Assessment (CNVA) Program are just some of the Australian Government initiatives developed to better protect Australia’s information infrastructure.
What is being done to protect other parts of the business community?
Government has, in certain circumstances, found it necessary to regulate to ensure that a minimum level of protection or preparedness is put in place. This may occur for a number of reasons, such as:
• international obligations
• the need for national consistency
• the likelihood of market failure, or
• in response to legitimate community concerns and expectations.
Regulation does not, however, have to include mandatory prescriptive specifications. The Australian Government has put in place a regulatory regime for the security of aviation and maritime transport, and more recently proposed an extension of this to cover offshore oil and gas. The implementation of these regimes has been achieved through a business-government partnership that included the Australian Government contributing to the cost of the new security measures.
Places or venues where large numbers of people gather are referred to as ‘places of mass gathering’. It is believed some of these might present an opportunity for terrorists to cause a large number of deaths and injuries from an attack. These places by their nature allow public access, and many forms of security that are applied in the protection of critical infrastructure may not be appropriate for protecting places of mass gathering.
Also, in critical infrastructure protection there is a strong emphasis on business continuity arrangements, which may be less relevant in dealing with places such as tourist attractions, major shopping centres, sporting stadia and hotels. These places do not fit the normal definition of critical infrastructure, as it is their visitors, customers and patrons that would be targeted, rather than the buildings themselves. All governments are exploring how best to work with the owners and operators of these venues.
Whilst government cannot guarantee that Australia will not be subject to terrorist attacks, all practical steps are being taken to protect Australians and Australian businesses against the threat of terrorism.
The National Security Hotline (1800 123 400) provides an effective interface and accessible point of contact for the Australian public in relation to security matters. The Hotline has two main objectives:
• to receive information from the public on suspicious activities, and
• to provide information and reassurance to the public on the arrangements for preventing, deterring and detecting terrorism in Australia.