By: Claude Khoury
As we reach the halfway mark of 2018 there is an unprecedented threat of espionage in Australia that has the potential to cause long-term damage. This has been a hot topic in parliament in recent weeks and an ongoing issue that is discussed throughout the risk management industry. A recent speech made by MP Mr Andrew Hastie, who chairs the Parliamentary Joint Committee on Intelligence and Security (PJCIS) revealed allegations of a Chinese-Australian businessman that allegedly conspired to bribe the United Nations president to attend a conference in China. Many criticised Mr Hastie for this speech though the issue runs far deeper and is part of a mounting concern relating to foreign interference and the increased threat of espionage in modern Australia.
Yesterday, Mr Hastie reiterated that the current laws are inadequate to deal with the threats we are now facing stating that, “Unchecked, espionage has the potential to significantly reduce Australia’s long-term security and foreign interference could undermine our democracy and threaten the rights and freedoms of our people”. It is now evident and has been for some time, especially in the eyes of the Australian intelligence agencies, that tougher espionage and foreign interference legislation is required.
Drafting and amendments are still ongoing for the National Security Legislation Amendment (Espionage and Foreign Interference) Bill 2017. This bill requires bipartisan support in order to pass and has recently received further recommendations. The committees latest report recommends that the Bill must be clear and unambiguous in its terms, proportional and appropriately targeted to the threat, and of course, enforceable. The Bill will introduce a new range of offences into the Criminal Code in relation to espionage, foreign interference, theft of trade secrets, sabotage, and secrecy of Commonwealth information.
The new laws will seek to provide law enforcement and prosecutors with new tools that will allow them to respond to the theft of trade secrets on behalf of foreign state actors. This economic espionage has been present for some time, especially in the private sector.
The reported cost of corporate espionage in Australia alone amounts to over $5 Billion per annum (AON, 2018). Worldwide this figure rises to over $600 Billion per annum (CSIS, 2018) and is forecast to exceed $8 Trillion (Juniper Research, 2017) by 2022. Of particular note is the fact that these ﬁgures are based only on reported incidents.
The Counter Intelligence Community has long understood these ﬁgures to be woefully underestimated. The reality is the vast majority of corporate espionage attacks go unreported due to the fear of the reputational and ﬁnancial damage that can result. The Ofﬁce of the Australian Information Commissioner (OAIC) recently introduced new laws which will signiﬁcantly change this trend. “As of the 22nd of February 2018, the Notiﬁable Data Breaches Scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) is now enacted. This scheme has established requirements for entities in responding to all data breaches. The Australian Information Commissioner (Commissioner) must also be notiﬁed of eligible data breaches. The maximum ﬁne that the OAIC can issue is $2.1 million to businesses or $420,000 to individuals.” (OAIC)
Economic espionage can negatively impact on the economic health of the Australian economy. Foreign powers that have persons working on their behalf can, for example, obtain trade secrets and skip years of research and development jumping years ahead in capabilities at a fraction of the cost of what Australia or a company may have spent to reach that stage.
After the Notifiable Data Breach Scheme came into effect in February earlier this year, businesses have been forced to increase their data protection capabilities and are now being held accountable for their actions. Just last week the Australian recruitment and human resources software company ‘PageUp’ experienced a suspected data leak.
Regardless of the business or entity experience the breaches the mindset of just meeting compliance standards still remains a problem. Businesses must be proactively defending against these threats and taking the necessary steps to mitigate these risks as part of their corporate social responsibility. Furthermore, whilst the cyber domain presents an enormously large threat in regards to data breaches and espionage, many aspects of security may then be overlooked.
Many organisations have implemented sophisticated multi-million dollar cyber security architectures. Unfortunately, the majority continue to experience breaches. Why is this the case? They forget to think like an attacker! If an adversary can harm you or proﬁt from sidestepping your cybersecurity protocols they will. In doing so they will routinely spend up to 20% of the value of what it is they are trying to steal. Don’t fall prey to the misconception that all corporate espionage is limited to the cyber realm. Many times the attack takes the form of a hidden device or an external attack (Laser Microphones, IMSI Catchers, Burst Transmitters, etc.).
A large number of espionage cases often involve employees with high-level access who can cause damage in a number of ways such as planting recording devices. Whilst vetting, monitoring and clearance levels go a long way to combatting espionage threats it sometimes isn’t enough. Thus, a simple cyber approach won’t always be appropriate given the levels of human access to physical systems, files, and information. For this reason, a holistic approach to security needs to be taken which involves auditing and managing the risks associated with both physical and digital threats. Whilst the new legislation will solve problems companies still need far greater protections than what is currently in place in order to combat the ever-evolving and increasing threat of espionage.
Without appropriate counter measures every Australian business is an easy target! The secret to creating an effective counter measures program is to partner with a Specialised Counter Intelligence Agency.
At NSI we understand a cyber security program is only one component of a complete counter espionage program. Once engaged, NSI will perform a comprehensive risk audit. This will identify numerous other vulnerabilities in the organisation and detail the threats that can exploit them before commencing a comprehensive Technical Surveillance Counter Measures (TSCM) Bug Sweep. NSI can then project manage the implementation of a state of the art Corporate Counter Espionage Program while working collaboratively with your own cyber security personnel to truly secure your business interests.
About NSI Global Counter Intelligence
NSI Global Counter Intelligence are an Australian owned Global Geopolitical Risk and Counter Intelligence Advisory Firm. NSI has an interdisciplinary team of employees and partners in strategic locations around the globe.
Our Best in Class Services include:
Our experts have provided consultation, and have been interviewed numerous times by major media outlets such as:
NSI is called upon for its expertise by corporations in the Mining, Oil and Gas industries, Financial Institutions, Insurance companies, Law and Accounting firms, Government agencies and High Net-Worth individuals. Our services are available globally with local offices in Sydney, Canberra, Dubai, and Hong Kong. To book a confidential consultation, feel free to contact our team.