Director-General's speech at Security in Government Conference

I am honoured to be called upon to address such an august public service gathering on a subject that receives too little attention in the day-to-day running of national affairs.

If nothing else, I hope this Conference on Security in Government will assist you to understand the rapidly changing security threat environment in which we conduct the nation’s business; to understand the nature of the threats and your role as SES managers of security risks.

My first point is that security awareness, sound security practices and appropriate security prohphylaxis are not simply the preserve of the traditionally sensitive areas of Government: foreign affairs, defence, border integrity or Australian Government negotiating strategies or leadership intentions. Security threats cover many other aspects: our critical infrastructure such as the resources, financial, communications, transport and energy sectors. They cover the integrity of our national systems, the protection of our intellectual property, the commercial wellbeing of enterprises that contribute to our national wealth, our research and development effort; indeed even the integrity of our system of democracy – and of our fellow public servants. And ultimately, of course, it covers the safety and welfare of our citizens.

No SES officer can escape the need to consider his or her day-to-day work in the absence of considerations of the need to protect vital information from getting into the wrong hands, of the need to protect the privacy of our fellow Australians.

For us in ASIO, the rapidly changing character of security threats has forced us to adapt to a range of new challenges, stemming in particular from several key phenomena:

• The processes of globalization that causes threats to cross national boundaries more rapidly and more easily than ever before; uncontrolled people movements, disease, the insidiousness of the anonymous cyber hacker, and so on;
• The explosion of technological advances that increase the range of possibilities available to those who might threaten our security; precision weapons of warfare, new techniques of espionage, particularly in the cyber realm, etc.;
• The continuing traditional threats posed by nation states in a world still trying to find its strategic balances after the end of the Cold War are now having to share the international stage with the growing incidence of threats posed by non-state actors; jihadist terrorism is the most obvious example but which also includes a host of private individuals determined to create havoc with our increasing dependence on the cyber world in the conduct of national and international affairs.

ASIO’s ROLE

ASIO performs a number of precisely defined security intelligence functions, as stipulated in the ASIO Act (1979). We have responsibilities for protecting the nation against sabotage, covert foreign influence, threats to our defence capabilities and politically motivated violence; this latter translating these days in efforts to prevent acts of terrorism, both at home and overseas.

TERRORISM

A very substantial part of ASIO’s operational effort goes into protecting ourselves against terrorism, both at home and overseas. I should not need to remind you that the threat from extremist Islamic jihadist terrorism remains both very real and persistent. Over 100 Australians have died in terrorist attacks since 2002. Australia remains a proclaimed terrorist target of al-Qaida and a number of mass casualty terrorist attacks on Australian territory have been prevented in recent years.

ESPIONAGE

Meanwhile, espionage against Australian interests remains alive and well. The film and print media have long glamorized the intelligence business. While the Great Games played out in print by John Buchan and Rudyard Kipling have subsequently been replaced by Le Carre, Fleming and their like, the business of espionage goes on. It has survived the Cold War and it is as alive today as it was when the Berlin Wall still stood grey and foreboding. It is directed not simply at our defence and foreign affairs sensitivities but far more broadly, at our commercial interests, our intellectual property, our resources and our trade policies.

The covert acquisition of secret information traditionally relied upon convincing someone with access to that information to hand it across. This is roughly what we call HUMINT. The reasons why some people are willing to betray the trust of their Governments and provide intelligence to foreign spies may be ideological, financial or psychological. It is ASIO’s job to try to detect, prevent or disrupt such betrayals of trust.

Foreign espionage services seeking out persons willing to betray that trust do not focus solely on Defence, Foreign Affairs or the Australian Intelligence Community. They may be found in the most unlikely of Government departments harbouring information that the Government would prefer remain confidential.

CYBER ESPIONAGE

Electronic intelligence gathering is now a huge industry. It is being used against Australia on a massive scale to extract confidential information from Governments, the private sector and ordinary individuals. It is used to steal intellectual property, all kinds of defence secrets, weapons designs and commercially advantageous information from both the public and private sectors. The security threat presented by the exploitation of the technology of the cyber world is both pervasive and insidious. It is ubiquitous and feeds off – and is enabled by – what we would normally expect to be a great social and economic good - technological advance and our dependence upon it. It involves the technology of the innocent as well as the guilty and geography and distance are no barriers to effectiveness. Worse, our own territory can be used to surreptitiously penetrate the cyber defences of our friends and allies.

We are talking about a phenomenon that threatens both national security as well as the security, privacy and even the well being of our ordinary citizens. In recent months there have been many well-publicised hacking attacks on major private sector as well as government institutions around the world. The ability of the private sector and governments to protect the privacy and the personal information of their customers and clients, in accordance with modern privacy laws is called into question by the apparent ease with which hackers have been able to break into data banks around the world. Financial institutions have been particular targets, but any one with intellectual property to protect seems fair game.

From our perspective, I can say that it seems the more rocks we turn over in cyber space, the more we find. The traditional practice of espionage has found a new way too harness the quite incredible reach and presence of computer technology; this is not totally unexpected. It is perhaps axiomatic that the extraordinarily democratic institution of the internet should prove also to be a ‘two-edged sword’, with implications not simply for commerce and trade, social interaction and privacy, but also for modern national defence efforts. Our experience leads us to expect that those whose business it is to steal our secrets and interfere will always be looking for innovative ways to practice their craft, and cyber space allows them yet another avenue to work. This is what they do.

But I think it is the scale and reach that is a little surprising: in many ways, we are looking at an iceberg, the tip of which is visible to us and it is a matter of conjecture at this point how big and far reaching the body of the problem is going to be. Moreover, we have now seen many instances where cyber attack can disrupt or bring down the delivery of services. What we can see right now, both in regard to the emerging threat and the medium through which it affects our national well being, is sobering enough. The internet itself presents particular difficulties for those working on national security. Its sheer unregulated, disorganised and multi-faceted size presents enormous challenges in detection of nefarious activity and prevention. It was, for example, developed to share data between ‘trusted’ computers and networks. It was never developed with security in mind; we have to bolt that on.

All this means that the Internet and increased connectivity has expanded infinitely the opportunities for the covert acquisition of information by state-sponsored and non-state sponsored actors. The fact is that today we continue to see attempts to steal the nation’s secrets through cyber space, as well as information vital to the effective operation of critical national industries and infrastructure, not to mention commercial intelligence and criminal fraud.

So my key message here today is that cyber espionage has emerged as a particularly serious and widespread concern – and one that I predict will continue to gain prominence due to the ongoing digitisation of data and increasing reliance on technology in commercial, governmental and military business. It will impact not only on traditional national security arenas, but all aspects of Government work.

THE RESPONSE

So how do we respond to all of this? Certainly we need to be spreading the message of the threat. But with all the publicity surrounding cyber and cyber security, I still worry that the message to protect yourself – to do something – is not hitting home out there.

Second, we all need to ensure our IT hygiene is in order to help guard against cyber intrusion to our networks and data. In the course of this conference, I expect you will become familiar with the excellent list of must-do defensive measures advocated by DSD for good IT hygiene.

The Australian Government has devoted considerable effort to redressing the situation, and to assisting the broader community to improve its security stance. Three agencies are worth expanding upon as they demonstrate the direction the Australian Government is taking.

Firstly, the Computer Emergency Response Team (CERT) Australia – which sits within the Attorney-General’s portfolio and is responsible for working with the private sector in identifying computer systems important to the national interest and providing these with information and advice to assist in protecting them from cyber threats. It also assists in developing national e-security policy. And CERT Australia is a source of information for Australian society and, in this sense, works, primarily, in the unclassified space.

Meanwhile, the Cyber Security Operations Centre (CSOC) is located within the Defence Signals Directorate and has two main roles. It provides the Australian Government with an understanding of cyber threats and, secondly, working with relevant agencies, coordinates operational responses to cyber incidents of national security importance. The CSOC is a multi-agency body and ASIO has a presence within it.

For its part, ASIO has set up a new Cyber Security Unit that works closely with CERT and CSOC. Under our counter-espionage mandate, we engage broadly within government and with our overseas partners, but, we also talk with the private sector- not just to collect information, but to assist the Australian Government’s effort to help industry come to grips with security.

ASIO also has a Business Liaison Unit which is working to provide information to the private sector through its website, briefings and fora. ASIO also engages with companies associated with Australia’s critical infrastructure.

ASIO also has a work area which is focused on investigating and analysing cyber espionage – and this too engages with the private sector when necessary.

We know that despite the efforts to date, there is quite a way to go. And part of that way involves much greater collaboration between the government and private sector –

• Software and hardware suppliers and developers
• IT service providers, including the telecommunications sector
• Key IT consumers and key holders of data on IT systems
• Cloud computing providers.

I will finish my remarks at this point. Hopefully you have a sense of the challenge we all face from threats operating through cyber space and what we can do to mitigate those challenges.