Tag Archive for: business

Cyberproofing small and medium businesses—a small step with a big impact

Small businesses are not immune to cybersecurity incidents. In fact, they’re often more vulnerable because they lack the time, resources and sometimes the skills to prepare for and defend against an attack, or to mitigate and remedy any consequences.

That is why ASPI, supported by .au Domain Administration, or auDA, created a tool—.auCheck—to help businesses quickly and easily test the security of their websites. The tool is intended to empower businesses to improve their internet security practices.

There are 2.3 million small businesses in Australia. While not all have an active or extensive online presence, digital transformation prompted by the Covid-19 pandemic has made every business increasingly dependent on the secure use of the internet.

In its latest threat assessment, the Australian Cyber Security Centre reports that small organisations, sole traders, medium-sized businesses, schools and contributors in the supply chain are among the entities most affected by cybercrime and state-sponsored cyber operations. Cybercriminals seek financial gain or sensitive business information and personal data. Even if they are not direct targets, businesses may fall victim due to the spread of ransomware or a data breach.

In the 2020 Australian cybersecurity strategy the government instructs all businesses to take responsibility for securing their products, services and supply chains, and for protecting their customers from known cybersecurity vulnerabilities.

So, how best can a sole trader or a micro or small business—and even some medium enterprises—be empowered to protect their online presence, data, systems and transactions?

The answer lies in the architecture of the internet. Historically, the community of technicians has developed internet standards, most of which include critical security features that find their way into national standards. They are reflected in the Australian government’s Information security manual.

But uptake of standards doesn’t happen automatically. Among other things, it requires public- and private-sector leadership, foresight and ambition, and demand from the market.

That’s why we launched .auCheck, a free tool that allows owners of websites and email domains, users and customers to check if their site and email standards are up to date.

For most smaller businesses, websites and email accounts are their first and often only platforms for interaction with customers, suppliers and resellers. A designer creates the webpage, adds third-party features such as a payment cart and it’s all then managed by a hosting provider. A registrar provides a licence to use a .au domain name and other providers are enlisted for web and mail security or cloud storage services.

Trust and confidence are critical, but how can business owners check that their providers have enabled the most up-to-date settings and follow the latest security advice from the ACSC? This can be quite complicated and time-consuming if the business operators don’t possess technical knowledge and insights.

On .auCheck you can enter a domain name (e.g. website.au or @email.au) to check whether its settings meet recommended standards. You can also check the configuration of your current internet connection. The tests verify the internet records for the domain name and don’t involve any penetration testing (in which attempts are made to find vulnerabilities in a system). These records are public and ensure devices can communicate and that their authenticity can be verified.

The most important standards that .auCheck tests include:

  •   protocols that enable the establishment of encrypted connections
  •   security of regular website applications such as online forms and shopping carts
  •   security of the domain name by checking whether a cryptographic record is available and correctly configured
  •   application of a set of authenticity marks in your email that help against phishing attacks
  •   the use of version 6 of the internet protocol (IPv6) which will accommodate the inclusion of new devices and connections.

The results show users how the website or email domain is performing. Business owners are encouraged to share their .auCheck test report with their IT providers, have a conversation and make an informed decision about the required security features for their online business presence.

As Australians become more familiar with internet security and demand higher standards, Australian internet service providers are more likely to apply .auCheck-recommended standards by default. This will help make the .au and Australian internet ecosystem more secure.

Our .auCheck is part of a global effort to boost the cybersecurity of individuals and small businesses. Similar initiatives have been launched in the UK (WebCheck and MailCheck) and the Netherlands (internet.nl) to improve the security of small business owners’ online presence.

With .auCheck, the Australian internet community can become active (early) adopters of secure internet standards. That’s how we make sure the .au domain remains one of the most secure ways to connect online.

To check the security of your online services, visit aucheck.com.au.

Wine-dumping ‘investigation’ shows Australian businesses must plan for Chinese coercion

Australian companies are getting the point—trade with China is hostage to the actions of the ruling Chinese Communist Party regardless of consumer desires or business partnerships formed over decades. We now need to move beyond handwringing and think clearly about where our trade with China is structurally secure and where it’s subject to the whims of the CCP. The good news is that the maturing Australian debate now has room for this approach.

Following barley, now Australian wine is subject to a Chinese anti-dumping investigation. As usual, Chinese officials are denying that this is because of Australian decisions that are against the CCP’s wishes, but it’s impossible to believe that the actual motive is addressing aggrieved Chinese wine producers facing cheap competition from Australian producers. It’s even harder when you consider that luxury wines like Penfold’s Grange also seem caught up in the investigation.

China’s ambassador to Australia, Cheng Jingye, foreshadowed this back in April when he said, ‘Maybe also the ordinary people will say why should we drink Australian wine or to eat Australian beef?’ Of course, it’s not Chinese consumers clamouring to stop our wine exports. But the ambassador did us a favour by letting Australians know the nature of the regime that is the gatekeeper to China’s economy.

Put bluntly, the Chinese government under Xi Jinping is a coercive outfit that has no qualms about using economic measures and technicalities as tools to punish and pressure those who act against its interests. And Australians will keep doing things that are against the Chinese government’s interests as long as we believe in values and freedoms that Beijing simply does not. Except for chunks of the business and academic community who still harbour ideas that it’s all about the tone of our engagement, Australians already know the problem is one of substance, not tenor. That’s why public trust in China to act responsibly in the world has collapsed from 52% to 23% in just two years.

Our systems of governing and living are too different for this to be otherwise. Hong Kong shows this very practically: could any Australian government stay silent and do nothing while we watch the violent and repressive acts of the new national security apparatus Beijing has imposed on 7.5 million Hongkongers, particularly given our own Hong Kong diaspora and the 100,000 Australian expats living there? If freedom of speech and the rule of law matter, not rule by the whim of those in power, then we will continue to need to protect and advance these values domestically and internationally.

We will also need to continue to deter further aggressive expansion of China’s military reach and presence, whether it’s in the South Pacific, the South China Sea or Southeast Asia. These things are about us and like-minded countries wanting a free and open region and world in which to live.

The areas where we trade and engage more deeply with the Chinese economy must be carefully calibrated as a result. Structural needs, not discretionary ones, are the areas where Australian trade can be more secure from Beijing’s economic hostage-taking. And those structural needs will change over time.

Right now and likely for at least the next decade, the Chinese economy needs the huge volumes of iron ore and energy that Australia supplies, and economies of scale and efficiency mean that we are simply the best-placed supplier.

That’s why BHP, Rio Tinto and Andrew Forrest’s Fortescue Metals Group have not been on the receiving end of punishment from Chinese officials. It was touching to see the rapport with the Chinese consul-general in Melbourne, but neither Forrest nor any of the shareholders in his company should believe that it’s their close friendships with Chinese officials that have made them successful.

As we heard from Taylors Wines, 30 years of partnerships with Chinese colleagues has not helped them avoid being the latest victims of Beijing’s way of operating. When the party calls, the Chinese apparatus answers and friends are left wondering what happened. Protection only comes where Australia has a clear comparative advantage in what we sell and where the Chinese economy has a compelling need that party officials recognise.

This way of assessing the risk in engaging with the Chinese economy is well within the grasp of our government and businesses. It requires an in-depth understanding of the health, directions and needs of the Chinese economy, including how the planned transition from a production- and export-based economy to a consumption- and services-based one is, or is not, occurring. It also requires us to understand Xi’s strategic drive to make the Chinese economy less dependent on others, while ensuring other economies become more dependent on China’s. That’s something we can—and should—avoid through policy, forethought and planning.

An objective assessment of the changing Chinese economy’s needs will include the fact that at some point Chinese demand for iron ore will begin to fall, simply because infrastructure-creation has occurred and the planned shift away from an economy centred on heavy industrial production has made some progress. What’s a structural need now will not be so in coming years. Right now, Chinese policymakers have slowed this shift because stimulus measures that pump-prime this ‘old economy’ are the levers close to hand in the middle of the Covid-19 pandemic. Revenue is flowing to Australia as a result.

While ‘at least a decade’ sounds reassuring, it’s not. The timescale means planning is necessary now, as our big energy and resource companies have long lead times to change their operations and markets.

Despite much of the public debate and the massive disruption the pandemic has caused, higher education—another area where China’s ambassador has threatened a consumer boycott—probably also has at least some structural security in engaging with China.

That’s because Australian universities have the capability to produce high-quality skilled workers and do world-leading research. The Chinese economy can’t get enough of either and that need is likely to endure. Of course, there are strings attached when that research is turned to the advantage of China’s military or internal security apparatus, and when fear of reprisal limits freedom of expression on campus. Again, new business plans are required to assess the structural need and to then plan for how it can be met while protecting the integrity and quality of education and research in our universities.

In most other areas of trade, the Chinese government can inflict economic pain on Australian companies and sectors, and those that are overexposed to the Chinese market will feel this the most.

This is an absolutely foreseeable business risk, so it’s one that companies, industries and the government agencies that work with them must understand and factor into their plans. That’s happening with wine even now, and the industry has also sounded a note of confidence about the quality and appeal of the wine we produce. That self-confidence is well placed and not just when it comes to wine.

Just as climate change and cybersecurity risks took a while but have now made their way into the planning frameworks of many Australian and global corporations at board level, this coercive risk from the Chinese state can now become a normalised business planning factor. CEOs and directors who fail to adequately plan for this risk will have audit committees and shareholders wanting to know why duties may not have been adequately discharged. In contrast, those who do take this risk into account will be rewarded by shareholders.

I’m optimistic that Australia has come out of the reflexive crouch that occurred whenever the Chinese government made noises about punishing Australia for doing what we must.

The pandemic is inflicting more pain than any amount of Chinese economic coercion, even in sectors that are at the most risk from Beijing’s actions.

Our public debate is maturing. We have largely stopped acting like victims of violence who blame themselves, not the perpetrator, and we’ve started to make plans that consider both our security and our economy in light of the situation we’re living in. Prime Minister Scott Morrison’s recent speech to the Aspen Security Forum shows that. The maturing understanding in Australia’s business world is moving in the same direction. Further naked coercion from Beijing will only deepen this trend.

Covid-19 could be a game-changer for Australia’s tech sector

If there’s a silver lining in the dark cloud of Covid-19, it’s that previous business-as-usual practices cannot continue after the crisis is over. Not only must changes in personal and social behaviour remain, but changes in how businesses and governments approach national economic security must also remain.

This pandemic has clearly demonstrated that national security isn’t limited to military capabilities. It includes our sovereign capacity to independently meet our needs for day-to-day survival—from food production to energy and critical national infrastructure.

Our dependence on global supply chains for essential manufactured, processed and value-added products—such as pharmaceuticals, oil and energy supplies, equipment used in healthcare and other essential services, and commercial high-tech equipment and software—can also threaten our national security.

Globalisation, with economically interconnected nations attempting to engage in free trade, has led to increased specialisation, which has left many countries dependent on a few for the manufactured goods and technology required for their economies and their security.

Australia is such a country. Our dependencies expose us to security threats. When facing a crisis (national, international or global), we can expect trading partners to supply themselves first. Australia will then have to compete with the rest of the world for what’s left over.

The current situation is akin to the Wild West—everyone for themselves. The pandemic has highlighted common human failings. We’ve seen crucial supplies of protective masks hijacked en route and sold to the highest bidder, and shortages of medical-grade sanitisation products and other medical supplies such as ventilators. Australia has even experienced threats of trade boycotts by China through its ambassador because we want to understand what caused this pandemic so that we can help prevent the next one.

In this life or death battle, normal protocols of international law and contracts simply don’t apply. As a nation we’ve had a wake-up call. We have realised that when this level of trouble strikes, we must fend for ourselves and do what we can to get through it, and to ensure that our economy survives.

Australians have always been innovative, inventing and developing world-class technologies in industries such as defence, medicine and information technology. Australians developed wi-fi, Google Maps, the cochlear implant, the black box flight recorder, spray-on skin for treating burn victims, over-the-horizon radar and the electronic pacemaker. We were the first to develop and use robotics in mining and have a world’s best biotechnology company, CSL Limited.

We must not rest on our laurels. Australia must recognise that business as usual is risky business. The government, as part of a post-Covid rebuilding process, has established a taskforce to look at manufacturing sectors and how we can protect our national security by reviving specific capabilities.

We must not stop there. Australia must have policies to encourage a vibrant post-Covid-19 technology sector. We must act like the ‘smart country’ we believe we are. That requires leadership and action rather than words.

As chair of an Australian cybersecurity company with a global presence and government and enterprise customers in more than 40 countries, I’m obviously keen to see the Australian technology sector accelerate. But that will require policies that nurture these companies and their skills by supporting their commercialisation and access to financial and human resources.

The capability to produce sovereign technology is essential to national security, be it in health, defence, energy, cybersecurity, IT systems, robotics and artificial intelligence, or any other field.

A strong, robust and successful technology sector is critical to Australia’s future economic prosperity in a world that’s constantly being changed by new and emerging technologies. To be at the forefront of economic recovery, we must also have a united commitment among the federal, state and territory governments.

This is not about governments picking individual winners. It’s about creating the right policy environment to give the private sector the confidence to invest in and develop technologies of the future.

Australia’s IT industry has suffered from many conflicts over the past two decades, including a lack of clear government policies, partisan politics, a lack of government commitment to the sector (such as a ‘buy Australian first’ policy), and confusion about changing policies on taxation of and grants for research and development.

Most important will be a coherent policy to ensure effective student education in science, technology, engineering and maths and enough IT graduates. Too few software developers are graduating from our tertiary institutions to meet industries’ demands. Confusion and lack of policy commitment have resulted in a severe technology brain drain.

Covid-19 has shown how closely linked Australia’s economy and national security are to our technological capabilities, and we must learn from those lessons. The solution isn’t difficult, but it’s not attainable without resolute commitment.

Governments at all levels need to step up and not squander this opportunity. They must set bipartisan policies and gather support for them. Technology industries must provide leadership and engage with governments. Together, the focus must be on developing the optimal policies to create a thriving technology sector to boost economic growth and support our national security.

Chinese investment—risky business?

Former US president Barack Obama characterised the message in American Factory, a new documentary produced by his company Higher Ground Productions, as a way to find common ground and move forward together.

American Factory chronicles the purchase of a closed General Motors plant in Dayton, Ohio, by a Chinese billionaire who reopens the factory and employs 2,000 Americans in the process. It has been broadly well received. One film critic concluded that the ‘film is a reminder that capitalism is always double-edged’.

However, the film carries another, more subtle double-edged message—about national security. This example can spark discussion about the risk that foreign investment from China potentially poses.

Despite the American example, this risk is not limited to the US, which has engaged international partners, including Australia, New Zealand and Japan, to cooperate on countering Chinese influence operations and certain types of investments.

Most foreign direct investment is legitimate and good for the economy. Indeed, Fuyao’s automotive glass factory, featured in American Factory, has been clearly beneficial in revitalising Dayton’s industrial sector.

Despite the clear benefits, however, the facts show that policymakers must approach any economic engagement well-informed and clear-eyed.

Intelligence and law enforcement leaders cite China as a significant national security threat; FBI Director Christopher Wray has claimed that China poses a more serious counterintelligence threat than any other country, including Russia.

Wray is not alone on this. John Demers, assistant attorney-general for national security at the Department of Justice, called China’s espionage campaign, ‘persistent, sophisticated, well-resourced, patient, and broad in scope’, and former CIA director and retired army general David Petraeus said experts assess the top security threat facing the US as ‘all China, all the time’.

This is not unfounded. Economic espionage, in particular, has a high cost. It costs the American economy, for instance, billions of dollars annually. Other critical intelligence threats cut across influence operations, critical infrastructure, supply chains and traditional espionage.

China is accelerating these espionage efforts, targeting businesses and industry, in an effort that has been described as a key part of the nation’s growing power.

In addition to technological and cyber espionage, China’s security services still rely on traditional human intelligence operations and forging interpersonal connections. Anyone in any industry is a potential recruitment target.

Indeed, Wray has told the US Senate that the FBI has over 1,000 cases involving economic espionage and attempted intellectual property theft, nearly all with ties to China.

All countries must be aware of this threat. But as American Factory shows, honest and mutually beneficial foreign investment is of crucial interest. So what are governments doing to ensure risk is low, and what options do they have?

There are structures in place in some countries to minimise risk, such as the Committee on Foreign Investment in the United States, which reviews transactions to prevent control of a US business by a foreign person.

The committee’s efforts are having some impact. New investments from China in 2018 reportedly fell 95%, primarily in the technology sector, as compared to 2016, in part due to enhanced scrutiny of these transactions.

Programs such as the US’s National Counterintelligence and Security Center’s ‘Know the risk, raise your shield’ provide resources to the private sector, including tips to help businesses better understand threats and how to protect themselves. Initiatives like this should be expanded across industry as a routine part of all businesses’ engagement with foreign entities.

State and local governments also have a key role in ensuring foreign investment doesn’t pose a risk to national security. Developing processes at the local level and scrutinising investments in regional economies through a mechanism similar to the US foreign investment committee could be a valuable option.

More generally, policymakers and businesses must examine investment through a national security lens, and every investment should be properly scrutinised.

Along with these examples, Australia’s new national security laws banning foreign interference are also instructive for governments in the Asia–Pacific region. In fact, other countries are taking note of Australia’s ‘new transparency scheme’.

This may become even more relevant as China shifts investment to Asia as a result of the US–China trade war.

American Factory shows that the benefits of these projects can be valuable for communities, but only with this kind of scrutiny can governments accept Chinese direct investment and be sure they aren’t risking their security. A transparent and fair scrutiny process will allow states to comfortably accept Chinese investment while ensuring it is truly to the benefit of all.

Australia’s strategy for protecting crowded places: will it work?

On Sunday 20 August as the world was coming to grips with the Barcelona terror attacks, Prime Minister Malcolm Turnbull unveiled Australia’s first national strategy for protecting crowded places from terrorism. According to the PM, the aim of the strategy, which was apparently developed in consultation with the business community and local councils, is to empower owners and operators of ‘crowded places’ to assess the vulnerability of their locations to terrorists who use ‘basic weapons’ such as vehicles, knives and firearms. The need for such an assessment stems from the government’s expectation that terrorism will remain an enduring threat.

One thing that becomes clear when reading the strategy is how loose the language is, which undermines its usefulness. This begins with the government’s broad definition of ‘crowded places’ as ‘locations which are easily accessible by large numbers of people on a predictable basis’. The strategy makes it clear that the term encompasses both indoor facilities and open spaces, such as parks and pedestrian malls, that tend to be crowded at specific times of the day or night. Under that definition, just about any location could be a ‘crowded place’, and it’s unclear what exactly the government expects the owners and operators of those places to do to ‘protect’ them.

Rather worryingly, the strategy declares, ‘Owners and operators have a responsibility to undertake a risk assessment and/or vulnerability analysis of their crowded place, implement the appropriate mitigations, monitor them for effectiveness (including through audits), and review them at appropriate junctures’ (emphasis added). An immediate question is whether that responsibility is equated with liability: what would happen to a business that didn’t take ‘appropriate’ measures? Business owners and operators are also required to ‘raise awareness of possible security threats among their staff and patrons’. Could a business be held legally responsible for failing to raise awareness? And how are businesses to determine what a heightened level of awareness might entail, and whether it’s useful if it doesn’t include staff training?

The strategy also declares that ‘in many cases, owners and operators will be required to seek further advice from private security professionals’. Such obligations could require a business to spend thousands of dollars consulting with a security company and then pay even more to install whatever preventive measures are recommended. The strategy has a single paragraph on cost, which it links to proportionality. The language used in that section alone is woefully inadequate. It’s littered with conflicting messages, such as noting that security measures can be resource-intensive and costly if not properly managed, while emphasising a need to turn to ‘expert specialist advice’ which is expensive. The government’s advice on how to mitigate cost is to ‘prioritise the highest risk areas of a crowded place’ and make sure that security ‘is incorporated into the design phase of a crowded place’—but, given the loose definition of ‘crowded place’, that could be a one-off sporting event.

In the aftermath of Barcelona, there have been calls for the erection of more bollards to prevent future vehicle-borne terrorist attacks. Such a reaction is understandable, but it may not be practicable. First, we need to decide what we want our cities to represent. The construction of bollards could be seen as another small victory for the other side, because it means we’re adjusting our way of life to address the threats posed by jihadists. Second, installing bollards isn’t cheap. And it often requires redirection of traffic and affects businesses by adding to delivery costs, not to mention making it hard for emergency services to get through when a crisis occurs. Finally, we are surrounded by soft targets and our lives revolve around cars.

Even if we cordon off popular tourist areas or other crowded places, which in major cities are numerous, one must wonder whether that’s likely to actually stop a terror attack, as those who wish to cause us harm may simply change their modus operandi. Terrorists are good at adapting. If they can’t use explosives, they’ll use vehicles, and if that’s not possible they’ll use knives (which they are increasingly using, as seen in Finland and outside Buckingham Palace). This is because the goal of all terrorists is to create fear and widespread panic.

The change in tactics is in part because governments have taken concrete measures to respond to explosive-based or vehicle-borne attacks. From the terrorists’ side, vehicles and knives are a sure-fire way to extract maximum fear because they know that there’s no way that governments can ban the use of cars or knives. They’re also attractive to a group like Islamic State because they’re low-tech: an individual needs no training to use a vehicle or a knife.

The strategy is too thin on detail to be a useful tool. It places a great deal of responsibility on the business community, but it doesn’t explain what help will be given to businesses beyond encouraging them to interact with the Business Advisory Group and ASIO’s Business and Government Liaison Unit.

In reacting to terrorism in the 21st century, it’s imperative that policymakers recognise that their role is not to heighten the sense of insecurity that tends to become pervasive in the wake of a terror attack. To do so only feeds into the terrorists’ dystopic goals. Policymakers must encourage resilience on the part of the public, and not only in ‘crowded places’. They also must recognise that the most effective way to respond to terror attacks is by continuing to address the root causes of political violence, which are often linked to discrimination and a sense of alienation, as well as the corruption of ideas.

Australian businesses will need help if we want them to contribute more to national security

There’s more work to do to get Australian businesses—particularly smaller organisations—fully prepared to risk-manage the spectrum of security threats. Many Australian businesses know that, as evidenced in KPMG’s recently released Global CEO Outlook 2017 for Australia.

CEO responses in the report highlighted ‘geopolitical uncertainty’ as one of the top factors affecting growth, confirming that the current geopolitical landscape is having a significant impact on businesses. While 80% of CEOs rate cybersecurity as a top investment priority, less than half believe they are prepared for a cyber threat.

Australians have become more aware of the threat, but understanding its full spectrum is difficult, particularly given rapid technological changes and uncertain global geopolitics. Further, the government’s longstanding policy of not commenting on many national security issues limits its ability to contribute to the public debate.

Long gone is the belief that Australia is geographically ‘too far away’ from national security threats. The internet exposes us to the world’s cyber threats, and our place in the Western world exposes us to many geopolitical threats. As a result, Australian businesses are rich pickings for those who want to obtain sensitive commercial information, steal cutting-edge intellectual property, or simply launch a destructive political attack (whether in cyberspace or the real world).

The more we can raise collective awareness in Australia about national security threats, the more our society can contribute to security. With the right knowledge, Australian businesses can become key drivers of innovative solutions and shared risk management in the areas of public safety and cybersecurity. We certainly see this now at the big end of town, but we have vast untapped potential in Australia’s smaller and more agile businesses.

Terrorism has been front and centre in the public mind for a long time, which has driven efforts to improve the Australian counterterrorism system. The recent report on the Lindt Café siege inquest is the latest proof—it highlights many instances of effective counterterrorism arrangements, but it also presses hard with many nuanced recommendations to improve the system and hopefully prevent similar tragedies.

Discussion of cybersecurity challenges intensified with the media coverage of Russian election meddling, #CensusFail, and the leaking of Central Intelligence Agency and National Security Agency cyberweapons. Those events, plus the release of the Australian government’s cybersecurity strategy, have helped increase Australia’s cybersecurity maturity. But there’s more work to do if we want to be prepared for an increasingly sophisticated and complex cyber threat.

What’s needed is more public debate on the new age of covert statecraft we have entered—an age that involves covert political pressure against expatriates living in Australia, subversion of democratic political processes, and damage to Australian businesses for the benefit of foreign industries. Yes, countries have spied on each other since Tribe A became jealous of Tribe B’s pointier spears; but we have entered an era in which international norms are losing their power and many countries are more willing, and able, to meddle without repercussion. The lines between foreign governments and commercial interests are becoming increasingly blurred, as shown by the level and sophistication of intellectual property theft by state-supported attackers.

Growing covert statecraft is a problem affecting many areas of Australian society, but for businesses it means greater risk. There is more uncertainty about whether rules will be followed: whether business deals can be done in good faith; whether investing in R&D will pay off, or a competitor will simply produce cheap copies in a few months using stolen data; whether businesses can operate without being subject to political coercion; or whether a small company will be patient zero for a widespread and highly destructive cyberattack.

As we’ve seen in counterterrorism and cybersecurity, greater transparency from the Australian government in providing information goes a long way to help businesses properly assess and mitigate commercial risks. A better informed and prepared business community helps protect Australia’s national interests, particularly in relation to the Australian economy and innovation, but also in blocking regional and global threats.

But when it comes to covert statecraft, the type of information we’re asking for is often ‘counterintelligence’ information: details on the intent and capabilities of foreign intelligence services (and their proxies). That is some of the most closely guarded government information due to the effort it takes to collect it, and the repercussions of its release. As a result, many Australian businesses might have only limited insight into the threat posed by covert statecraft. Such businesses have to rely on generalised information gleaned from the ASIO annual report or revealed through attempts by serving or retired government officials to highlight their security concerns.

Many Australian businesses—particularly small businesses—are unlikely to have the access and know-how to fully understand and protect against the current spectrum of national security threats. Both the government and capable private sector organisations (like KPMG) have a role in helping businesses and developing the maturity of the Australian public’s security discussions—not just to protect the business bottom line, but also to defend Australian interests against harm.