There’s more work to do to get Australian businesses—particularly smaller organisations—fully prepared to risk-manage the spectrum of security threats. Many Australian businesses know that, as evidenced in KPMG’s recently released Global CEO Outlook 2017 for Australia.
CEO responses in the report highlighted ‘geopolitical uncertainty’ as one of the top factors affecting growth, confirming that the current geopolitical landscape is having a significant impact on businesses. While 80% of CEOs rate cybersecurity as a top investment priority, less than half believe they are prepared for a cyber threat.
Australians have become more aware of the threat, but understanding its full spectrum is difficult, particularly given rapid technological changes and uncertain global geopolitics. Further, the government’s longstanding policy of not commenting on many national security issues limits its ability to contribute to the public debate.
Long gone is the belief that Australia is geographically ‘too far away’ from national security threats. The internet exposes us to the world’s cyber threats, and our place in the Western world exposes us to many geopolitical threats. As a result, Australian businesses are rich pickings for those who want to obtain sensitive commercial information, steal cutting-edge intellectual property, or simply launch a destructive political attack (whether in cyberspace or the real world).
The more we can raise collective awareness in Australia about national security threats, the more our society can contribute to security. With the right knowledge, Australian businesses can become key drivers of innovative solutions and shared risk management in the areas of public safety and cyber security. We certainly see this now at the big end of town, but we have vast untapped potential in Australia’s smaller and more agile businesses.
Terrorism has been front and centre in the public mind for a long time, which has driven efforts to improve the Australian counterterrorism system. The recent report on the Lindt Café siege inquest is the latest proof—it highlights many instances of effective counterterrorism arrangements, but it also presses hard with many nuanced recommendations to improve the system and hopefully prevent similar tragedies.
Discussion of cybersecurity challenges intensified with the media coverage of Russian election meddling, #CensusFail, and the leaking of Central Intelligence Agency and National Security Agency cyberweapons. Those events, plus the release of the Australian government’s cybersecurity strategy, have helped increase Australia’s cybersecurity maturity. But there’s more work to do if we want to be prepared for an increasingly sophisticated and complex cyber threat.
What’s needed is more public debate on the new age of covert statecraft we have entered—an age that involves covert political pressure against expatriates living in Australia, subversion of democratic political processes, and damage to Australian businesses for the benefit of foreign industries. Yes, countries have spied on each other since Tribe A became jealous of Tribe B’s pointier spears; but we have entered an era in which international norms are losing their power and many countries are more willing, and able, to meddle without repercussion. The lines between foreign governments and commercial interests are becoming increasingly blurred, as shown by the level and sophistication of intellectual property theft by state-supported attackers.
Growing covert statecraft is a problem affecting many areas of Australian society, but for businesses it means greater risk. There is more uncertainty that rules will be followed: whether business deals can be done in good faith; whether investing in R&D will pay off, or a competitor will simply produce cheap copies in a few months using stolen data; whether businesses can operate without being subject to political coercion; or whether a small company will be patient zero for a widespread and highly destructive cyberattack.
As we’ve seen in counterterrorism and cybersecurity, greater transparency from the Australian government in providing information goes a long way to help businesses properly assess and mitigate commercial risks. A better informed and prepared business community helps protect Australia’s national interests, particularly in relation to the Australian economy and innovation, but also in blocking regional and global threats.
But when it comes to covert statecraft, the type of information we’re asking for is often ‘counterintelligence’ information: details on the intent and capabilities of foreign intelligence services (and their proxies). That is some of the most closely guarded government information due to the effort it takes to collect it, and the repercussions of its release. As a result, many Australian businesses might have only limited insight into the threat posed by covert statecraft. Such businesses have to rely on generalised information gleaned from the ASIO annual report or revealed through attempts by serving or retired government officials to highlight their security concerns.
Many Australian businesses—particularly small businesses—are unlikely to have the access and know-how to fully understand and protect against the current spectrum of national security threats. Both the government and capable private sector organisations (like KPMG) have a role in helping businesses and developing the maturity of the Australian public’s security discussions—not just to protect the business bottom line, but also to defend Australian interests against harm.