28 October 2003
- Editor's prerogative
- Parliamentary update on the Commonwealth's Critical Infrastructure Policy
- Developments in the Commonwealth's Critical Infrastructure Protection Branch
- Improving sea port security
- Report released on business continuity in Centrelink
- Creating an ACT chapter of the Business Continuity Institute
- Launch of a new national security journal
- Essay: On protective security education
1
Editor's prerogative
Yesterday, Bruce Howard, Engineers Australia's Security Commissioner, and
I met with the new Attorney-General Philip Ruddock. He is now the Commonwealth
Minister responsible for critical infrastructure protection. The purpose
of the meeting was to inform him of Engineers Australia's interest
in infrastructure protection and priority areas. For information, contact
Bruce Howard.
2
Parliamentary update on the Commonwealth's Critical Infrastructure Policy
Recently in the Commonwealth Parliament, the Shadow Attorney-General, Robert
McClelland, asked the Attorney-General a series of questions. The responses
to these were supplied by Philip Ruddock, the new Attorney-General.
Question 1: In respect of paragraphs 37, 38 and 39 of the National Counter-Terrorism
Plan, which Commonwealth agency is responsible for developing a database
on nationally significant critical infrastructure?
Answer: The Australian Security Intelligence Organisation (ASIO) has been
tasked by the National Counter-Terrorism Committee (NCTC) to develop the
database on nationally significant critical infrastructure.
Question 2: What is the definition of "critical infrastructure" for the purposes
of the database?
Answer: Critical Infrastructure is defined in the National Counter-Terrorism
Plan as "infrastructure which, if destroyed, degraded or rendered unavailable
for an extended period, will impact on social or economic well-being
or affect national security or defence".
Question 3: Who is responsible for determining which critical infrastructure
will be included in the database?
Answer: Australian Government agencies and the States and Territories, in
cooperation with the private sector where relevant, have the role
of identifying infrastructure that is critical to them and passing
the information to ASIO.
Question 4: What test does the Government apply to determine whether critical
infrastructure is of national significance or importance?
Answer: A risk framework has been developed and will be further refined in
consultation with the Australian Government agencies and the States and
Territories using the definition at question 2 above.
Question 5: To whom and by when are Commonwealth agencies, and States and
Territories obliged to identify critical infrastructure for inclusion in the
database?
Answer: Australian Government agencies and the States and Territories are
currently providing information for inclusion in the database.
Question 6: Has the Commonwealth Government identified a consistent format
for Commonwealth agencies, States and Territories to follow when providing
information on critical infrastructure within each jurisdiction; if
so (a) what information must be provided and in what format, and (b)
when was the format communicated to Commonwealth agencies, States
and Territories; if no, why not?
Answer: The NCTC developed a consistent format for use by all Australian
Government agencies and the States and Territories. (a) The information sought
in the format included details of business continuity plans, risk
analyses, security arrangements and key input/resource dependencies.
(b) The format was communicated to Australian Government agencies
and the States and Territories in January 2003.
Question 7: What is the purpose of the database and who will be able to access
it?
Answer: The purpose of the database is to provide a consolidated listing of
those assets which are considered to be critical to Australia's economic
well-being, or affect national security. This information will be used to
consider whether any action is required to improve the resilience, redundancy
or protection of those assets. The NCTC will oversight management
of the information and the uses to which the data can be put. ASIO,
the manager of the database, will not provide data to others without
the approval of the NCTC. Furthermore, the Australian Government does
not intend that the data will be used for regulatory purposes.
Question 8: When does the Government aim to have the database operational?
Answer: The database is operational now. Data entry is ongoing.
Question 9: What is the budgeted cost of developing and operating the database
and which agencies will bear those costs?
Answer: The cost of the database will be met within ASIO's budget from funds
provided as part of the Government's Critical Infrastructure Protection policy
initiative of October 2002.
3
Developments in the Commonwealth's Critical Infrastructure Protection Branch
Below is a list of developments relating to the Critical Infrastructure
Protection Branch within the Attorney-General's Department. The Branch's
Head is Trevor Clement. Director of Policy is Mike Rothery.
- The next meeting of the Critical Infrastructure Advisory Council (CIAC)
will be held on 4 December 2003.
- The draft National Strategy on Critical Infrastructure Protection has
been circulated to the CIAC members. Feedback has already been received
by the Branch. If no major rewriting is required, as appears likely,
Governments and the CIAC may sign off on the strategy by the end
of the year. One of its key principles will be that organisations
should not compete on national security. However, it is appropriate
to compete on providing a more reliable and robust service, such
as offering buildings with their own generators to create an uninterruptible
power supply.
- The formation of an Infrastructure Assurance Advisory Group dealing
with iconic structure and built environment is being considered.
The exact types of structures and functions that may be within the
Group's responsibility are yet to be determined. Over the next
few weeks, the Branch will be meeting with relevant representative
bodies in the iconic structure and built environment areas to gain
their views on the composition and scope of the Group. Following
these consultations, a proposal will be discussed at a meeting of
relevant groups. If the need for a new group is agreed, it is expected
a proposal will go to the December CIAC meeting to form the group.
- The CIAC members have been asked to identify possible research priorities.
The CIAC will then liaise with the Department of Education, Science
and Training (DEST). DEST is responsible for science policy and
the National Research Priorities.
- Agreement has been reached with the Science, Engineering and Technology (SET)
Cell in the Department of the Prime Minister and Cabinet on how
to manage research needs on critical infrastructure protection.
The SET Cell is responsible for coordinating and focusing science,
engineering and technology to support Australia's counter-terrorism
needs. Recommendations from the Cell regarding the research needs
in infrastructure protection will be passed through the CIAC.
- The planned October 2003 bilateral discussion with the US has been postponed
until March 2004 following requests from the US. It is envisaged
that the bilaterals will allow both government to government and
US Information Sharing and Analysis Centres (ISACs) and the Australian
Infrastructure Assurance Advisory Groups to meet and share experiences.
- In February 2004, a bilateral discussion between Australia and Japan
on e-security is being planned.
- Decisions on the constitution, function and duration of CIAC Expert Panels
have not been finalised. The Panels will advise the CIAC directly
rather than through an Infrastructure Assurance Advisory Group.
It is envisaged that each Panel will be established when needed
to examine a specific issue and disbanded after completing its task.
- The Branch has recognised a need to create a predictive capacity so
the infrastructure stakeholders can be more aware of medium and
long term security issues. An example of this is the implications
of the impending use of GPS (global positioning system) timing signals
for synchronisation of digital communications systems. Robust synchronisation
is essential for:
  - control systems where the control data comes from multiple workstations
  - time sensitive transactions (stock/money transfers, purchase, sales
  etc) and database transactions (airline and freight systems),
  both of which need absolute agreement on their reference
  - security systems, as many local area network security systems are based
  on accurate time tagging at each end of a communication path
  - network fault diagnosis and recovery
4
Improving sea port security
Sea ports handle 99% of the goods imported into Australia each year. This
year 1.4 million containers will enter the country and nearly that many
will leave again. Very few, either empty or full, will be inspected.
Since September 11, 2001, the main security focus has been on airport and
aircraft security. Little attention has been paid thus far to shipping
containers where the danger is real and potentially more lethal.
There is now increasing concern that the next terrorist attack will be marine
based and will aim to destabilise or possibly cripple the global economy.
A substantial catastrophic event at any one of Australia's major
ports would cripple the economy of the State involved as well as impact
the national economy. Other sea ports and the domestic transport infrastructure
do not have the capacity to adequately handle diverted containers.
There are currently two major maritime security initiatives:
- The International Maritime Organisation (IMO) is introducing the
International Ship and Port Security (ISPS) Code.
- The Australian Customs Service (ACS) is progressively introducing X-Ray
facilities in some ports. The annual budget for import cargo screening is about
$200 million but will only X-Ray screen 5% of import containers.
Few in the maritime industry believe that security will significantly
improve as a result. This is because neither initiative is enough
to persuade terrorists that Australian ports are not a soft target
or that detection will occur if an attempt is made.
The company, Homeland Security, is proposing a solution to screen 100%
of arriving and departing shipping containers at no cost to the government.
It is an innovative X-Ray screening process that will not slow down
or impede the throughput of containers at sea ports. The real-time
container screening process will improve security to a level comparable
to airports as well as reducing trade fraud via the misdeclaration
of cargo and creating a significant deterrent to the importation of
illicit goods.
Homeland Security has considerable experience in maritime trade security
issues and is currently briefing governments on their solution.
For information, contact Andrew Burgess on (02) 9144 6428 or
homelandsecurity@vtown.com.au. Andrew Burgess is a former director of
P&O Ports.
5
Report released on business continuity in Centrelink
For those interested in the effectiveness of continuity management in
government agencies, a report released last week provides interesting
reading. The report is called Business Continuity Management and Emergency
Management in Centrelink and was produced by the Australian National Audit
Office.
Centrelink paid around $55 billion to over 6.3 million customers last year.
Consequently their Business Continuity Management (BCM) strategies are essential
to ensure the agency can continue to deliver these important programs
in the event of a crisis. Given that the January 2003 fires in Canberra
came within 500 meters of one of their two data centres and its major
development centre, continuity of supply has come to the fore.
The report found that Centrelink "has comprehensive and detailed
BCM and associated risk management frameworks, policies and plans
that generally provide appropriate preventive controls to minimise
the likelihood of outages to many of its critical business processes.
As well, they provide effective corrective treatments to minimise
disruptions of services to customers where these business processes
are interrupted. It also has skilled staff, committed to the continuity
of essential services to customers."
It found that "notwithstanding this good performance and inherent strengths,
Centrelink has a number of continuity risks. In particular:
- some elements of its I&T environment do not have sufficient continuity
controls and treatments, and in light of experiences with the ACT
firestorm in January 2003, it is apparent that Centrelink has not
adequately addressed risks associated with simultaneous catastrophic
events to its data centres and off-site backup storage facility;
- the existing framework for BCM provides insufficient assurance as to
the state of BCM preparedness throughout its service delivery network;
and
- there are inadequacies in plan maintenance, rehearsal and staff training."
Centrelink noted many of these shortcomings during audit fieldwork, and is in
the process of implementing strategies and practices to improve its
BCM capacity.
6
Creating an ACT chapter of the Business Continuity Institute
A group of Canberra practitioners is considering establishing a chapter of the
Business Continuity Institute (UK) in the ACT. The Institute is the premier
international body involved in the development of BC practices and the
development and certification of BC professionals. A local forum would provide
an opportunity for those involved in BCM to share information and ideas, as
well as facilitating presentations and training.
An exploratory meeting will be held on Thursday, 30 October 2003 to consider
the idea. The venue will be the Canberra Club, and it will run from
4:00 to 6:00pm.
If you are interested in attending, contact Jennifer Wookey at
jwookey@sms.com.au, 6230-1211 or Megan Jeffress at mjeffress@sms.com.au,
6230-1211.
7
Launch of a new national security journal
The first edition of the Australian National Security Review came out this
month. The monthly publication is a subscription-based news publication and a
subscription includes an emailed news update service. It's intended for both
government and private sector readers interested in keeping abreast
of government policy initiatives, technology developments, trends
and business opportunities in national security and related matters.
Judy Hinz is the launch editor of Australian National Security Review.
Judy is well-known in Defence and industry circles as the current
Managing Editor of Australian Defence Magazine (ADM). The annual subscription
is $495.
For subscriptions, contact Masters Publishing, PO Box 5197, Manly Qld
4179, tel 07 3348 3808, fax 07 3348 6511 or masterspublishing@ozemail.com.au
8
Essay: On protective security education
by Clive Williams, the director of terrorism studies at the Strategic
and Defence Studies Centre, Australian National University (ANU).
Earlier this month, a colleague and I ran a new Masters course elective titled
"Security in Business in Government" in Canberra. This was because
there appeared to be no courses on offer that looked at protective
security from a senior management perspective.
Last year, we had run a course for the ANU's National Graduate School
of Management and were surprised to learn that the students had never
been taught anything about protective security issues in any of their
undergraduate or postgraduate courses.
In the past, security tended to be regarded as a blue-collar area, but
senior managers are now finding themselves responsible for new and
challenging security issues that could affect their organisation's
survival.