Australian Security Intelligence Organisation
Australian Security Intelligence OrganisationAustralian Security Intelligence OrganisationAustralian Security Intelligence OrganisationASIO's workYear in reviewPublicationsASIO Public StatementsCareers with ASIOContact Details

Skip Navigation Links

Risk Management Institution of Australasia
Director-General's Address
'National Security and Risk Management'
27 November 2007

Introduction
  • Thank you, Hugh, for that introduction.
  • It's a pleasure to be here today to provide the concluding keynote address to the Fourth National Conference of the Risk Management Institution of Australasia (RMIA).
    • I know your mission is to champion risk management and foster professionalism in this field across the public and private sectors.
      • This is something I fully endorse.
      • ASIO works closely with the private sector to assist in the development, and implementation, of strategies to deal with security-related risks; and
        • we continue to be impressed by the proactive approach to risk mitigation within the Australian business community.
  • Let me say at the outset that the theme of this year's conference - risk equals opportunity - is particularly germane for my address today.
  • For despite the rise, in recent years, of a more challenging domestic and international security environment, it's vital that we continue to build and capitalise on our identity as a modern, cosmopolitan nation:
    • a confident nation, engaged politically, economically and culturally with our immediate region, and the world beyond.
  • Australia has traditionally placed great weight on its continental geography as a formidable line of security.
    • Yet, in a globalised world, more of our interests lie, or are affected by circumstances and events, offshore.
    • And the globalisation of insecurity associated with the rise of militant, non-state actors, has brought the catalysts of new forms of extremism, formerly confined to overseas locations, to our own shores.
  • It's worth considering, in this context, the findings of two recent reports.
  • The first, by the journal Foreign Policy, ranks Australia as the thirteenth most globally integrated country in the world, placing us in the top five for our level of technological connectivity.
  • The second, Under Attack? Global business and the Threat of Political Violence, by Lloyd's and the Economic Intelligence Unit,
    • documents the level of uncertainty within international business about the risks associated with geopolitical instability and political violence.
  • Noting this uncertainty, Lord Levene, the Chairman of Lloyd's, prefaces the report, saying,
    • 'the importance of reflecting changing political violence risk in corporate risk management strategy has never been greater.'
  • So today I will discuss some of the challenges we face, providing you with an overview of the current security environment, and noting some of the significant implications it has for risk management.
Our mission
  • Let me preface my overview of the security environment with some general remarks about ASIO's role, and some of the broad changes to have taken place in the way we do our work over the last five to ten years.
  • ASIO's mission is to identify and investigate threats to national security, both in Australia and overseas, and to provide advice to protect Australia, its people and its interests.
  • Under our legislation, we have a mandate to investigate espionage, sabotage, politically motivated violence, the promotion of communal violence, attacks on Australia's defence system, and acts of foreign interference.
  • And while ASIO is often referred to as Australia's 'domestic security service', this is incorrect to the extent it implies that ASIO operates only within Australia; or is concerned only with threats to Australia itself.
    • We are responsible for countering threats to Australia and Australian interests, whether these are directed from, or committed within Australia, or not.
      • As we like to say, our security mandate is defined thematically, not geographically.
  • This is a significant point - particularly in light of the challenges entailed by the current security environment, because
    • our capacity to collect intelligence, investigate threats, and provide timely advice relevant to Australia's national security,
      • requires effective and strategic international engagement and reach.
  • Turning now to some of the changes to our working environment.
  • It's worth reflecting that, from our inception in 1949 until the early 1990s, ASIO provided advice principally to the Australian government, and this advice related predominantly to counter-espionage investigations.
  • Since the end of the Cold War, and the rise of trans-national terrorism, there have been two striking changes to our work.
    • First, while counter-espionage remains important, and we have boosted the resources devoted to this function, our major focus now is counter-terrorism.
    • And second, given there are more people in more agencies dealing with the threat and implications of terrorism, we now work with, and provide advice to, a much broader range of clients -
      • not only within government, but also, significantly, within the private sector.
  • This reflects far reaching changes to the global security environment following the attacks of September 11; and, closer to home, the string of terrorist attacks in our own region since October 2002.
  • Because the threat of terrorism affects the entire community, and has a range of implications for the private sector, ASIO, like intelligence services elsewhere, has had to rethink some of the constraints put on intelligence reporting, and its dissemination, during the Cold War.
    • We must, by the very nature of our business, continue to perform much of our work out of the public eye.
    • And there will always be strict limits on who can see our most sensitive information.
    • But we need to continue to explain the nature of the challenges we face as a nation, and assist members of the community, not least the private sector, to prepare and adjust to the new security environment.
  • Later in my address I will return to what ASIO is doing to build an effective relationship with the private sector, particularly through our Critical Infrastructure program, and our Business Liaison Unit.
  • I want first, though, to provide you an overview of the security environment.
The present security environment
  • Terrorism is by no means the only threat to national security.
  • It is, though, the most serious and, potentially, the most destructive threat Australia presently faces.
  • On current indications, terrorism carried out by Islamic extremists is likely to be a destabilising global force for some time to come.
  • The main threat to Australia and its interests comes from Islamic extremists who are part of, or take inspiration from, the global jihadi movement.
  • Al-Qa'ida is the vanguard of this movement, not just in the important role of symbolic figurehead, but as the central node in an inventive, loosely coordinated, network of affiliated groups.
  • You may previously have heard me, and others, warn that al-Qa'ida has been rebuilding its organisational structures and operational capabilities in bases in the tribal regions bordering Pakistan and Afghanistan.
  • It also continues to expand its sphere of influence and activity by entering into alliances with Islamic extremists on the Asian sub-continent, in the Middle East, and in East and North Africa.
    • Beyond al-Qai'da in Iraq, we have seen:
      • al-Qa'ida in the Arabian Peninsula;
      • al-Qa'ida in the Islamic Maghreb (formerly an Algerian jihadi group known as the Salafist Group for Call and Combat);
      • al-Qa'ida in Lebanon;
      • al-Qa'ida in Yemen; and, most recently,
      • al-Qa'ida in Libya.
  • In ideological terms, this expanding number of 'franchises' provides forward momentum for al-Qa'ida's broader mission,
    • as it seeks to reframe a panoply of national conflicts and insurgencies involving Islamic militants as part of the global, anti-Western struggle.
  • In practical terms, more 'franchises' mean:
    • new asset flows and communication channels between affiliated extremist groups and networks, facilitating the exchange of information, funds, personnel and operational techniques;
    • extended operational reach; and,
    • the likelihood of more attacks against Westerners, Western targets and Western interests.
  • Al-Qa'ida also continues to be the inspiration for extremist networks worldwide, including in Western countries, and,
    • as the ongoing number of arrests around the world attest, no country, Western or Muslim, can consider itself immune, or invulnerable to this threat.
  • It is significant in this context, that the rise of the global jihadi movement largely has coincided with the development and expansion of the internet,
    • which extremist groups like al-Qa'ida are using to great effect,
      • massively extending their ideological reach by disseminating propaganda - in some cases, rough and ready; in others, highly sophisticated - to incite, inspire and recruit well beyond what would be considered their 'traditional' constituencies.
  • Closer to home, the security outlook in our immediate region remains mixed.
  • Terrorist activity and sectarian violence persists in parts of South East Asia, particularly in southern Thailand, Indonesia and the Philippines.
  • Successful counter-terrorism efforts by Indonesian authorities have diminished the capacity of Jemaah Islamiyah (JI) -
    • the regional group responsible for the 2002 and 2005 Bali bombings, as well as the attack in 2004 on the Australian embassy in Jakarta -
      • ... although hardline militants like Noordin Mohammad Top are likely to continue to target Australians and Australian interests in the region.
  • And JI is able to utilise an intricate network of extremists across the region, allowing its members to move across borders to train, raise funds, or to find safe-havens on the run from authorities.
  • I would like to cap my brief overview of the security environment on a cautionary note.
  • Six years on from September 11, and five years on from the first Bali attack, there is a risk of 'security fatigue' -
    • the risk that, as the memory of major terrorist attacks in New York, Washington, Bali, Madrid, and London recedes, we become complacent.
    • Or even that, as reports of terrorist attacks, successful or thwarted, become more familiar, we gradually become desensitised and less vigilant.
  • In some ways, this response is understandable; and may well be a mark of a healthy society.
    • For free and moderate peoples don't tend to dwell, singularly and intensely, upon one area of life.
  • I would, however, strongly caution against complacency, particularly amongst those of you who are involved in risk management.
  • For while we, as a society, don't tend to dwell on one aspect of life, militant extremists clearly do.
  • Global jihadists single-mindedly dedicate their life - in the fullest sense possible - to a violent cause,
    • which they believe is sacred, and therefore definitive of their personal and collective identity as members of a particular faith group.
    • And this distorted, and belligerent, identity has led them to target 'the West' and 'Westerners' as aggressive enemies to be goaded, punished, attacked and violently defeated.
  • So I think it's necessary to reiterate that Islamic extremists have identified Australia as a target for terrorist attacks in public statements.
  • Australians have been targeted, injured or killed in terrorist attacks overseas,
    • most notably in Bali and Jakarta, but also in terrorist attacks in the UK, the USA, the Middle East, and Afghanistan.
  • Islamic extremists have targeted Australia itself in terrorist planning.
  • And Australian citizens have engaged in terrorism-related activities, both here and abroad.
  • Unfortunately, there is nothing I've seen to indicate this will not remain the case.
The challenge of risk management
  • Terrorism of the sort I've just described presents significant challenges for risk management strategies - for Australia as a nation, for particular sectors of our economy, and for individual businesses.
  • Classically, risk managers have drawn a distinction between 'measurable' and 'unmeasurable' uncertainties.
  • Risk management is more comfortable - if that's the best phrase - with the realm of measurable uncertainty, which can be subject to risk calculus and the metrics of risk analysis.
  • Unmeasurable uncertainty, on the other hand, presents fundamental challenges for risk analysis and decision making.
  • Since its emergence in the 1990s as a trans-national, anti-Western force, Islamic terrorism has been a source of significant strategic uncertainty.
  • Security intelligence services can, in large measure:
    • track the development of groups and networks within the global jihadi movement;
    • identify and analyse their beliefs, goals and methods; and,
    • to the best of our capabilities, disrupt specific plots before they are carried out.
  • But the simple fact is that terrorists put a lot of energy into concealing their identity, their activities, and their specific intentions.
    • They combine shadow and light; revelation and concealment -
      • publicly ventilating, on the one hand, their ideology and propaganda; and,
      • disguising, on the other, their intentions and planning for the next attack.
  • Of course, strategic and tactical surprise has always been part of the terrorist's armoury.
  • But the new factors of virulent anti-Westernism, strategic trans-nationalism, and now, 'home-grown' radicalisation, have decentralised the threat, introducing deep uncertainties into the equation.
    • All of which is usually ignored, or papered over, by the rather jejune attempts, I must say, by some commentators to equate the risk posed by terrorism,
      • to the risk of personal injury from falling off a ladder, or being bitten by a red-back spider.
  • Risk management, as this audience well knows, involves identifying and assessing events that, should they occur, will impact on activities and objectives; and then assessing and ranking these events within an order of risk,
    • from those with the greatest probability of occurrence and the highest potential cost, through to those with the lowest probability of occurrence and the lowest potential cost.
  • Such an enterprise is never straightforward, and is not itself without risk.
    • This is particularly so when it comes to terrorism, where the chance and cost of making the wrong decision can be especially high.
  • There is, for instance, what we might call the 'identification problem'.
    • The problem, that is, of failing to identify or conceive something as a risk, until it's too late.
  • There is the fundamental problem of sailing in only partly charted waters.
    • You probably recall Donald Rumsfeld's infamous, if inelegant, taxonomy of the 'knowns' and the 'unknowns'.
  • And in addition to understanding, and dealing with, present risks - of which, only some are known - we need to anticipate future risks.
  • History holds valuable insights, but ultimately provides unreliable testimony concerning the possibilities of the future.
  • And the gravity of the present - our immediate horizon - creates powerful biases that will always prove difficult to overcome.
  • Risk managers will look to statistics.
  • But the Lloyd's report I cited earlier makes the point, correctly in my view, that terrorism 'does not follow simple statistical patterns'.
    • And a threshold event like September 11 somewhat defies the statistical framework informing risk analysis, because it embodies such a radical asymmetry between probability and consequence.
      • In fact, it arguably created a new concept of risk, by showing that large scale, catastrophic terrorist attacks sit within the horizon of the possible.
  • All these are, or border on, major and difficult uncertainties.
  • But this is not to say that risk management in the new security environment is a flawed enterprise.
    • It is to say, rather, that it is necessary; that we cannot escape it.
  • Within ASIO, we have to make hard choices concerning investigative priorities on a daily basis.
    • We cannot pursue all leads of potential security concern equally.
    • And we are conscious of the need to devote resources towards the challenging but necessary task of identifying 'the unknowns'.
  • But even this exposes us to risks, as my British colleague, Jonathan Evans recently noted.
  • For networks don't have neat or clear boundaries. So our investigations may well come into contact with someone whose connection to an individual of current concern appears tangential.
  • We cannot pursue all avenues, and there may not appear to be an immediate reason to do so in all cases.
    • But, given the pace and intensity with which some individuals radicalise, there is a risk that someone apparently peripheral to dynamic, and never fully visible, extremist networks, could move, unnoticed to authorities, to the very centre of active terrorist planning,
      • with potentially devastating consequences.
  • A person who, it will eventually be said, was 'known' to authorities.
  • While we put a lot of time and effort into managing this risk, there is no guarantee, in the current environment, that we will always succeed.
  • As Jonathan noted, though, 'it would be perverse' for an intelligence service,
    • 'to avoid knowing of somebody for fear of being held to blame if they later become involved in an attack.'
ASIO and the private sector
  • So in this dynamic and volatile security environment, cooperation between Australian government agencies and the Australian business sector is essential.
  • Our challenge is to continue to understand the nature of a threat that moves at pace and adapts to each of our own moves; and to look for better ways to conceptualise and manage our exposure to the risks.
  • Exposure to risk is not necessarily uniform, and will vary from individual business to business.
  • In general terms, risk managers should look closely at their company's:
    • sector,
    • size and workforce,
    • corporate identity and familiarity,
    • connectivity to other sectors of the economy,
    • IT systems and security,
    • supply-chains, and
    • location.
  • The security measures you decide to implement should be proportionate to your exposure to risk, although your assessment should go beyond the physical security of premises and staff.
  • Internationally, some sectors - transport and energy, for example - have been heavily targeted by militant extremists.
    • There is a significant history of terrorist attacks involving aviation.
    • And, as we saw with the disrupted Heathrow plot last year, al-Qa'ida and their associates have kept coming back at this target, in spite of the ever increasing security precautions.
  • Other sectors haven't previously been targeted, but might be -
    • particularly as security measures introduced in those sectors currently at highest risk, tighten, making it harder for terrorists to mount attacks against them.
      • So it's vital to keep abreast of the latest information provided by the government, and to remain alert to new developments.
  • Most businesses, however, are exposed to some level of risk indirectly through a range of second order effects -
    • the flow-on consequences of a terrorist attack for business continuity,
      • whether caused by damage to critical infrastructure or facilities on which your business activity depends, or
      • by disruption to supply-chains, or
      • by causing significant damage or disruption to your business district.
  • We know global jihadists consider this to be a powerful component of terrorist attacks -
    • as evidenced in Usama bin Laden's attempt, in a statement issued in April 2002, to quantify the direct and indirect financial costs of the September 11 attacks.
      • So it's particularly important to take a broader perspective in your risk management planning, and to ensure you have business continuity plans in place.
  • There is another risk that bears consideration: the risk that your business may be misused by extremists to facilitate terrorism-related activities,
    • through the dimension of dual-use materials that, if falling into the wrong hands, might be used in terrorist attacks; or,
      • by individuals obtaining positions that would allow access to materials and technology that could be exploited by extremist networks.
  • Or there is the risk of companies unwittingly supplying materials or services to extremists through the normal course of business,
    • either because proper systems to manage this risk have not been implemented; or,
      • staff have not sufficiently been made aware of this risk.
  • So it's important you have reporting systems in place, so that your staff are able to report suspicious behaviour, including
    • unusual inquiries or orders, and the theft, or attempted theft, of dual use capabilities, or,
      • of even more prosaic items such as uniforms, identity cards, or official vehicles.
  • While individual companies or agencies are best placed to assess their particular exposure to risk, it is clear that the new security environment has introduced significant uncertainty into risk-related decision making.
  • As such, ASIO has two areas that deal closely with the private sector, the Critical Infrastructure Protection Unit and the Business Liaison Unit, and
    • we also have a protective security area that works on a cost recovery basis with the public and private sectors.
  • Under the Australian Government's national counter-terrorism arrangements, we are responsible for maintaining, in collaboration with State and Territory agencies, a national database of critical infrastructure assets.
  • Our Critical Infrastructure Protection Unit undertakes detailed analysis of Australia's critical infrastructure, working closely with public and private sector owners and operators.
  • It prepares threat assessments for nationally vital assets and business sectors, and disseminates information to a range of stakeholders, including the private sector, to strengthen their capacity to develop risk management strategies.
  • Our other direct link to the private sector is through the Business Liaison Unit (BLU), which was established in late 2005.
  • The BLU liaises directly with business, and operates a website designed specifically for business clients.
  • Registered businesses can use our Business Liaison Unit website to access Business Security Reports designed to provide up-to-date information relevant to security, and
    • inform and assist decision making across a range of business activities.
  • I mentioned earlier that ASIO's security intelligence responsibilities are defined thematically rather than geographically, and we seek to safeguard Australians and Australian interests wherever they might be.
    • This naturally includes the increasingly diversified commercial interests overseas that contribute substantially to Australia's national income and global recognition.
  • To this end ASIO, through the Business Liaison Unit and the National Threat Assessment Centre, is developing a register of Australian commercial interests overseas.
  • This register will allow Australian companies to lodge information of their overseas interests with ASIO.
  • This information, which we will keep securely on a purpose-built database:
    • will inform the preparation of our threat assessments for Australian interests abroad;
      • allowing us to better target our product to meet your interests; and
    • greatly assist the Government's ability to conduct emergency response activities abroad, should the need arise.
  • The register will foster greater security awareness and risk management capability in the private sector, as well as improved connectivity to Australia's national security efforts:
    • particularly as ASIO is often the first government agency to receive emerging threat information,
      • so having details of Australian interests in affected areas will greatly improve our reporting and response capabilities; and
      • will allow companies to have a more complete basis for assessing security-related risks abroad.
  • These are some of the things we're doing to help business acclimatise to the new security environment.
    • I would add, though, that this level of engagement between ASIO and the private sector is still relatively new, and both sides continue to learn about the best way to shape our working relationship.
Conclusion
  • Let me conclude by saying terrorism is likely to remain a significant threat to Australia, and to Australians and Australian interests abroad, for some time to come.
  • It is essential, therefore, that government and business continue to work constructively together to manage the risks it presents, and to strengthen our ability to respond to incidents or attacks, should that need arise.
  • Good risk management calls for frank but also imaginative assessment - of the dangers we confront, and of our own particular vulnerabilities.
    • Good risk management is perpetual, and forms part of an ongoing cycle of assessment, implementation and review, becoming hardwired into the normal decision-making of an organisation or enterprise.
  • I have outlined some of the challenges as I currently see them, and tried to convey a sense of the genuine and deep-seated security issues we face together as a nation.
  • Our challenge is to continue to build and capitalise on our national identity, at home and abroad.
  • In doing so, we will constantly have to make difficult decisions in an environment presently full of imbalances.
  • And in this environment, we see an ongoing role for ASIO in providing advice that will assist you, as risk managers, to inform your boards on the security risks they face.
  • Thank you.