"Threats to Australia's Security"
The Australian Industry Group
Melbourne, February 19, 2003

Review by Vernon Stagg
March 20, 2003


In February 2003 the Australian Industry Group ran a conference on the "Threats to Australia's Security" across three states. (This review, and associated web links are available from my website www.infowar.com.au) Ivan James, Chairman of the AiGroup provided the introduction and chaired the conference. He discussed the changing environment that businesses face, and warned not to become desensitised to the risks they face.


Daryl Williams, the Australian Attorney General was unfortunately unable to attend but provided a pre-recorded address to delegates. He discussed the heightened level of alert in Australia since September 11, and the fact we can't ignore terrorism or hope it will just go away. He outlined the Australian Government's commitment to strengthen security along with the public campaign to raise awareness. The support, advice, expertise and resources of businesses and the private sector was recognised, as well as the difficulties involved in cooperation between these various entities with government. Efforts in protection of national economic infrastructure, and the model of critical infrastructure assurance developed from the Business Government Task Force recommendations, and the forthcoming critical infrastructure protection summit in April were detailed. In describing the physical security and response measures provided by State and Territory services, he reinforced the need to be cautious and prepared. In recognition of the threats to IT infrastructure he cited the recent DDOS attack on the Internet root servers. The need to secure data, and provide esecurity will be strengthened with the recent AGD/AusCERT scheme to report on attacks. He closed with a description of the recent Cybercrime act and enhanced electronic investigative powers provided to law enforcement, claiming "protection of national security and critical infrastructure is now important than ever. Protect the future".

Dennis Richardson, Director General of the Australian Security Intelligence Organisation, began with a background on ASIO covering its role and powers. Highlighting the changes that terrorism has caused, he pointed out that pre-Sept 11 there was little public knowledge of Usama Bin Laden or Al Qaeda. He went on to discuss a number of terrorist incidents from the mid-90's to 2001 showing that terrorism is not a new issue. He discussed how post-Sept 11 Australia has become a legitimate terrorist target and that the threat levels to various elements of critical infrastructure and chemical, biological, and nuclear facilities have been raised. In discussing the need to apply appropriate security to each sector he indicated the need to determine whether you are part of the national or critical infrastructure, are your products of a security related concern (e.g. fertiliser), does your company have an overseas presence, and do your business continuity plans consider collateral damage.

Clive Williams, Director of Terrorism Studies at the Australian National University outlined various threats to Australia's security environment. Beginning with internal threats he examined

next he looked at external threats, including He then followed with industrial espionage and the various tools and techniques used, including the threats from temporary staff, cleaning staff (uninhibited access), and the increasing use of electronic communications. Finally he looked at terrorism and politically motivated violence and the high number of businesses affected by terrorism. He pointed out businesses need to be aware of their associations and determine whether they are targets. He also indicated that the perceived threat can be quite different to the actual threat, and that litigation poses a large risk to corporate assets.

Bruce Esplin, Chairman of the Victorian State Emergency Management Committee began by outlining the relationship between the States, Territory's, and the Commonwealth, and how State/Territory services would be first responders to an incident. There is a need to recognise the environmental and economic health of the States, and that each State is different and it will be difficult to develop a National strategy. Looking at the developments in counter-terrorism, he noted the improved cooperation and sharing between States, as well as the need to manage both the crisis and the consequences. Crisis will be primarily addressed by police and military, whilst consequences deal with emergency management arrangements, public health systems, national anti-terrorist plans, and an enhanced counter-terrorism capacity. He stressed that while public safety is a core responsibility of government, emergency management is a political activity, noting that communities hold government responsible and that communications with the community are critical in the judgement of success or failure. Following a list of emergency management issues, he listed the balances that need to be maintained, being

He looked at the Victorian efforts in protection of critical infrastructure and how the Victorian Police play a role and are assisting in audit and valuation, that a register of critical infrastructure is being developed (over 600 items), and how the Emergency Committee are working with operators and regulating departments in risk assessment. Victoria has a well developed emergency management arrangement, a whole of government approach, well coordinated, multi-agency response and recovery capabilities. [A question raised after this presentation highlighted the benefits of Standards Australia and the risk management (4360) and information security (17799) documents they provide, and forthcoming documents on business continuity planning.

Diane Sisely, CEO of Equal Opportunity Commission considered how workplace discrimination had risen since Sept-11, especially in racial and religious reports/incidents. Citing a number of statistics on these rises, she indicated that Arab people were facing a number of verbal and physical assaults and vilification. The notion of Islamophobia was raised, following from a Macquarie University report on widespread antagonism towards Muslims. Considering the risks to business from such discrimination, she highlighted the following issues

Considering overseas trading and international partners, she expressed the need for clear, insightful leadership on these issues, the ability to deal with systemic issues (be proactive), and complying with regulations and laws.

Ken Thompson, Project Director of the Critical Infrastructure Review Group (NSW) like many of the other speakers highlighted the change in the environment. He discussed the development of the National Principles Security Notification Model for Critical Infrastructure that is being adopted nationally. Examining the various levels, he outlined the practical measures required for medium to long term plans, including

Discussing the NSW initiative to develop the model, he outlined the need to establish context, develop risk criteria then identify, analyse, assess, and treat the risks. The model is aimed at providing the minimum security considerations and a risk analysis based on the 4360 Standard.

Geoffrey Ross, Managing Director of Securenet Limited said businesses need to recognise the new risks that have emerged, especially in an online environment. He stated how the number, frequency and targeting of attacks is increasing and how the Internet has changed security needs. With risks being cumulative, systems that are connected to the Internet are at risk. Pointing out that whilst security is expensive, businesses should see security as an enabler and aim at achieving a security return-on-investment. He finished by stating make security a serious issue in your business.

Bruce Gordon, Director of Marsh Pty Ltd provided an insurance perspective on the risks faced. He examined a breakdown of costs from the World Trade Centre collapse, and how Sept-11 has changed perspective on insurance. He explained the need to redefine credible/possible hazards, how the definition of "credible" has changed, and how exposure is no longer capable of specific measurement. Policies now have certain terrorism exclusions on liabilities, and various changes have occurred to the Australian reinsurance pool corporate structure. In regards to certain terrorism exclusions, he identified

Julia Selby, Executive General Manager of Austrade and Slater Smith, General Manager of the Export Finance and Insurance Corporation gave a shared presentation on implications for companies in developing and maintaining offshore markets. Examining offshore and overseas markets it was pointed out that business is still occurring overseas, and there are many opportunities available. Company's can maintain contact with overseas clients and customers through physical interaction, representatives, email, and video conferencing. It is important to maintain these relationships during good and bad times, and also to remain aware of a country's status. People were reminded that economic problems existed pre Sept-11, that they can't just blame terrorists or terrorist incidents for world risks, and that terrorism and war threats are only marginally holding back projects and the world economy. The need to look for risks was detailed through a number of examples such as how the Asian financial crisis affected the Italian clothing manufacturers which in turn affected Australian wool growers.

Robert McNaught, Director of Control Risks Group finished the conference off with a look at how to protect employees overseas. In considering the heightened risks of political and popular violence, organisations should have effective

Some of the implications if unprepared can include injury or loss of life, business interruption, damaged reputation, or financial loss. He indicated that businesses have an obligation under law ("duty of care") to their employees and should