Director-General's Address
Australia–Israel Chamber of Commerce
‘Threats to business in the current security environment’
22 May 2008
Introduction
Thanks for the invitation to address you today.
ASIO has expanded greatly its engagement with the private sector over the past years, and, given the nature of the security environment, it is our intention to continue to do so.
I like to talk regularly to members of the business community, not only to broaden awareness of key aspects of this engagement, but also to hear some of your experiences and concerns about the risks you face in the current security environment, both here and overseas.
I think it's worthwhile that I begin by briefly giving you an overview of ASIO's role, as this will provide some context for the type of assistance we can, and do, provide to Australian businesses, and to international businesses operating in Australia.
I'll then speak about trends in the current security environment, and identify some areas of concern that you may wish to consider within the context of your own particular risk management strategies.
About ASIO
The model adopted by Australia for determining the respective roles and responsibilities of its intelligence agencies distinguishes security and foreign intelligence, and, ASIO excepted, separates collection and analysis functions.
ASIO is responsible for security intelligence, which means that we have a legislated mandate to obtain intelligence and provide advice on:
espionage;
sabotage;
politically motivated violence;
the promotion of communal violence;
attacks on Australia's defence system; and
acts of foreign interference.
We are, with some limited caveats, the only intelligence agency mandated routinely to collect intelligence within Australia; and also the only intelligence agency that collects and analyses intelligence.
One common misconception that influences public discussion of ASIO is that the distinction between security and foreign intelligence equates to a distinction between domestic and foreign responsibilities or activities.
Despite the fact that ASIO is often referred to as Australia's 'domestic security service'; and the Director-General of ASIO as Australia's 'domestic spy chief', our Act actually defines our responsibilities thematically, not geographically.
Which means, in practical terms, that in pursuing our role we go wherever the work takes us.
So while much of our focus is in Australia, it is more accurate to say that our focus is on Australia - that is to say, on the security of Australia and Australians - and this necessarily involves working and having strong links overseas.
The temper of the times is such that many of the threats impacting on our domestic security environment are international in source or complexion.
Conversely, our international exposure to risk from security-related threats continues to evolve with the diversification and globalisation of Australian interests, and the significant numbers of Australian citizens who travel, live and work abroad.
ASIO therefore has an extensive international liaison network comprising:
311 approved liaison relationships with foreign intelligence, security and law enforcement agencies in 120 countries.
Through these liaison relationships not only are we able to access valuable information, and tap into a wider set of judgements about global security issues.
We also gain valuable insight into circumstances overseas that may impact on Australian interests or influence our domestic environment.
Another significant dimension of our international reach comes via the National Threat Assessment Centre (NTAC).
The NTAC, which is located within ASIO, and staffed by officers from various Australian government agencies, receives information from around the world, which it uses to provide pointed, timely judgements concerning events or emerging threats impacting on Australia's security and interests.
I make these points because I believe it is important for members of the public, and of the business community, to know that ASIO is much more than the oft-quoted phrase 'Australia's domestic security service' implies; and that our security-intelligence role encompasses threats to Australia, Australian interests, and Australians wherever they might arise.
We are also mandated to carry out Australia's responsibilities to any foreign country regarding a matter covered under the definition of security I mentioned above.
So our engagement with the private sector is not based wholly or solely on our understanding of Australia's domestic security environment, but encompasses our broader international reach.
And I'll return later to some of the significant initiatives we have put in place or are currently working on to assist and inform your risk management strategies.
Current security environment
Moving now to the security environment.
Our broad judgement is that the security environment is much more fluid than in previous times, because the sources and targets of potential threats tend to be more diffuse and diverse.
While states remain the principal actors in the international sphere there are a range of non-state actors capable of threatening the security of Australia, Australians and Australian interests.
Islamic extremism is the most dangerous catalyst for politically motivated violence undertaken by non-state actors, particularly in the virulent, anti-Western form espoused by al-Qa'ida and the broader global violent jihadi movement.
Al-Qa'ida and those it inspires regard Australia and Australians as a legitimate target for terrorism both in our own right, and as part of that more amorphous category, 'the West'.
As such, individuals and groups committed to violent jihad pose a considerable threat to Australia, Australians and Australian interests here, in our immediate region, and around the world.
This judgement is no idle speculation.
A number of Australians have been or are being tried on serious terrorism-related charges, and ASIO continues to take a close interest in people who have become or may become radicalised to the point where they engage in activities of security concern.
Islamic extremism also remains a significant concern in our immediate region.
Effective counter-terrorism work by authorities in Indonesia and other neighbouring countries has impacted significantly on extremist groups - although hardened jihadists who have planned or participated in previous anti-Western attacks, like Noordin Mohammad Top, remain dangerous, and unlikely to be dissuaded from attempting to carry out high impact attacks against Westerners and Western interests.
Beyond our immediate region, al-Qa'ida central has regrouped in the border regions of Pakistan and Afghanistan, and expanded its network by entering into alliances with various extremist groups across the Middle East and Africa.
Terrorist groups and networks are not the only non-state actors of security concern, however.
Other protest groups and movements are willing to engage in violent protests to disrupt activities or events which they deem illegitimate or unacceptable for an assortment of ideological or political reasons.
The G8 protests in Melbourne and similar protests overseas show that such activities can cause significant damage and disruption to metropolitan commercial centres.
Significantly, espionage and espionage-related activities also continue to evolve and pose security challenges in the post-Cold War world.
As I noted in a speech last year, the classical paradigm of espionage as something undertaken principally by states against other states, while still valid, has been unsettled somewhat, as non-state actors are now a more prominent part of the equation - either as protagonists or targets of espionage or espionage-like activities.
Joining traditional political forms of inter-state competition and rivalry, are other competitive pressures (and opportunities), spurred on particularly by 'globalisation'.
As such, there are various incentives for individuals, groups, and states to seek to acquire sensitive information, intellectual property, and other capabilities, not only in government, but also in commercial spheres.
This is not to say that sensitive information and capabilities protected by governments have lost their strategic value.
It is to say, rather, that it is more difficult to put a neat boundary around the type of information that may have value, and therefore be sought after.
To give you one illustration: Pakistani national, AQ Khan, who was at the centre of a major nuclear proliferation network, was able to capitalise not simply on sensitive industry designs, but also on the business supplier lists of his former Dutch employer, so that he knew exactly where to go to purchase the components and materials he needed for his nuclear weapons program.
Areas of risk for business
There are various areas of potential risk to the private sector in this environment that may require your prudent management.
With regard to terrorism, the violent jihadists' targeting of the commercial sector is not merely incidental, but is firmly grounded in their ideological dogma and forms a fundamental plank of their long-term, strategic outlook.
An al-Qa'ida manual, The Management of Barbarism, gives an insight into their thinking.
The manual states that given "a superior enemy is defeated by economic and military attrition" it is important to stretch the enemy's military and economic resources by attacking a wide range of targets.
In a significant statement issued in April 2002, Usama bin Laden provided his own calculation of the direct and flow-on costs to the US and global economy of the attacks of September 11, 2001.
And, internationally, we have seen significant targeting of the aviation, oil and energy sectors, as well as transport hubs and business districts that attract large numbers of people.
Perhaps less well documented than physical attacks against or affecting commercial assets is the interest extremists have shown in infiltrating companies or misusing their employment to gain access to information, materials and equipment, or insight into security measures put in place in certain sectors.
Convicted UK extremist, Waheed Mahmood, used his employment in a UK national gas supply company to gain access to details of the locations of some of the high pressure gas pipelines in operation across Britain.
Nor can we rule out the possibility that extremists may actively seek to recruit or insert insiders working in companies to gain access to capabilities, materials or information, in a similar fashion to the way a state or non-state actor engaged in commercial espionage might seek to do so.
Aside from misusing employment to acquire information or access, we know that extremists also use publicly available or observable information to assist attack planning.
In fact, an al-Qa'ida terror manual recovered in 2000 instructs that it is possible to gather most of the information needed to plan and conduct an operation using public sources.
And whereas extremists have proven adept at utilising new media for propaganda purposes, it doesn't take a large leap of the imagination to envisage them engaging in other types of cyber-activity, with the aim of exploiting our society's growing dependence on information technology systems and infrastructure.
Regarding potential exposure to cyber-activities more broadly, the widespread use of the internet in government and business presents opportunities for state agencies to gain covert access to information.
And a range of non-state actors - hackers, criminals and other foreign entities, acting independently or on behalf of groups, networks, or states - are engaged in nefarious cyber-activities: whether for profit; to cause damage; test for vulnerabilities; or acquire sensitive information.
Such actors are targeting business and government alike. And, in terms of private sector vulnerabilities, they may not be trying merely to test, manipulate, or damage your IT systems.
By using trojans and other covert programs designed to transmit sensitive information, data held on compromised IT systems can be exfiltrated, covertly, via the internet, to someone virtually anywhere on the planet.
A successful attack could see the loss of commercially-sensitive information: business strategies, intellectual property, sensitive client details, even company employee information.
Not all such attacks originate from the internet, however.
The various IT related devices - software, mobile phones, disks, thumb-drives, personal organisers, and so forth - all of which are now in common use - are also potential vectors for trojans, etc, capable of compromising your information security.
So it is important that you consider whether you have appropriate security policies covering their use, particularly as they can be easily 'inserted' into your systems, sometimes quite innocuously - as gifts to staff, for example.
Such devices have also changed the way business is conducted around the world, making it possible to maintain access to information when you travel - but it is essential you consider whether the information you carry around on laptops, personal organisers or data-sticks when you travel overseas is exposing you to risks.
Prudent risk management
These are some of the things we are seeing, and some of the areas that are of concern.
The key point about the present environment is that various activities of concern are directed at, or may affect, the private sector.
And given the spectrum of these activities, it is clear that your protective security measures shouldn't begin or end with physical security, but also need to consider the way you
vet and manage personnel (including contractors),
manage your information systems, and
the information you make publicly available about yourselves.
Obviously, the character and severity of risk varies, and doesn't affect all businesses in the same way.
Individual companies are best placed to identify and prudently manage their particular exposure to risk, depending on:
sector,
size and workforce,
corporate identity and familiarity,
connectivity to other sectors of the economy,
IT systems and security,
supply-chains, and
location of premises and operations, locally and internationally.
But we are doing significant work to assist your efforts.
ASIO's subscriber-based business liaison website (which is available both to Australian companies and overseas companies operating in Australia) has sectoral- and country-specific threat reporting that can inform your considerations.
We have also made available through the website a new line of reporting on information security, in recognition of the growing importance of this area of risk management.
And we are currently establishing a register of Australian commercial interests overseas.
This joint BLU and NTAC initiative will provide Australia with a unique capability, allowing ASIO to target its overseas threat reporting more effectively to:
help business better understand the nature of the different security environments in which they operate; and
assist the Government's emergency response efforts abroad, should that need arise.
Given the international profile of many of our major companies, we are also working closely with key overseas partners to pool and compare experiences, and further refine judgements so that businesses are provided with consistent advice.
As I said at the beginning of my talk, ASIO has greatly expanded its engagement with the private sector over the past years, and given the nature of the security environment, it is our intention to continue to do so.
We see ongoing and constructive dialogue with business as a key part of our mission to protect Australia, its people and its interests.
Thank you.